This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NorthernNetGuy
Advisor
‎2023-03-28 07:24 AM
Jump to solution

Exclude single IP from Peer VPN IP range

I have a VPN community for a B2B connection set up, with their VPN Domain containing a /21, that all works fine.

 

There is 1 IP address in that /21 that is for a public website that we don't want to to route over the VPN, and I'm trying to figure out how to exclude it from being routed over that VPN. 

 

I've tried setting up a NAT rule to translate the source to an different IP than the one used for that community, but it still attempts to route over the VPN.

 

I've also tried setting up a static route, setting the next hop to the IP used as our default gateway.

 

How would I exclude an address from being routed thru that domain?

0 Kudos
1 Solution

Accepted Solutions
Danny
MVP Diamond
MVP Diamond
‎2023-03-28 07:59 AM
Jump to solution

crypt.def is your friend

View solution in original post

9 Replies
Danny
MVP Diamond
MVP Diamond
‎2023-03-28 07:59 AM
Jump to solution

crypt.def is your friend

NorthernNetGuy
Advisor
‎2023-03-28 08:18 AM
In response to Danny
Jump to solution

Thanks Danny! The SK for crypt.def was a little daunting and not clear how to specifically exclude an address, but that posts solution explains it very well!

0 Kudos
NorthernNetGuy
Advisor
‎2023-03-28 08:34 AM
In response to Danny
Jump to solution

I also just discovered that exclusion group objects exist. Do you know if using an exclusion group would cause any issues if I use that as the Satellite VPN domain?

It would be a simpler approach and be easier to share with my other techs.

0 Kudos
Danny
MVP Diamond
MVP Diamond
‎2023-03-28 09:31 AM
In response to NorthernNetGuy
Jump to solution

As this article describes, groups with exclusions may have issues when used with VPN encryption domains. It might work, just test it and keep a close eye on the calculated result. I understand you are looking for an easy solution. However, your task it not easy by design. You could also create a group containing multiple network objects describing your /21 network without that single IP address in order to use that manually crafted network group as your new encryption domain. However, keep in mind Check Point performs supernetting by default, so you might still end up with a /21 encryption domain. That's why crypt.def is your friend.

NorthernNetGuy
Advisor
‎2023-03-28 10:56 AM
In response to Danny
Jump to solution

I really appreciate the in depth response! I'll experiment with the exclusion group, but it looks like I'll likely need to go with defining an exclusion within crypt.def. 

I'll try and update this post with my results once I've tested, for anyone that might stumble upon this post in the future.

0 Kudos
AleLovaz82
Collaborator
Collaborator
‎2023-03-28 11:11 AM
In response to Danny
Jump to solution

I use this
> You could also create a group containing multiple network objects describing your /21 network without that single IP address in >order to use that manually crafted network group as your new encryption domain.

+ force the firewall to use a specific subnet editing user.def.FW1

0 Kudos
AleLovaz82
Collaborator
Collaborator
‎2023-03-28 11:10 AM
In response to NorthernNetGuy
Jump to solution

TAC told me that exclusion group as encryption domain are not supported even if you can use them from Smart Console

>- Exchanged the network group with exclusions(not supported in the encryption domain) with a standard network group

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-28 03:51 PM
In response to AleLovaz82
Jump to solution

Exclusion groups ARE supported for Remote Access VPN: https://support.checkpoint.com/results/sk/sk167000
However, that’s relatively recent and for the specific use case it was designed for (Remote Access).

0 Kudos
AleLovaz82
Collaborator
Collaborator
‎2023-03-29 04:53 AM
In response to PhoneBoy
Jump to solution

ok , i used them in s2s vpn 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events