Routing config for Checkpoint 750 and MPLS

Hi all,

I have a customer with a new MPLS network and a Checkpoint 750 in place as per the diagram below. A few notes:

1. MPLS acts as a private network for the customer

2. Internet access for Branch office has to go through HO

I've configured the DMZ port for the private network and have full connectivity between HO and the branch network. However, the branch PCs can't access the Internet. I have (I think) all the correct routes and policies in place. When I try to browse the web from the branch office, I can see DNS and HTTPS activity from the branch office in the firewall logs (all allowed), but the web sessions never connect. There are no proxies in use and the PC firewall is off. ICMP also fails from the branch PC to the web (but is ok for the HO LAN).

The other option would be to go straight from the MPLS to our network switch at HO, but we want to have the option to restrict branch traffic and investigate logs. Is this a firewall issue, or an MPLS routing issue? Any and all help/suggestions appreciated.

Thanks,

David

(Attached diagram: network.jpg)

4 Replies

Admin

Re: Routing config for Checkpoint 750 and MPLS

Have you verified (with tcpdump or similar) the traffic is going out the correct interface?
If it is, then it's possible the issue is upstream from your gateway.

Re: Routing config for Checkpoint 750 and MPLS

Thanks Phone Boy. Unfortunately the issue became urgent to fix so we had to bypass the firewall for now. If I get a chance, I'll set up a test environment and re-test this...

Silver

Re: Routing config for Checkpoint 750 and MPLS

So your internet is terminated on the router? And did I understand correctly that, to reach the internet, traffic will come to the router, then down to the firewall, which NATs it and routes it back to the internet, i.e. to the same router?

Re: Routing config for Checkpoint 750 and MPLS

Correct. One router with both Public and Private network split across virtual circuits. I could see web traffic from the remote branch hitting the firewall (and being allowed), but then timing out on the PC. I suspect it's an issue on the router, but the upstream provider suggests otherwise. Would love to sort it out as that design is our preferred one (bypassing the firewall even for the Private Network adds some risk).

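Phone Boy's tcpdump suggestion, applied to the hairpin path David describes (branch → MPLS → router → firewall DMZ → hide NAT → WAN → same router → internet), can be turned into a concrete check. The script below is an added example for this thread, not code from the original posts, from Check Point or from the 750's own tooling: it reads the text output of a plain `tcpdump -nn -i <WAN interface>` capture taken on the gateway and sorts each outbound flow into one of three buckets. A branch (private) source address showing up on the WAN side means the packet left untranslated, which would explain "allowed in the logs but never connects", because no reply can ever return; a translated flow (source = gateway public IP) with no reverse packet means the reply never made it back to the gateway, which points upstream to the router or provider, as Phone Boy's second sentence says. The subnets, the public address, the interface name and every capture line are constructed for the example and are not taken from the post.

```python
"""
Added example (not from the thread or from Check Point): classify flows in a
`tcpdump -nn -i <wan>` capture taken on the gateway's WAN interface.

tcpdump shows packets as they hit the wire, i.e. after NAT on the outgoing
interface, so a private source address here is a NAT miss, not a display quirk.
"""
import ipaddress
import re

# Hypothetical addressing (not from the post), using RFC 5737 documentation ranges.
BRANCH_NET = ipaddress.ip_network("10.20.0.0/24")  # branch LAN reached over the MPLS VC
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")   # gateway's external (hide NAT) address

# Shape of a `tcpdump -nn` line: "<timestamp> IP <src>[.<sport>] > <dst>[.<dport>]: ..."
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    rf"^\S+\s+IP\s+(?P<src>{_IPV4})(?:\.(?P<sport>\d+))?\s+>\s+"
    rf"(?P<dst>{_IPV4})(?:\.(?P<dport>\d+))?:"
)


def parse_packet(line):
    """Return (src, sport, dst, dport) for one tcpdump line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sport = int(m["sport"]) if m["sport"] else None  # None for ICMP (no port)
    dport = int(m["dport"]) if m["dport"] else None
    return (ipaddress.ip_address(m["src"]), sport,
            ipaddress.ip_address(m["dst"]), dport)


def _endpoint(ip, port):
    return f"{ip}" if port is None else f"{ip}:{port}"


def analyze(lines, branch_net=BRANCH_NET, public_ip=PUBLIC_IP):
    """Classify outbound flows seen on the WAN capture.

    Returns a dict with three lists of "src -> dst" strings:
      untranslated: private branch source leaked onto the WAN (hide NAT not applied)
      no_reply:     translated flow with no packet back from the remote host
      ok:           translated flow and its reply both seen
    """
    packets = [p for p in map(parse_packet, lines) if p is not None]
    seen = set(packets)
    result = {"untranslated": [], "no_reply": [], "ok": []}
    outbound = []
    for pkt in packets:
        src, _, dst, _ = pkt
        # Outbound = leaves our side (branch or translated) towards a non-local destination.
        if (src in branch_net or src == public_ip) and dst not in branch_net and dst != public_ip:
            if pkt not in outbound:  # collapse SYN retransmissions into one flow
                outbound.append(pkt)
    for src, sport, dst, dport in outbound:
        flow = f"{_endpoint(src, sport)} -> {_endpoint(dst, dport)}"
        if src in branch_net:
            result["untranslated"].append(flow)
        elif (dst, dport, src, sport) in seen:  # reverse direction was captured
            result["ok"].append(flow)
        else:
            result["no_reply"].append(flow)
    return result


# Constructed capture lines (not real traffic) in the shape tcpdump -nn prints them.
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 10.20.0.5.51234 > 192.0.2.80.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000200 IP 10.20.0.5 > 192.0.2.53: ICMP echo request, id 1, seq 1, length 64",
    "12:00:02.000001 IP 203.0.113.10.40001 > 192.0.2.80.443: Flags [S], seq 2, win 64240, length 0",
    "12:00:02.010000 IP 192.0.2.80.443 > 203.0.113.10.40001: Flags [S.], seq 3, ack 3, win 65535, length 0",
    "12:00:03.000001 IP 203.0.113.10.40002 > 198.51.100.7.443: Flags [S], seq 4, win 64240, length 0",
    "12:00:04.000001 IP 203.0.113.10.40002 > 198.51.100.7.443: Flags [S], seq 4, win 64240, length 0",
    "not a tcpdump line",
]

if __name__ == "__main__":
    for kind, flows in analyze(SAMPLE_CAPTURE).items():
        for flow in flows:
            print(f"{kind:12} {flow}")
```

On the constructed capture the HTTPS and ICMP packets from 10.20.0.5 land in `untranslated` (the branch subnet was not covered by hide NAT), the flow to 192.0.2.80 from the public address is `ok` because its SYN-ACK came back, and the flow to 198.51.100.7 is `no_reply` (retransmitted SYNs, nothing returned). Capturing on the DMZ interface at the same time, filtered on the branch PC's address, shows whether the branch traffic is entering the gateway at all; the two captures together separate "gateway did not NAT/route it" from "router or provider did not bring the reply back".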