CheckMates > Products > Quantum > Remote Access VPN
What is the equivalent of Cisco "tunneled" route in Check Point to forward all traffic inbound from a VPN connection, straight to another device?
Hello,
I want my remote access users/clients to have a different "default route" than the one of the Security Gateway (R80.10). I want a way to tell the Security Gateway to forward all traffic inbound from a VPN connection, straight to another device.
In Cisco's world, you can achieve this with a "tunneled" route:
ASA 8.X: Routing SSL VPN Traffic through Tunneled Default Gateway Configuration Example - Cisco
This document describes how to configure the Adaptive Security Appliance (ASA) to route the SSL VPN traffic through the tunneled default gateway (TDG). When you create a default route with the tunneled option, all traffic from a tunnel terminating on the ASA that cannot be routed using learned or static routes is sent to this route. For traffic emerging from a tunnel, this route overrides any other configured or learned default routes.
How can this be done with R80.10 using a VS on a VSX in VSLS mode?
Please see attached diagram for more info.
Note: I wanted to use Policy-Based Routing, but it doesn't seem to be available with my setup based on the following document from Check Point: Policy-Based Routing (PBR) on Gaia OS
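For readers who do not know the Cisco feature the question refers to, this is what a tunneled default route looks like in ASA configuration. It is an added illustration, not part of the original post or the linked Cisco document; the interface name `outside` and the two gateway addresses are placeholders.

```cisco
! Ordinary default route used by traffic that did not arrive through a VPN tunnel
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
! Tunneled default route: traffic that emerged from a VPN tunnel and matches
! no learned or static route is sent to this next hop instead
route outside 0.0.0.0 0.0.0.0 203.0.113.1 tunneled
```

Both routes coexist; the `tunneled` keyword is what makes the second one apply only to decapsulated VPN traffic, which is the behaviour the question asks how to reproduce on a Check Point VS.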
I don't believe it is possible to do this, but I could be wrong.
What is the actual problem you're trying to solve (i.e. why are you trying to forward all VPN traffic to a specific nexthop)?
There is already a Virtual System (VS) in place, on a VSX in VSLS, running R80.10. This VS is providing Internet access to internal users and is running the following blades:
- Firewall
- Application Control
- URL Filtering
- Identity Awareness
- Monitoring
- IPS
- Anti-Bot
- Anti-Virus
We now have to provide remote access to approximately 150 concurrent remote users and site-to-site VPN to approximately 5 to 10 remote sites.
Remote users need to access internal services and to browse the Internet while being filtered just like the internal users.
There are approximately 6000 internal users.
I'm looking for the best setup. Should I put everything on one VS? Or should I create another one? If I create another one, what services and blades do I put on it?
I didn't find any written references, guidelines, or recommendations in the Check Point world, so any help is welcome!
If you've already got VSX going, adding another "Remote Access" VS seems like a good way to resolve the issue.
All you'd need on that VS would be FW + VPN + Identity Awareness.
That said, that sort of approach is going to cause additional load on your Internet pipe and the gateway, particularly if most of the Remote Access traffic is going to the Internet anyway.
You may want to look into Capsule Cloud, which can enforce the same policy "in the cloud" without routing all your traffic back to your premise.
Both VPN clients can coexist on your client PCs.