This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
skandshus
Advisor
Advisor
‎2021-08-11 12:55 PM

Strange issue with routing/nat on site-2-site

Hi everyone.. 

I am hosting a service for a customer on a public accessible IP address…  i have then set up a site-2-site vpn for backup purposes because the customer also has a local server that needs backup.

 

the setup is.

local customer subnet192.168.80.0/24 & 192.168.50.0/24 (with client that needs to access navision service at my public ip.

 

the customer is accessing an RDP service using dns name navision.it-connect.nu

it resolves to my external ip 194.182.21.148

on the customer site I have a 1570 appliance

and In my hosting center I’m running checkpoint open server.

the local subnet for the navision server is 10.10.114.2

I have both firewall and nat rule in place allowing remote access.. everything is fine..

 

But I need to establish a site to site vpn from MY local subnet at the hosting center at 10.10.150.0/24 because I need to take a backup of a server at the customer local site.. that server is located at 192.168.80.0/24

 

i can establish the site to site tunnel fine and everything is working. But when I do that, then it is no longer possible for the customer at their local subnet 192.168.0.0/24 & 192.168.50.0/24 to access the navision server any longer, even though both the navision subnet AND the customers local subnet has not been defined in the encryption domain(which is on purpose)..


can anybody shed some light on what is happening ? I have another customer where this is not an issue… I even tried to do a copy/paste of the vpn community setup to rule out error, but it still blocks the remote access.. 

 

 

so I’m short.. vpn tunnel connects successfully allowing my backup server to reach customer subnet and do the backup but it breaks the customers access to the navision server when they try to reach it using the dns name/wan up address..

0 Kudos
6 Replies
G_W_Albrecht
Legend
Legend
‎2021-08-12 07:22 AM

Is your external ip 194.182.21.148 included in the encryption domain ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
skandshus
Advisor
Advisor
‎2021-08-12 07:25 AM
In response to G_W_Albrecht

No the external Ip is not included… on purpose though.. wouldn’t that cause issues?

0 Kudos
G_W_Albrecht
Legend
Legend
‎2021-08-12 07:34 AM
In response to skandshus

As the clients try to connect to that IP, it would cause issues, so i have asked 😎 Are the clients NATed behind the GW IP ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
skandshus
Advisor
Advisor
‎2021-08-12 07:54 AM
In response to G_W_Albrecht

Both subnet on each side is behind hide nat on the gateway… 

 

from my perspective I would expect the subnets to only be routed, if a host would try to access navision.it-connect:8787

i would expect them to hit the wan interface and NOT for some reason go through the tunnel.. even though the IP address /gateway is also used as the peer gateway.. and I have no idea how to “explain” it regarding a TAC and making sure they understood 100% what the problem is..

 

 

0 Kudos
G_W_Albrecht
Legend
Legend
‎2021-08-12 08:09 AM
In response to skandshus

Try to exclude only Microsoft Remote Desktop on TCP port 3389 from your VPN Community.

CCSE CCTE CCSM SMB Specialist
0 Kudos
skandshus
Advisor
Advisor
‎2021-08-12 12:28 PM
In response to G_W_Albrecht

i didnt even know it possible to "exclude" that.. how would you go around doing that?

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Wed 01 May 2024 @ 02:00 PM (EDT)

    South US: HTTPS Inspection Best Practices
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Wed 01 May 2024 @ 02:00 PM (EDT)

    South US: HTTPS Inspection Best Practices
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 10:00 AM (CEST)

    CheckMates Live BeLux: How Can Check Point AI Copilot Assist You?
    CheckMates Events