I have two Gateways X and Y.
I have 3 internal networks on X that, if going to the internet, I want to route via Y. The moment I enable it my SMS loses connectivity to X (externally managed). But my internal networks on X get routed through Y. So that works.
I can SSH to the internal mgmt address of X (S2S VPN). Everything works, but my X firewall itself can't reach the internet or my SMS.
In the VPN domain between X and Y I have only specified the 3 local networks of X. So I really don't understand why the firewall loses connectivity?
See attached pictures.
100% it's supported, I know multiple customers that did it in different versions.
Do the zdebug on the firewall and see why it's getting dropped... or look at the logs on the management, it would give you a good idea, for sure.
It's not getting dropped.
The problem is that my X firewall has 20 networks, 17 of them should go through the regular default route and 3 networks should go through the VPN tunnel and out to the internet that way. When I enable VPN routing, all 20 networks go over the VPN tunnel despite the other 17 not being specified in the VPN domain. The X firewall is also trying to go through the VPN tunnel when, for example, I ping 1.1.1.1 from the CLI.
Version/JHF level of gateways?
Are you using Route-Based VPN or Domain-Based VPN?
I suspect you'll need a combination of Route-Based VPN and PBR to achieve this goal.
Something similar to the following albeit with different criteria: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Hi Phoneboy,
Thanks for your reply. I'm now able to access the internet through my tunnel; I had to uncheck my external IP from being included in the VPN Domain under Network Management on the gateway. I'm running R81.20 MGMT and R81.10 Take 81 on the gateways. However, now I'm facing the issue that I need to NAT incoming external traffic back into the tunnel to an internal host. I see that it tries to NAT the traffic to the correct host, but it does not go into the tunnel; the VPN domains are correctly set up.
Yes, that's a nice option included in R81.20, to exclude the external IP from the encryption domain in SmartConsole, which was never there before; it had to be done in the crypt.def file, I believe. Regardless, for your other issue, make sure the NAT option is not disabled within the VPN community settings (last option on the left) and if so, create a manual NAT rule to reflect the needed changes.
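The symptom described earlier in the thread (the gateway's own pings to 1.1.1.1 and its management traffic disappearing into the tunnel) and the fix stated above (excluding the gateway's external IP from the VPN domain) can be reproduced with a small model of the domain-based match. The script below is an added example and is not code from the thread or from Check Point; it is a simplified decision function, not the real kernel logic, and it deliberately does not try to explain the other 17 networks the poster saw going into the tunnel, which the thread leaves unresolved. Every address in it is constructed from RFC 5737 / RFC 1918 ranges, and the names GW_X_EXTERNAL_IP, X_TUNNEL_NETWORKS, ROUTE_ALL_TRAFFIC and SMS_IP are assumptions for this illustration.

```python
import ipaddress
from typing import Iterable, List, Tuple

# All addresses below are constructed for the example (RFC 5737 / RFC 1918
# ranges); they are not the poster's real topology.
GW_X_EXTERNAL_IP = "203.0.113.10"
# The 3 networks behind X that are meant to reach the internet via Y's tunnel.
X_TUNNEL_NETWORKS = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]
# A community set to "route all traffic through this community" behaves as if
# the remote (hub) side's domain covered the whole IPv4 space.
ROUTE_ALL_TRAFFIC = ["0.0.0.0/0"]
SMS_IP = "198.51.100.5"  # externally located management server (constructed)


def in_any(addr: str, networks: Iterable[str]) -> bool:
    """True if addr falls inside any of the given CIDR networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def egress_path(src: str, dst: str,
                local_domain: Iterable[str], remote_domain: Iterable[str]) -> str:
    """Simplified domain-based VPN decision for one packet leaving gateway X.

    Returns 'tunnel', 'local' (destination is in X's own domain, so it is
    never encrypted) or 'default route'.  Match order: the source must be in
    the local domain, then the destination is tested against the local domain
    and finally against the remote domain.
    """
    if not in_any(src, local_domain):
        return "default route"
    if in_any(dst, local_domain):
        return "local"
    if in_any(dst, remote_domain):
        return "tunnel"
    return "default route"


def compare_domains(flows: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Evaluate each (src, dst) flow twice: with X's external IP included in
    the VPN domain (the broken state) and with it excluded (the fix)."""
    with_external = X_TUNNEL_NETWORKS + [GW_X_EXTERNAL_IP + "/32"]
    without_external = X_TUNNEL_NETWORKS
    rows = []
    for src, dst in flows:
        rows.append((src, dst,
                     egress_path(src, dst, with_external, ROUTE_ALL_TRAFFIC),
                     egress_path(src, dst, without_external, ROUTE_ALL_TRAFFIC)))
    return rows


if __name__ == "__main__":
    flows = [
        ("10.1.0.25", "1.1.1.1"),        # host behind X browsing: should use the tunnel
        ("10.1.0.25", "10.2.0.7"),       # host to host inside X's own domain: stays local
        (GW_X_EXTERNAL_IP, "1.1.1.1"),   # ping 1.1.1.1 from X's CLI
        (GW_X_EXTERNAL_IP, SMS_IP),      # X talking to its externally managed SMS
    ]
    print(f"{'src':>15} {'dst':>15}  {'ext IP in domain':>16}  {'ext IP excluded':>15}")
    for src, dst, before, after in compare_domains(flows):
        print(f"{src:>15} {dst:>15}  {before:>16}  {after:>15}")
```

With the external IP inside the domain, both gateway-sourced flows land in the tunnel, which is exactly what breaks reachability to an SMS that sits on the far side of the default route; with it excluded, only the three internal networks match and the gateway itself falls back to its default route.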
Hi the_rock,
Thank you for your input, and sorry for my late answer. I talked with Check Point TAC and they referred to this:
Destination NAT traffic not encrypted when the original destination included in the NATting gateway ...
I set up a route-based VPN but I couldn't get PBR to work even though it should be supported. So I kind of gave up on this solution.