This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
marksweaver
Explorer
‎2021-06-16 01:37 AM

VPN routing issue

Hi,

 

I wonder if anybody could shed some light on this. I am stumped.

Brief overview, checkpoint gateway (R77.30 Gaia) in a DC routing traffic from inbound policy based vpn out of route based vpn to AWS. We have several of these all working fine. This one involves NAT, none of the working vpns are doing NAT.

Connection to a web server in AWS works from Endpoint connect using the "real" ip of the server.

SmartView Tracker shows vpn routing

Fw monitor shows my client connection to aws host.

 o shows vpnt15 which is the tunnel interface to aws eth4 is the internet interface.

O shows eth4 - this is correct and works with this connection and other external vpns routing to aws

 

[vs_0][fw_0] eth4:i[52]: 172.21.254.52 -> 172.29.146.13 (TCP) len=52 id=49031
TCP: 57971 -> 80 .S.... seq=1ef280d9 ack=00000000
[vs_0][fw_0] eth4:I[52]: 172.21.254.52 -> 172.29.146.13 (TCP) len=52 id=49031
TCP: 57971 -> 80 .S.... seq=1ef280d9 ack=00000000
[vs_0][fw_0] vpnt15:o[52]: 172.21.254.52 -> 172.29.146.13 (TCP) len=52 id=49031
TCP: 57971 -> 80 .S.... seq=1ef280d9 ack=00000000
[vs_0][fw_0] eth4:O[52]: 172.21.254.52 -> 172.29.146.13 (TCP) len=52 id=49031
TCP: 57971 -> 80 .S.... seq=1ef280d9 ack=00000000

 

Fw Monitor below shows connection from the customer end to nat address which is translated on checkpoint to real destination address. Source address remains as original.

SmartView Tracker shows Decrypt and nat translation by the configured by the nat rule. Not vpn routing.

Note - o shows vpnt15 but O also shows vpnt15 - traffic does not arrive at AWS (verified by aws flow log)

[vs_0][fw_0] eth4:i[72]: 172.30.21.144 -> 10.150.194.16 (TCP) len=72 id=17563
TCP: 40203 -> 80 .S.... seq=c909e140 ack=00000000
[vs_0][fw_0] eth4:I[72]: 172.30.21.144 -> 172.29.146.13 (TCP) len=72 id=5445
TCP: 40439 -> 80 .S.... seq=03d3dd1b ack=00000000
[vs_0][fw_0] vpnt15:o[72]: 172.30.21.144 -> 172.29.146.13 (TCP) len=72 id=5445
TCP: 40439 -> 80 .S.... seq=03d3dd1b ack=00000000
[vs_0][fw_0] vpnt15:O[72]: 172.30.21.144 -> 172.29.146.13 (TCP) len=72 id=5445

I have added the subnet being used for nat translations to the encryption domain on checkpoint and the access rule allows traffic from the customer to both the nat address and the real address. Initially i had only the nat address but added the real one to see if it made any difference. It did not.

VPN column is set to any and disable nat inside vp community is not ticked.

The nat subnet is not in use anywhere else.

The aws host is behind an nlb - there is no security group on the nlb so all traffic is allowed.

AWS route tables have been updated with customer networks.

 

I can provide more information if needed.

 

Any suggestions would be appreciated.

 

Regards

Mark 

0 Kudos
1 Reply
marksweaver
Explorer
‎2021-06-17 01:29 AM

To add to this, due to the connectivity issue needing to be resolved yesterday, I routed inbound traffic to a HA Pair of Physical LB's in our data centre which now front end the traffic in to AWS.

This solution works fine but would like this to be a temporary solution as the LB's are old and are scheduled for decom in the medium term (they were front ending for only two remaining systems that are due for migration to AWS).

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events