Nickel

VPN Remote Access - Enable Visitor Mode on This Interface


Hi Team,


We have 14 public IP addresses bound to our WAN port.
The public IP of the WAN is A.B.C.1.

We want to dedicate the IP A.B.C.2 to the remote access VPN. This IP (A.B.C.2) is not assigned to any interface.

We have performed the following change:
Device > Advanced > Advanced Settings >
- VPN Remote Access - Enable Visitor Mode on This Interface = A.B.C.2

Despite this configuration, the firewall is not responding to VPN requests from remote users.
I have performed the following test:
- With a tcpdump on the WAN interface, I have observed that the gateway does not answer the ARP requests related to the IP A.B.C.2


My question is:
Can we assign an IP that does not belong to an external interface in the option "Device > Advanced > Advanced Settings > VPN Remote Access - Enable Visitor Mode on This Interface"?

Regards

Admin

Re: VPN Remote Access - Enable Visitor Mode on This Interface

As far as I know, you can't do this.
What is the logic behind your request?

Re: VPN Remote Access - Enable Visitor Mode on This Interface

All you need to do is add a proxy ARP for the .2 address on the external interface. Do not forget to set the Global property to "Merge manual proxy ARP configuration" and push the policy after adding the proxy ARP.
Command for adding the proxy ARP:
add arp proxy ipv4-address A.B.C.2 macaddress 11:22:33:44:55:66 real-ipv4-address A.B.C.1
Regards, Maarten
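A way to check, from the tcpdump capture the original poster describes, whether the gateway answers ARP for the visitor-mode address before and after the proxy ARP above is added. This is an added example in Python, not code from the thread or from Check Point; the capture lines are constructed, using documentation addresses 203.0.113.1/.2 in place of A.B.C.1/A.B.C.2 and the example MAC from the command above.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -ni <WAN> arp` output (not a real capture):
# .1 is the WAN interface address and is answered; .2 is the intended VPN
# address and is asked for three times with no reply, as in the poster's test.
SAMPLE_TCPDUMP = """\
10:01:02.100001 ARP, Request who-has 203.0.113.1 tell 203.0.113.254, length 46
10:01:02.100150 ARP, Reply 203.0.113.1 is-at 11:22:33:44:55:66, length 28
10:01:03.200001 ARP, Request who-has 203.0.113.2 tell 203.0.113.254, length 46
10:01:04.200001 ARP, Request who-has 203.0.113.2 tell 203.0.113.254, length 46
10:01:05.200001 ARP, Request who-has 203.0.113.2 tell 203.0.113.254, length 46
"""

ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
ARP_REP = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


def arp_summary(dump_text):
    """Count ARP requests and replies per target IP and collect replying MACs."""
    summary = defaultdict(lambda: {"requests": 0, "replies": 0, "macs": set()})
    for line in dump_text.splitlines():
        if m := ARP_REQ.search(line):
            summary[m.group(1)]["requests"] += 1
        elif m := ARP_REP.search(line):
            entry = summary[m.group(1)]
            entry["replies"] += 1
            entry["macs"].add(m.group(2).lower())
    return dict(summary)


def unanswered_ips(dump_text):
    """IPs requested on the wire but never answered (no interface, no proxy ARP)."""
    return sorted(ip for ip, e in arp_summary(dump_text).items()
                  if e["requests"] and not e["replies"])


def proxy_arp_ok(dump_text, ip, expected_mac):
    """True only if `ip` was answered and every reply carried the WAN interface MAC."""
    e = arp_summary(dump_text).get(ip)
    return bool(e and e["replies"] and e["macs"] == {expected_mac.lower()})


if __name__ == "__main__":
    print("unanswered:", unanswered_ips(SAMPLE_TCPDUMP))
    print("proxy ARP for .2 ok:",
          proxy_arp_ok(SAMPLE_TCPDUMP, "203.0.113.2", "11:22:33:44:55:66"))
```

Run it against a capture taken after the proxy ARP is added and the policy is pushed; an address that is answered but still fails the VPN points at the listening problem discussed later in the thread rather than at ARP.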
Nickel

Re: VPN Remote Access - Enable Visitor Mode on This Interface


Hi PhoneBoy,
This is a migration from another firewall to Check Point, and there is a NAT rule on the WAN interface with HTTPS used by many partners: disabling this feature is not suitable for the customer; that would impact many users.

Hi Maarten,
Thanks for your help. This is an SMB appliance (700), locally managed. I have seen sk114531 related to your instructions and I will try this.

Regards

Constant NSAH

Nickel

Re: VPN Remote Access - Enable Visitor Mode on This Interface


Hello,

I have tried sk114531 and the gateway now answers the ARP requests related to the IP A.B.C.2, but the VPN still fails.

I will contact TAC.

Nickel

Re: VPN Remote Access - Enable Visitor Mode on This Interface


Hi All,

I have received an answer from the TAC:

Visitor mode is relevant only for configured interfaces on the appliances.
You can't establish VPN C2S to IPs which are not interfaces.

Admin

Re: VPN Remote Access - Enable Visitor Mode on This Interface

That actually makes sense because Visitor Mode requires making a TCP connection to the gateway on port 443.
You can't do that unless your gateway is listening on that IP.

Re: VPN Remote Access - Enable Visitor Mode on This Interface


It seems to me it will be easier for you to change the main WAN IP to .2 and leave the .1 only for the NATs.

That way you don't have to deal with all the partners and the VPN keeps the same IP address.

Nickel

Re: VPN Remote Access - Enable Visitor Mode on This Interface


Thanks for your comment. This is the last solution we plan to do. As I have written before, there are many services published on this IP, and these services are used by many partners.


Re: VPN Remote Access - Enable Visitor Mode on This Interface


What I suggested was to change only the main WAN address to A.B.C.2, which will enable you to use Remote Access VPN on that address.

You can keep the published pages and services (except VPN) on IP address A.B.C.1 or any other address of your range, provided you set the correct proxy ARP and NAT rules.

This seems to be the way to cause least impact on your partners and VPN clients.

The only affected services would be site-to-site VPNs, if you have any, which will have to move from A.B.C.1 to A.B.C.2, but I think it is better to make changes to site-to-site than client-to-site, especially if you don't have a DNS name for that.

So:
- No impact for published pages
- No impact for VPN clients
- Easy to fix impact on site-to-site VPNs.
