This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
skandshus
Advisor
Advisor
‎2021-09-06 08:06 AM
Jump to solution

Site-2-site access to Remote external interface dropped

Hello everyone..

I just deployed a site-2-site connection today.. but I am seeing an issue that I haven’t experienced with other vendor.

so site A has services exposed on the wan interface at port 7040.

If I sit at my computer from site 2 and try to access site a on the external wan interface:7040 everything works.

as soon as I establish the site-2-site connection I am no longer able to access site a at the external wan interface at port :7040

i can see logging takes the traffic and puts it into the tunnel.. maybe because the peering gateway is the same external interface ip as where the server on port 7040 is located behind ..though after the site-2-site it can be accessed on the internal ip. But for some reason the vendor at site a wants to keep the access available on the external interface 

 

 

so site A IP address at port 7040 is working without site-2-site active

after setting up site-2-site vpn there is no longer access at site A IP address at port 7040 because the local gateway sends the traffic into the tunnel..

how do I avoid that from happening?

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-09-06 09:46 AM
Jump to solution

Scenario 3 here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Basically the same thing @the_rock highlighted previously.

View solution in original post

14 Replies
the_rock
Legend
Legend
‎2021-09-06 08:17 AM
Jump to solution

Just as a basic check, did you run capture on the firewall on that port when going through the tunnel to see whats happening with the traffic? How about zdebug drop command? I think those may give some clues...

0 Kudos
skandshus
Advisor
Advisor
‎2021-09-06 08:25 AM
In response to the_rock
Jump to solution

Firewall sees the traffic and encrypts it and sends it to the tunnel.. I suspect it does it because the peering gateway is the same address as when I try to access it via the ip:7040 and because the ip is also the peering address is sends the traffic into the tunnel.. which i don’t want. I only want the remote encryption domain and the local encryption domain to have traffic in the tunnel. But for some reason traffic destined to the gateway on the external interface (on the remote site) is also sent to the tunnel.

and I’ve seen this on multiple site-2-site setup so apparently it’s not a “bug” but by design.. I just don’t see the purpose or how to work around it..

 

0 Kudos
the_rock
Legend
Legend
‎2021-09-06 08:35 AM
In response to skandshus
Jump to solution

I am pretty sure its because it sees it in vpn domain, more than likely...you can try below, I have a feeling it would help.

 

https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

0 Kudos
skandshus
Advisor
Advisor
‎2021-09-06 08:39 AM
In response to the_rock
Jump to solution

I believe you are correct as it’s set as the gateway in the vpn community. But I was hoping there was a workaround for letting traffic destined to the remote external interface to still be allowed..  ideally I can’t be the only one having  experienced this before 🙂

the_rock
Legend
Legend
‎2021-09-06 08:45 AM
In response to skandshus
Jump to solution

I will let @PhoneBoy confirm that, but Im not aware of an easy workaround, sorry.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-09-06 09:46 AM
Jump to solution

Scenario 3 here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Basically the same thing @the_rock highlighted previously.

skandshus
Advisor
Advisor
‎2021-09-06 09:52 AM
In response to PhoneBoy
Jump to solution

Okay so that’s the way to do it?

do you guys have experience in this so this is how “people fix it”??

is there no other way than the cli way?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-09-06 10:02 AM
In response to skandshus
Jump to solution

The issue is the gateway is always included in the encryption domain. 
This has been the case since the earliest days of the product.
The fix is as described in the SK and there are a few threads on the community about it.

skandshus
Advisor
Advisor
‎2021-09-06 10:08 AM
In response to PhoneBoy
Jump to solution

Apparently I havent been able to find the right search words to hit other results 🙂

0 Kudos
the_rock
Legend
Legend
‎2021-09-06 10:16 AM
In response to skandshus
Jump to solution

Trust me, phoneboy is 100% correct. If anyone knows CP products, its him. 

0 Kudos
thevince
Explorer
‎2021-09-10 04:28 AM
In response to PhoneBoy
Jump to solution

If port 7040 is only used on public IP of the gateway (and doesn't have to be used with another internal IP accessed from the VPN), as an alternative to SK solution, you can exclude the service in the 'Excluded Services'  tab in the VPN community.

0 Kudos
the_rock
Legend
Legend
‎2021-09-10 09:59 AM
In response to thevince
Jump to solution

Correct, but thats just for the service, not the actual IP address though.

0 Kudos
skandshus
Advisor
Advisor
‎2021-09-15 10:34 AM
In response to PhoneBoy
Jump to solution

In the case of having the gateway automatically included in the encryption domain

then it guess if i matched 2 Checkpoint gateway's manged by the same smartconsole and setup a site-2-site vpn then both gateways at each end would be included, hence i should not loose access to the remote wan interface?

 

i just tested, and i still lost access to the remote wan interface.. if i drop the site-2-site then i regain access to the wan interface

0 Kudos
the_rock
Legend
Legend
‎2021-09-15 11:13 AM
In response to skandshus
Jump to solution

I would run some captures to better understand as to why its being dropped.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events