Hello,
I'm new to Check Point and currently I'm confused by one case.
While I'm connected to the Site A network behind the Site A gateway, which is connected via site-to-site VPN to the B gateway, I'm unable to access resources located in the B network via SSH.
But the resources are still reachable via HTTPS, HTTP and ICMP.
We also have an IPsec VPN configuration with Network C, and for remote VPN clients everything is working.
What I can see in the logs is: source: my PC, dst: Linux server, action: accept, origin: VPN Gateway, so from here everything looks just fine, but at the same time the Linux server is not receiving any connections.
At the same time, connections via RDP to Windows servers are working.
The VPN community topology is Star, and SSH is in Excluded Services.
Telnet from the PC shows that port 22 is closed.
GW version: R80.30
If any other info is needed, please let me know.
Br, Arthurs
If SSH is listed in Excluded Services and it’s not working, maybe you need to remove it from Excluded Services?
Or the remote site needs to update their configuration so it’s added as an Excluded Service?
I've checked the security policy rules and all traffic and services are allowed from Network A to Network B. I also tried to create a rule for testing purposes allowing the SSH service from my PC to the Linux server, and again in the logs I could see that this connection is accepted, with the correct policy rule number.
Regarding the server, its firewall is disabled and it's listening on port 22 from all networks.
I will try to remove it from Excluded Services later today and see if it will work.
What do you mean by "Or the remote site needs to update their configuration so it's added as an Excluded Service?" The "remote site", let's call it Network B, and my site, Network A, are connected to each other via an IPsec tunnel and use one VPN community where this setting is set. Is there any other place where this configuration should be set for Network B? Both firewalls in these networks are centrally managed.
“Or the remote site needs to update their configuration so it’s added as an Excluded Service” assumed the site was managed/controlled by a third party.
I will try to remove it from Excluded Services later today and update here about results.
What do you mean by "Or the remote site needs to update their configuration so it's added as an Excluded Service?"
The remote site is Network B and my site is Network A; they are both connected via an IPsec tunnel which is part of the VPN community where this setting is set. Is there any other place where I should change this configuration for Network B?
Both firewalls are centrally managed.
I'm connecting to the server's private IP address, not to the public gateway IP.
There are a lot of ways to use Check Point VPN-1 and a lot of ways to use SSH. Depending on what you want to do with either, you may need to exclude SSH, or define things more granularly with user.def.
For example, if you control both sites, you may want to exclude SSH so you can still SSH from one site to the firewall at the other site for troubleshooting even if the VPN is broken.
Thanks, I have removed SSH from Excluded Services and now the connection is working.
I'm still not sure what you meant by "remote site needs to update their configuration": the remote site and my location are both connected via an IPsec tunnel and are part of the same VPN community, so they share the Excluded Services list, or do I understand this wrong?
P.S. I replied twice this morning, but the replies didn't appear. I'm not sure if some kind of pre-post check is happening, but in case there end up being 3 replies, sorry for that.
If SSH is in Excluded Services ... then it will be excluded from the VPN and be sent in the clear. That's what that setting tells the firewall to do. If the destination is private, you won't be able to reach it over the Internet without using the VPN.
Why is SSH in the Excluded Services for the VPN? There may be a better way to meet the requirement.
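To make the behaviour described in this answer concrete, here is an added model (not Check Point code, and not from anyone in this thread) of how a gateway treats a connection: the access policy decides accept/drop and writes the log, and only then does the community's Excluded Services list decide whether the packet goes into the tunnel or is routed in the clear. The addresses, rulebase and the first-match logic are constructed assumptions.

```python
"""Model of policy accept vs. VPN tunnel routing with Excluded Services.
Added example; the networks, rules and matching logic are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Community:
    """Star/mesh community: encryption domains per gateway + excluded services."""
    domains: dict                                  # gateway -> list of networks
    excluded_services: set = field(default_factory=set)


def policy_action(rules, src, dst, service):
    """First-match rulebase; returns (action, rule_no). Rule 0 = implicit cleanup."""
    for no, (rsrc, rdst, rsvc, action) in enumerate(rules, start=1):
        if (ip_address(src) in ip_network(rsrc)
                and ip_address(dst) in ip_network(rdst)
                and rsvc in ("any", service)):
            return action, no
    return "drop", 0


def in_encryption_domain(community, ip):
    return any(ip_address(ip) in ip_network(n)
               for nets in community.domains.values() for n in nets)


def vpn_path(community, src, dst, service):
    """Tunnel only if both ends are in encryption domains AND the service is not excluded."""
    if not (in_encryption_domain(community, src) and in_encryption_domain(community, dst)):
        return "clear"
    if service in community.excluded_services:
        return "clear"          # excluded: bypasses the VPN, routed like ordinary traffic
    return "tunnel"


def simulate(rules, community, src, dst, service):
    """Returns what the log shows and whether the packet can actually reach dst."""
    action, rule = policy_action(rules, src, dst, service)
    if action != "accept":
        return {"log": "drop", "rule": rule, "path": None, "reaches_server": False}
    path = vpn_path(community, src, dst, service)
    # a clear-text packet to a private address is not routable across the Internet
    reaches = path == "tunnel" or not ip_address(dst).is_private
    return {"log": "accept", "rule": rule, "path": path, "reaches_server": reaches}


# constructed sample: Site A = 10.1.0.0/24, Site B = 10.2.0.0/24, SSH excluded
RULES = [("10.1.0.0/24", "10.2.0.0/24", "any", "accept")]
STAR = Community({"gw-a": ["10.1.0.0/24"], "gw-b": ["10.2.0.0/24"]}, {"ssh"})
```

With SSH excluded, `simulate(RULES, STAR, "10.1.0.10", "10.2.0.20", "ssh")` logs accept on rule 1 but sends the packet in the clear to a private address, which is exactly the "accept in the log, nothing on the server" symptom; HTTPS goes through the tunnel, and once `"ssh"` is removed from `excluded_services` SSH does too.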