skandshus
Advisor

Site-2-site access to Remote external interface dropped

Hello everyone..

I just deployed a site-2-site connection today.. but I am seeing an issue that I haven't experienced with other vendors.

so site A has services exposed on the wan interface at port 7040.

If I sit at my computer from site 2 and try to access site A on the external WAN interface:7040, everything works.

As soon as I establish the site-2-site connection I am no longer able to access site A at the external WAN interface at port :7040.

I can see in the logging that it takes the traffic and puts it into the tunnel.. maybe because the peering gateway is the same external interface IP as where the server on port 7040 is located behind.. though after the site-2-site it can be accessed on the internal IP. But for some reason the vendor at site A wants to keep the access available on the external interface.

so site A IP address at port 7040 is working without site-2-site active

After setting up the site-2-site VPN there is no longer access at site A IP address at port 7040 because the local gateway sends the traffic into the tunnel..

how do I avoid that from happening?

1 Solution

Accepted Solutions
PhoneBoy
Admin
14 Replies
the_rock
Legend

Just as a basic check, did you run a capture on the firewall on that port when going through the tunnel to see what's happening with the traffic? How about the zdebug drop command? I think those may give some clues...
skandshus
Advisor

The firewall sees the traffic, encrypts it and sends it into the tunnel.. I suspect it does it because the peering gateway is the same address as when I try to access it via the ip:7040, and because the IP is also the peering address it sends the traffic into the tunnel.. which I don't want. I only want the remote encryption domain and the local encryption domain to have traffic in the tunnel. But for some reason traffic destined to the gateway on the external interface (on the remote site) is also sent to the tunnel.

And I've seen this on multiple site-2-site setups, so apparently it's not a "bug" but by design.. I just don't see the purpose or how to work around it..
the_rock
Legend

I am pretty sure it's because it sees it in the VPN domain, more than likely... you can try the below, I have a feeling it would help.

https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

skandshus
Advisor

I believe you are correct, as it's set as the gateway in the VPN community. But I was hoping there was a workaround for letting traffic destined to the remote external interface still be allowed.. ideally I can't be the only one having experienced this before 🙂

the_rock
Legend

I will let @PhoneBoy confirm that, but I'm not aware of an easy workaround, sorry.
PhoneBoy
Admin
skandshus
Advisor

Okay, so that's the way to do it?

Do you guys have experience in this, so this is how "people fix it"??

Is there no other way than the CLI way?
PhoneBoy
Admin

The issue is that the gateway is always included in the encryption domain.
This has been the case since the earliest days of the product.
The fix is as described in the SK, and there are a few threads on the community about it.

skandshus
Advisor

Apparently I haven't been able to find the right search words to hit other results 🙂
the_rock
Legend

Trust me, PhoneBoy is 100% correct. If anyone knows CP products, it's him.
thevince
Explorer

If port 7040 is only used on the public IP of the gateway (and doesn't have to be used with another internal IP accessed from the VPN), as an alternative to the SK solution you can exclude the service in the 'Excluded Services' tab in the VPN community.
the_rock
Legend

Correct, but that's just for the service, not the actual IP address though.
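To make the two behaviours discussed in this thread concrete (the gateway's own external IP being part of its encryption domain, and an 'Excluded Services' entry applying to the service everywhere rather than to one IP), here is a small added simulation of the tunnel decision. This is illustrative code written for this page, not Check Point's code or the SK's fix; the gateway names, documentation-range addresses and networks are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Simplified model of a site-to-site community's "into the tunnel?" decision.
# Constructed for illustration; it is not the vendor's real matching logic.

@dataclass
class Gateway:
    name: str
    external_ip: str
    encryption_domain: list          # CIDR strings behind this gateway

@dataclass
class Community:
    members: list                    # participating Gateway objects
    excluded_services: set = field(default_factory=set)   # {(proto, port)}

def effective_domain(gw):
    """The domain as the community sees it: the configured networks plus the
    gateway's own external address, which is always included (see thread)."""
    nets = [ipaddress.ip_network(n) for n in gw.encryption_domain]
    nets.append(ipaddress.ip_network(gw.external_ip + "/32"))
    return nets

def owner_of(ip, community):
    addr = ipaddress.ip_address(ip)
    for gw in community.members:
        if any(addr in net for net in effective_domain(gw)):
            return gw
    return None

def tunnel_decision(community, src_ip, dst_ip, proto, dport):
    """'tunnel' when src and dst belong to two different members' domains and
    the service is not excluded; 'clear' otherwise."""
    if (proto, dport) in community.excluded_services:
        return "clear"                # exclusion is per service, not per IP
    src_gw, dst_gw = owner_of(src_ip, community), owner_of(dst_ip, community)
    if src_gw and dst_gw and src_gw is not dst_gw:
        return "tunnel"
    return "clear"

# Constructed sample: site A serves tcp/7040 on its external IP.
SITE_A = Gateway("site-A", "198.51.100.10", ["10.1.0.0/16"])
SITE_B = Gateway("site-B", "203.0.113.20", ["10.2.0.0/16"])
COMMUNITY = Community([SITE_A, SITE_B])

def demo(exclude_7040=False):
    """Client at site B reaching site A's external IP:7040 and an internal host."""
    comm = Community([SITE_A, SITE_B], {("tcp", 7040)} if exclude_7040 else set())
    return {"external": tunnel_decision(comm, "10.2.0.50", "198.51.100.10", "tcp", 7040),
            "internal": tunnel_decision(comm, "10.2.0.50", "10.1.0.5", "tcp", 7040)}
```

Without the exclusion the request to the external IP lands in the tunnel exactly as the original poster observed; with it, tcp/7040 goes in the clear to the internal host as well, which is the limitation the_rock points out.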
skandshus
Advisor

In the case of having the gateway automatically included in the encryption domain,

then I guess if I matched 2 Check Point gateways managed by the same SmartConsole and set up a site-2-site VPN, then both gateways at each end would be included, hence I should not lose access to the remote WAN interface?

I just tested, and I still lost access to the remote WAN interface.. if I drop the site-2-site then I regain access to the WAN interface.
the_rock
Legend

I would run some captures to better understand why it's being dropped.