Carlos
Participant

VPN Established but incoming traffic is rejected

Hi team,

I have a VPN set up between a Check Point R80.40 and a Cisco ASA version 9.16(1), and I can't get traffic to go from one side to the other successfully, as I see traffic being blocked on the Check Point side.

The tunnel is up...
This is what I get in the logs:

This is from checkpoint to ASA

Checkpoint to ASA.png

This is from the ASA to the checkpoint

ASA to CheckPoint.png

0 Kudos
12 Replies
PhoneBoy
Admin

Looks like the remote end isn't encrypting traffic to us.
I'd check the configuration on the ASA side.

0 Kudos
Carlos
Participant

Hi PhoneBoy,

That cannot be the case, since I see that the ASA is encrypting traffic, but I can't see encrypted replies from the Check Point.

Please check the attached image, which is a screenshot from the ASA.
I have access to both devices, by the way.

0 Kudos
PhoneBoy
Admin

There’s not enough information being shown in the log screenshots you’ve provided.
Please show a full log card for one of the drops.
Also, we’ll need to see what the precise rulebase in question is.

0 Kudos
Carlos
Participant

Hi PhoneBoy,

As you can see in the images, the first one is the rule allowing bidirectional traffic. The second one is traffic from the Check Point side to the ASA, and the third one is traffic from the ASA to the Check Point.
I don't know what you mean by "precise rulebase in question".

Regras.PNG
As you can FROM checkpoint to ASA.PNG
ASA TO CHECKPOINT.PNG

0 Kudos
RS_Daniel
Advisor

Hello,

Double-click on one of the drop logs (ASA to CheckPoint), go to the Matching Rules tab and check which rule is being applied. According to the screenshots, I can only imagine network 192.168.52.0/X is not properly configured in your AUPEC_NET_52 or MINFIN_AUPEC_NET object, the one that is supposed to be the remote encryption domain. Also check the drop reason on the log card.

Regards

0 Kudos
Carlos
Participant

Hi RS_Daniel,

Please see the image below.

It does not say which rule dropped it.

DROP.PNG

0 Kudos
Timothy_Hall
Legend

Spoofing drop, probably caused by defining the entire 192.168.0.0/12 supernet on the topology of your internal interface, which is a common mistake. Exclude 192.168.52.0/24 from the topology of your external interface (bond0.10) on the firewall/cluster object and it should start working.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Carlos
Participant

Hi Timothy,

Is the exclusion done as in the image below? If so, I have done it and it's still not working. Sorry for my ignorance, as I'm new to Check Point and this is my first time setting up a VPN tunnel on a Check Point gateway.

Topology.png

0 Kudos
Timothy_Hall
Legend

Appears to be a routing problem, as you have "Calculate topology automatically based on routing" set. Uncheck that and properly define External/Internal and the correct topology manually on all your interfaces. This is probably your issue.

0 Kudos
the_rock
Legend
(Accepted solution)

Yes, that's where you would do it. So, just to be sure, what I would do is this: set spoofing to Detect on the internal interface and also add the external IP of the Cisco into the option "Don't check packets from" on the external interface, push policy and test.

You can also refer to below links for the reference:

https://community.checkpoint.com/t5/Cloud-Network-Security/Local-interface-address-spoofing/td-p/150...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Andy

0 Kudos
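The anti-spoofing logic the two replies above are reasoning about (Timothy_Hall's point that a supernet on the internal interface claims the remote encryption domain, and the_rock's Detect mode plus "Don't check packets from" exemption) as an added worked example. This is not part of the thread and not Check Point code: it is a simplified model in which an external interface accepts any source not claimed by an internal interface's topology. The interface names (bond0.10, eth1), the local LAN 192.168.10.0/24, the peer address 203.0.113.2 and the 192.168.0.0/16 supernet are assumptions, and the model does not represent how the gateway evaluates the decrypted inner packet versus the outer ESP packet.

```python
"""Toy per-interface anti-spoofing model (added example, not Check Point's
implementation).  Shows why a decrypted VPN packet from the remote
encryption domain is dropped when the internal topology swallows it."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Interface:
    name: str
    external: bool = False                  # True: topology "External (Internet)"
    networks: list = field(default_factory=list)         # internal topology
    excluded: list = field(default_factory=list)         # carved out of that topology
    dont_check_from: list = field(default_factory=list)  # "Don't check packets from"
    mode: str = "prevent"                   # "prevent", "detect" or "off"


def _covers(addr, nets) -> bool:
    return any(addr in n for n in nets)


def claimed_by_internal(addr, ifaces) -> bool:
    """True if some internal interface's topology says addr lives behind it."""
    return any(
        _covers(addr, i.networks) and not _covers(addr, i.excluded)
        for i in ifaces.values()
        if not i.external
    )


def anti_spoofing(src: str, ingress: str, ifaces: dict) -> str:
    """Verdict for a packet with source src arriving on interface ingress:
    'accept' (legitimate or exempt), 'detect' (spoofed, Detect mode: logged
    and passed) or 'drop' (spoofed, Prevent mode)."""
    iface = ifaces[ingress]
    addr = ip_address(src)
    if iface.mode == "off" or _covers(addr, iface.dont_check_from):
        return "accept"
    if iface.external:
        # External topology is "everything not behind an internal interface".
        spoofed = claimed_by_internal(addr, ifaces)
    else:
        spoofed = not (_covers(addr, iface.networks) and not _covers(addr, iface.excluded))
    if not spoofed:
        return "accept"
    return "drop" if iface.mode == "prevent" else "detect"


def build(internal_nets, excluded=(), dont_check=(), internal_mode="prevent"):
    """Two-interface gateway; names are assumed (bond0.10 external, eth1 internal)."""
    return {
        "bond0.10": Interface("bond0.10", external=True,
                              dont_check_from=[ip_network(n) for n in dont_check]),
        "eth1": Interface("eth1", networks=[ip_network(n) for n in internal_nets],
                          excluded=[ip_network(n) for n in excluded], mode=internal_mode),
    }


# Constructed scenario: the peer's encryption domain is 192.168.52.0/24 and
# its decrypted packets enter on the external interface bond0.10.
REMOTE_HOST = "192.168.52.10"

# 1. The mistake from the thread: a supernet on the internal interface
#    covers the remote encryption domain, so the packet looks spoofed.
supernet = build(["192.168.0.0/16"])
# 2. Topology defined manually and precisely: only the real local LAN.
manual = build(["192.168.10.0/24"])
# 3. Same supernet, but the remote domain carved out with an exclusion.
carved = build(["192.168.0.0/16"], excluded=["192.168.52.0/24"])
# 4. Peer's outer address exempted on the external interface and the
#    internal interface switched to Detect (the_rock's suggestion).
relaxed = build(["192.168.0.0/16"], dont_check=["203.0.113.2/32"], internal_mode="detect")


def verdicts() -> dict:
    return {
        "supernet, remote host on external": anti_spoofing(REMOTE_HOST, "bond0.10", supernet),
        "manual topology, remote host":      anti_spoofing(REMOTE_HOST, "bond0.10", manual),
        "exclusion, remote host":            anti_spoofing(REMOTE_HOST, "bond0.10", carved),
        "peer exempt, outer ESP source":     anti_spoofing("203.0.113.2", "bond0.10", relaxed),
        "legit LAN host on internal":        anti_spoofing("192.168.10.5", "eth1", supernet),
        "forged source on internal, prevent": anti_spoofing("10.9.9.9", "eth1", supernet),
        "forged source on internal, detect":  anti_spoofing("10.9.9.9", "eth1", relaxed),
    }


if __name__ == "__main__":
    for scenario, verdict in verdicts().items():
        print(f"{scenario:36} -> {verdict}")
```

Run it and the first line is the drop from the screenshots: the remote host is dropped on bond0.10 only because an internal interface claims it. Either a precise manual topology or an exclusion removes the claim; Detect mode turns a drop into a logged pass, which is why it is useful while testing but should not be left on an interface you intend to protect.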
Carlos
Participant

Thanks everyone, it's working now. The issue was the anti-spoofing.

the_rock
Legend

Glad we could help!

0 Kudos