David_Mosca
Explorer

Routing config for Checkpoint 750 and MPLS

Hi all,

I have a customer with a new MPLS network and a Checkpoint 750 in place as per the diagram below. A few notes:

1. MPLS acts as a private network for the customer

2. Internet access for Branch office has to go through HO

I've configured the DMZ port for the private network and have full connectivity between HO and the branch network. However, the branch PCs can't access the Internet. I have (I think) all the correct routes and policies in place. When I try to browse the web from the branch office, I can see DNS and HTTPS activity from the branch office in the firewall logs (all allowed), but the web sessions never connect. There are no proxies in use and the PC firewall is off. ICMP also fails from the branch PC to the web (but is OK from the HO LAN).

The other option would be to go straight from the MPLS to our network switch at HO, but we want to have the option to restrict branch traffic and investigate logs. Is this a firewall issue, or an MPLS routing issue? Any and all help/suggestions appreciated.

Thanks,

David

network.jpg

0 Kudos
4 Replies
PhoneBoy
Admin

Have you verified (with tcpdump or similar) the traffic is going out the correct interface?
If it is, then it's possible the issue is upstream from your gateway.
0 Kudos
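Added example, not code from the thread or from Check Point: a small Python script that correlates the branch-facing (DMZ) and WAN-side tcpdump captures PhoneBoy suggests taking, so you can tell whether the 750 ever forwards the branch SYNs out of the WAN port (gateway problem) or forwards them but never sees a SYN-ACK back (upstream router/provider problem). The branch prefix, the hide-NAT address and the capture lines are constructed assumptions.

```python
import re
# Matches the "IP src.port > dst.port: Flags [..]" part of a tcpdump -nn line.
LINE_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                     r"Flags \[(?P<flags>[^\]]*)\]")
BRANCH_NET = "192.168.10."      # assumed branch LAN prefix behind the MPLS (constructed)
WAN_PUBLIC_IP = "203.0.113.10"  # assumed hide-NAT address on the 750's WAN port (constructed)

def parse(lines):
    return [m.groupdict() for m in map(LINE_RE.search, lines) if m]

def diagnose(dmz_capture, wan_capture):
    """For each branch SYN seen on the DMZ port, check the WAN port for the NATed SYN leaving
    and a SYN-ACK returning. Keyed on (server IP, port) because hide NAT rewrites source ports."""
    report = {}
    for f in parse(dmz_capture):
        if f["src"].startswith(BRANCH_NET) and f["flags"] == "S":
            report[(f["dst"], f["dport"])] = {"left_wan": False, "reply_on_wan": False}
    for f in parse(wan_capture):
        if f["src"] == WAN_PUBLIC_IP and f["flags"] == "S":       # our SYN going out
            key = (f["dst"], f["dport"])
            if key in report:
                report[key]["left_wan"] = True
        elif f["dst"] == WAN_PUBLIC_IP and f["flags"] == "S.":    # server SYN-ACK coming back
            key = (f["src"], f["sport"])
            if key in report:
                report[key]["reply_on_wan"] = True
    return report

def verdict(entry):
    if not entry["left_wan"]:
        return "gateway"   # SYN never left the WAN port: route, policy or NAT on the 750
    if not entry["reply_on_wan"]:
        return "upstream"  # SYN left but no SYN-ACK came back: router or provider side
    return "ok"            # handshake reached the gateway; check the return path to the branch

# Constructed sample captures (tcpdump -nn) on the DMZ (branch-facing) and WAN ports.
DMZ_SAMPLE = [
    "12:00:01.000001 IP 192.168.10.5.50123 > 93.184.216.34.443: Flags [S], seq 1, length 0",
    "12:00:01.000002 IP 192.168.10.6.50200 > 198.51.100.20.80: Flags [S], seq 2, length 0",
    "12:00:01.000003 IP 192.168.10.7.50300 > 192.0.2.50.443: Flags [S], seq 3, length 0",
]
WAN_SAMPLE = [
    "12:00:01.000010 IP 203.0.113.10.10001 > 93.184.216.34.443: Flags [S], seq 1, length 0",
    "12:00:01.000011 IP 203.0.113.10.10002 > 192.0.2.50.443: Flags [S], seq 3, length 0",
    "12:00:01.000020 IP 192.0.2.50.443 > 203.0.113.10.10002: Flags [S.], seq 9, ack 2, length 0",
]

def run_example():
    return {k: verdict(v) for k, v in diagnose(DMZ_SAMPLE, WAN_SAMPLE).items()}
```

Run it with real captures by replacing the two sample lists with the lines from `tcpdump -nn -i <dmz-port> tcp` and `tcpdump -nn -i <wan-port> tcp` taken at the same time; a flow that ends up "upstream" is the case PhoneBoy describes, where the gateway has done its part.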
David_Mosca
Explorer

Thanks PhoneBoy. Unfortunately the issue became urgent to fix so we had to bypass the firewall for now. If I get a chance, I'll set up a test environment and re-test this...

0 Kudos
Blason_R
Leader

So your internet is terminated on the router? And if I understood correctly, to reach the internet, traffic will come to the router, then down to the firewall, which NATs it and routes it back to the internet, i.e. to the same router?


Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
David_Mosca
Explorer

Correct. One router with both Public and Private network split across virtual circuits. I could see web traffic from the remote branch hitting the firewall (and being allowed), but then timing out on the PC. I suspect it's an issue on the router, but the upstream provider suggests otherwise. Would love to sort it out as that design is our preferred one (bypassing the firewall even for the Private Network adds some risk).

0 Kudos