Basyuk
Contributor

Use specific internal IP for connection from Checkpoint 1430

Hello!

I would like to run a script to copy a file from a server on a Checkpoint 1430, but it's accessed from the external IP.

In sk119415 it was recommended to use the command fw ctl set int fw_enc_conns_use_internal 1

If you use this command, then the checkpoint uses any internal IP from its interfaces.

How can I set a specific IP for this purpose?

Firmware version 77.20.87

G_W_Albrecht
Legend

In sk119415 we learn about IPSec VPN tunnels peer IPs - you can select using Advanced Settings to use internal IP for VPN tunnels on locally managed SMB, or using fw ctl set int fw_enc_conns_use_internal 1 on centrally managed SMBs. There is no way to set it to a specific internal IP, but you can try to define a Bridge with the internal IP you want and add all LAN ports (or a Switch with all LAN ports) and WLAN. For outgoing IPSec, this internal IP should be used.

So please explain which client should start a copy from server to which target?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Basyuk
Contributor

Thank you, but I do not understand the method using a Bridge.

For example:

My SMB device has two interfaces with subnets (LAN1 - 10.1.1.1, LAN2 - 172.30.1.1).
Or the SMB has one interface with two VLANs (LAN1.1111 - 10.1.1.1, LAN1.1112 - 172.30.1.1).

I use SmartProvisioning to run a script that writes the interface configuration to a file and copies this file to my PC (using SCP).

I have the ability to allow access to my PC only from 10.1.1.1.

How can I do it? 

G_W_Albrecht
Legend

I am sorry, but I do not understand where the IPSec VPN tunnel comes in here. Bridge is fully covered in the Admin Guide, I would start with it first.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Basyuk
Contributor

My computer is located behind another checkpoint. 

G_W_Albrecht
Legend

Oh, you want to manipulate the source IP so it does not come from the WAN IF but from an internal SMB IF. Better idea: Let the script send it to a watched client folder in this SMB's local network first and resend it to you from that client 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Basyuk
Contributor

At this moment I am using the following method:

1. Enable bashUser for admin and run my script in SmartProvisioning

2. Run a script from my PC that copies these files to my PC with the help of PuTTY (pscp)

3. Disable bashUser for admin

I thought there was a way to do it through SmartProvisioning :(
