This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Yousef
Explorer
‎2020-04-13 08:23 AM
Jump to solution

Enterprise to VPN User without site to site VPN

Hello,

I'm using CheckPoint 750 Appliance at work.

We installed VPN EndPoint at each remote User, the VPN is having a pool of 172.16.10.*

The local Network where the gateway is installed, it is using 10.4.0.*

The developers are developing a service at port 9000 in their computers, and when they were in the company, they simply called an API from the local network (For ex. 10.4.0.10) to their computer (10.4.0.*:9000 and it worked.

Now when they moved their PCs to work from home, they connect using the VPN, they are able to access all the local network, so that all Servers and services that are using 10.4.0.* are reachable, however, the opposite is not true.

None of the Server / Computers at the office (10.4.0.*) are able to connect back to the VPN remote users.

The users are trying to call API requests from Servers at the office (say 10.4.0.10) to their own computers, say 172.16.10.5:9000 , it fails.

10.4.0.* can't even ping any host in the VPN IPs.

My Appliance is manage by an ISP, but they are still not able to solve the issue, it has been a week already. Is it something that is feasible or not? I know that Site to Site is supposed to work (although we haven't tested it), but what about Point to Site?

VPN Users (172.16.10.*) need to be reached "reversely" from the work network (10.4.0.*).

I thought when I connect to the VPN, the VPN object and the local object are both connected and can communicate to each other without a problem.

I'm looking for advice since my ISP is not able to solve the problem yet. Am I asking for something that can't be done by Point to Site?

Let me know of any feasible solution so that I can consult my ISP to do it when they get back to me again.

Thank you.

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-04-14 10:05 PM
In response to Yousef
Jump to solution

That firmware revision is quite old and you should upgrade for...many reasons.
I presume you'd need a rule that permits your internal network to talk to the Office Mode addresses in the Outgoing section.

View solution in original post

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2020-04-14 02:06 PM
Jump to solution

Have you created an explicit rule to allow this sort of communication?
0 Kudos
Yousef
Explorer
‎2020-04-14 09:58 PM
In response to PhoneBoy
Jump to solution

My ISP added the following rules:

Incoming, Internal and VPN traffic:

LAN Network (10.4.0.*) -> VPN Remote Access -> Any Service, Accept

LAN Network (10.4.0.*) -> Office_mode  (same range 172.16.10.0) -> Any Service, Accept

VPN Remote Access -> VPN Remote Access -> Any Service, Accept

This Gateway (external IP) -> Office_mode (same range 172.16.10.0) -> Any Service, Accept

Outgoing:

Nothing specific that handles this

NAT rules:

Hide internal networks behind the Gateway's external IP address [ON]

Manual NAT rules:

Original Source (Any), Original Destination (Office_mode), Original Service (Any), Translated Source (Original), Translated Destination (Original), Translated Service (Any)

==

This configuration is not working. Backlinks to the Office_mode are not working without Office_mode initiating the session. So we can't access any open port in the Office_mode/VPN Users computers.

I'm not sure if that matters, but the system's firmware version is R77.20.31 (990170960)

Yousef.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-14 10:05 PM
In response to Yousef
Jump to solution

That firmware revision is quite old and you should upgrade for...many reasons.
I presume you'd need a rule that permits your internal network to talk to the Office Mode addresses in the Outgoing section.
0 Kudos
Yousef
Explorer
‎2020-04-14 10:08 PM
In response to PhoneBoy
Jump to solution

Thank you. I will let my ISP do the change, and hopefully convince them to upgrade the firmware.

After that, I will post a reply and accept the solution in case that solved the problem.

0 Kudos
Yousef
Explorer
‎2020-04-21 04:48 AM
In response to PhoneBoy
Jump to solution

Upgrading the firmware and adding outgoing solved the issue. Thank you.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events