This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
lcako
Participant
‎2024-05-21 06:34 AM

Routing Problem

I have the topology in the picture, and the L2TP 192.168.18.100 route is not working, and I can't open the web page. Additionally, the route to IP 10.0.219.246 is not working. I have the PCs in my office that go through the firewall via a Mikrotik port. Strangely, the SAS page on VLAN 249 with IP 10.0.200.249 opens. The other page on VLAN 219, 10.0.219.246:9082, does not open. Both are on the same logic and pass through the same router; only the VLAN changes. Could it be blocked at the port? Is an allow policy needed? The general firewall policy is to allow communication between internal interfaces. I haven't made it strict because I know it blocks everything. The 192.168.18.100:8080 that is blocked seems like the same problem. Maybe the ports need to be allowed? My PC, which goes through the Mikrotik, opens the web page with VPN. However, the PC that goes through the firewall doesn't open it. I suspect the ports are being blocked.

Preview file
141 KB
Preview file
153 KB
0 Kudos
12 Replies
Duane_Toler
Advisor
‎2024-05-21 07:14 AM

First, uncheck "Show inactive routes" so we can see only the active routes.  If you have inactive routes, then you have a routing protocol administrative-distance (metric) problem.  Connected routes override static routes, which override all other routes (unless you have changed the protocol ranking manually).

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
lcako
Participant
‎2024-05-21 07:22 AM
In response to Duane_Toler

i put microtik instead of firewall, and it worked with the same routing method. when i put sg1575 firewall it doesnt work. I did your solution and i dont have inactive routes and the problem is still the same

Preview file
115 KB
0 Kudos
Duane_Toler
Advisor
‎2024-05-21 07:32 AM
In response to lcako

Have you checked the gateway firewall logs?  You may have an anti-spoofing problem on some interface.   I also see your default route is via a DMZ VLAN interface; this is unusual.  This interface would need to be an External (Internet) topology for anti-spoofing.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
lcako
Participant
‎2024-05-21 07:38 AM
In response to Duane_Toler

what is strange too is that ip from route in line 9 cam be pinged. also line 8 can be pinged. line 10 , 7 and 6 cannot be pinged. 

0 Kudos
Duane_Toler
Advisor
‎2024-05-21 07:42 AM
In response to lcako

After you check the logs and anti-spoofing, check the interior router and make sure it has valid return routes via the SMB 1575 gateway.  How is your L2TP client connecting to the network; is it connecting via the SG1575 external interface, or something else?  Check the active routes on the L2TP client to see if the routes are being installed correctly.  You can try traceroute, but this may be ambiguous for an L2TP client, so don't fall into a trap of troubleshooting the wrong problem if traceroute fails.  However, if it works, then that is excellent.

 

If line 9 can be pinged, but others cannot, check the internal router to make sure it has interfaces in "Up" state for those VLANs.  Check the hosts on those VLANs to make sure they can send return traffic via the internal router for your L2TP client (either default route, or something else).

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
lcako
Participant
‎2024-05-22 12:00 AM
In response to Duane_Toler

i reconfigured them again and i tried to removed static routes , config OSPF from firewall device/system/tools and i ping all of these ip from LAN 241 i cannot open them. from vlan of pc 241 in firewall i cannot open these ip , mostly web but from firewall i can ping them.

Preview file
198 KB
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-05-21 07:38 AM

Which version/build firmware is this Spark device installed with?

CCSM R77/R80/ELITE
0 Kudos
lcako
Participant
‎2024-05-22 12:00 AM
In response to Chris_Atkinson

i reconfigured them again and i tried to removed static routes , config OSPF from firewall device/system/tools and i ping all of these ip from LAN 241 i cannot open them. from vlan of pc 241 in firewall i cannot open these ip , mostly web but from firewall i can ping them

Preview file
198 KB
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-05-22 02:55 AM
In response to lcako

If a path using L2TP is in the mix have you configured MSS clamping (sk121114) at all?

Again, are you running R81.10.10 firmware (build 996002906) or something else?

Solved: Anti-Spoofing detection - Check Point CheckMates

 

 

CCSM R77/R80/ELITE
0 Kudos
lcako
Participant
‎2024-05-22 03:10 AM
In response to Chris_Atkinson

i did ospf routing and i found the solution 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-05-22 05:04 AM
In response to lcako

Ok great - what was the solution so others can understand the problem/cause better?

CCSM R77/R80/ELITE
0 Kudos
kristait
Contributor
‎2024-09-05 08:04 AM
In response to lcako

hello @lcako, could you please share the solution, it will help us.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events