VPN Remote Access - Enable Visitor Mode on This Interface
Hi Team,
We have 14 public IP addresses bound to our WAN port.
The public IP of the wan is A.B.C.1.
We want to dedicate the IP A.B.C.2 to the remote access VPN. This IP (A.B.C.2) is not assigned to any interface.
We have performed the following change:
Device > Advanced > Advanced Settings >
- VPN Remote Access - Enable Visitor Mode on This Interface = A.B.C.2
Despite this configuration, the firewall is not responding to VPN requests from remote users.
I have performed the following test:
- With a tcpdump on WAN interface, I have observed that the gateway does not answer the ARP Requests related to the IP A.B.C.2
My question is:
Can we assign an IP that does not belong to an external interface in the option "Device > Advanced > Advanced Settings > VPN Remote Access - Enable Visitor Mode on This Interface"?
Regards
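The tcpdump check in the post above, generalized as an added example (not code from the thread or from Check Point): given the text output of `tcpdump -n -i <wan> arp`, it reports for each target address how many who-has requests were seen, how many replies came back, and which MAC answered, so you can see at a glance which public addresses the gateway is not claiming. The capture lines, addresses (203.0.113.0/24) and MACs below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -i <wan> arp` output (addresses and MACs are
# invented): .1 is the WAN interface address and is answered, .3 is answered with
# the same MAC (proxy ARP or alias), .2 is requested three times and never
# answered, which is the symptom described in the post.
SAMPLE_CAPTURE = """\
10:00:01.000100 ARP, Request who-has 203.0.113.1 tell 203.0.113.254, length 46
10:00:01.000350 ARP, Reply 203.0.113.1 is-at 00:1c:7f:aa:bb:01, length 28
10:00:02.104200 ARP, Request who-has 203.0.113.2 tell 203.0.113.254, length 46
10:00:03.104900 ARP, Request who-has 203.0.113.2 tell 203.0.113.254, length 46
10:00:04.105600 ARP, Request who-has 203.0.113.2 tell 203.0.113.254, length 46
10:00:05.000000 ARP, Request who-has 203.0.113.3 tell 203.0.113.254, length 46
10:00:05.000300 ARP, Reply 203.0.113.3 is-at 00:1c:7f:aa:bb:01, length 28
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
REQUEST_RE = re.compile(r"ARP, Request who-has " + IP + r" tell " + IP)
REPLY_RE = re.compile(r"ARP, Reply " + IP + r" is-at ([0-9a-fA-F:]{17})")


def arp_summary(capture_text):
    """Per target IP: number of who-has requests seen, number of replies,
    and the set of MACs that answered."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0, "macs": set()})
    for line in capture_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            stats[m.group(1)]["requests"] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            stats[m.group(1)]["replies"] += 1
            stats[m.group(1)]["macs"].add(m.group(2).lower())
    return dict(stats)


def unanswered_ips(capture_text, candidates=None):
    """IPs that were ARP-requested but never answered. Restrict to `candidates`
    (the addresses you expect the gateway to own) when given."""
    stats = arp_summary(capture_text)
    return sorted(
        ip for ip, s in stats.items()
        if (candidates is None or ip in candidates)
        and s["requests"] > 0 and s["replies"] == 0
    )


def ips_answered_by(capture_text, mac):
    """All IPs for which the given MAC sent an ARP reply: on a gateway that is
    the interface address plus every proxy ARP / alias it actually serves."""
    mac = mac.lower()
    return sorted(ip for ip, s in arp_summary(capture_text).items() if mac in s["macs"])


if __name__ == "__main__":
    import sys
    # Pipe a real capture in, or run without input to analyse the sample above.
    text = SAMPLE_CAPTURE if sys.stdin.isatty() else sys.stdin.read()
    for ip, s in sorted(arp_summary(text).items()):
        state = "answered" if s["replies"] else "NOT ANSWERED"
        print(f"{ip:<16} requests={s['requests']} replies={s['replies']} {state}")
    print("unanswered:", unanswered_ips(text))
```

Usage on the gateway side: `tcpdump -n -i <wan> arp > arp.txt`, trigger the VPN client (or an ARP probe from the upstream router), then feed `arp.txt` to the script. An address that shows requests but no replies is not claimed by the gateway at all, which rules out the Visitor Mode setting itself and points at the L2 problem first.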
Accepted Solutions
Hi All,
I have received answer from the TAC:
Visitor mode is relevant only for configured interfaces on the appliances.
You can't establish VPN C2S to IPs which are not interfaces
What is the logic behind your request?
Command for adding the proxy arp:
add arp proxy ipv4-address A.B.C.2 macaddress 11:22:33:44:55:66 real-ipv4-address A.B.C.1
Hi PhoneBoy
This is a migration from another firewall to Check Point, and there is a NAT rule on the WAN interface for HTTPS that is used by many partners: disabling this feature is not suitable for the customer, as that would impact many users.
Hi Maarten,
Thanks for your help. This is an SMB appliance (700), locally managed. I have seen sk114531 related to your instruction and I will try this.
Regards
Constant NSAH
Hello,
I have tried sk114531 and the gateway answers the ARP Requests related to the IP A.B.C.2 but the VPN still failed.
I will contact TAC.
You can't do that unless your gateway is listening on that IP.
It seems to me it will be easier for you to change the main WAN IP to .2 and leave the .1 only for the NATs.
That way you don't have to deal with all the partners and the VPN keeps the same IP address.
Thanks for your comment. This is the last solution that we plan to try. As I have written before, there are many services published on this IP, and these services are used by many partners.
What I suggested was to change only the main WAN address to A.B.C.2, which will enable you to use Remote Access VPN on that address.
You can keep the published pages and services (except VPN) on IP address A.B.C.1 or any other address of your range, provided you set the correct proxy ARP and NAT rules.
This seems to be the way to cause least impact on your partners and VPN clients.
The only affected services would be site-to-site VPNs, if you have any, which will have to move from A.B.C.1 to A.B.C.2, but I think it is better to make changes to site-to-site than client-to-site, especially if you don't have a DNS name for that.
So:
No impact for published pages
No impact for VPN clients
Easy to fix impact on site-to-site VPNs.
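The two rules this thread settles on, as an added example (not code from the thread, from Check Point, or from any poster): the Visitor Mode address must be the address actually configured on the WAN interface (the TAC answer), and every other public address used by NAT rules needs a proxy ARP entry so the gateway answers for it. The script checks a planned address layout against those rules and emits the `add arp proxy` command lines, in the same syntax quoted earlier in the thread, for any NATed address still missing one. The `WanPlan` model, the addresses (203.0.113.0/24) and the MAC are constructed for illustration; nothing is read from an appliance.

```python
from dataclasses import dataclass, field


@dataclass
class WanPlan:
    """Constructed model of the parts of the gateway configuration that matter here."""
    primary_ip: str                 # the WAN interface's own address
    interface_mac: str              # WAN interface MAC, used in `add arp proxy`
    visitor_mode_ip: str            # Device > Advanced Settings > Visitor Mode address
    nat_public_ips: set             # public addresses referenced by NAT rules
    proxy_arp_ips: set = field(default_factory=set)   # addresses already proxy-ARPed


def validate_plan(plan):
    """Return (errors, commands).

    errors:   violations that no proxy ARP entry can fix (Visitor Mode on an
              address the gateway does not own).
    commands: Gaia clish lines that would add the missing proxy ARP entries for
              NATed addresses that are not the interface address.
    """
    errors = []
    commands = []
    if plan.visitor_mode_ip != plan.primary_ip:
        errors.append(
            f"Visitor Mode address {plan.visitor_mode_ip} is not the WAN interface "
            f"address {plan.primary_ip}; remote access clients will not be answered"
        )
    for ip in sorted(plan.nat_public_ips):
        if ip == plan.primary_ip or ip in plan.proxy_arp_ips:
            continue   # the gateway already answers ARP for this address
        commands.append(
            f"add arp proxy ipv4-address {ip} macaddress {plan.interface_mac} "
            f"real-ipv4-address {plan.primary_ip}"
        )
    return errors, commands


# The layout from the original post (constructed values): .1 is the interface,
# .2 is set as the Visitor Mode address, HTTPS publishing is NATed to .1.
AS_POSTED = WanPlan("203.0.113.1", "00:1c:7f:aa:bb:01", "203.0.113.2", {"203.0.113.1"})

# The layout proposed in the last reply: interface and Visitor Mode move to .2,
# the published services stay on .1 and need proxy ARP there.
PROPOSED = WanPlan("203.0.113.2", "00:1c:7f:aa:bb:01", "203.0.113.2", {"203.0.113.1"})


if __name__ == "__main__":
    for name, plan in (("as posted", AS_POSTED), ("proposed", PROPOSED)):
        errors, commands = validate_plan(plan)
        print(f"[{name}] errors: {errors or 'none'}")
        for cmd in commands:
            print(f"[{name}] missing proxy ARP -> {cmd}")
```

The script deliberately refuses to emit a proxy ARP command for the Visitor Mode address: the earlier post shows that proxy ARP makes the gateway answer ARP for A.B.C.2 but does not make the VPN work, so an error, not a command, is the right output for that case. Site-to-site peers are out of scope for this check and, as noted above, would need their peer address updated when the interface moves.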
