This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
Advisor
‎2024-05-07 07:33 AM

Site to Site VPN gateway management

Hi

I got a lab of cluster of 2 gateways. Now I want to add a branch office to the same SMS that manages the cluster.

The branch office has its own external IP for example 203.0.114.100 and main office 203.0.113.1

SMS server is 10.1.1.101 and its gateway is 10.1.1.1 

How should NAT rules look like on both sides so that SMS 10.1.1.101 can have communication with the branch office (management traffic I think!)?

What I did is disable NAT inside VPN and add a manual NAT rule to prevent NAT on all networks that uses the VPN:

nat-rule.JPG 

To be able to add the branch office to Smartconsole I had to add some static routes to my lab router to get connection with branch office

(this router represents the internet, so no static routes are possible, but only external IPs)

directly when I remove these routes I loose connection with branch office (Smartconsole loose connection)

lost-contact.JPG

I have created some VTIs between the cluster and the branch office and these can ping each other without the need of the static routes on the router, but still SmartConsole says B-GW lost connection!

Any Ideas!

0 Kudos
21 Replies
the_rock
Legend
Legend
‎2024-05-07 09:05 AM

Do you have simple diagram of this? 

Andy

0 Kudos
Moudar
Advisor
‎2024-05-07 11:18 PM
In response to the_rock

topology.JPG

0 Kudos
Moudar
Advisor
‎2024-05-07 11:23 PM
In response to Moudar

Router configuration:

 

Test-router#show ip int b
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.168.198.131 YES DHCP   up                    up
GigabitEthernet0/1         203.0.113.254   YES NVRAM  up                    up
GigabitEthernet0/2         203.0.114.254   YES NVRAM  up                    up

Gateway of last resort is 192.168.198.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.198.2
      192.168.198.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.198.0/24 is directly connected, GigabitEthernet0/0
L        192.168.198.131/32 is directly connected, GigabitEthernet0/0
      203.0.113.0/24 is variably subnetted, 2 subnets, 2 masks
C        203.0.113.0/24 is directly connected, GigabitEthernet0/1
L        203.0.113.254/32 is directly connected, GigabitEthernet0/1
      203.0.114.0/24 is variably subnetted, 2 subnets, 2 masks
C        203.0.114.0/24 is directly connected, GigabitEthernet0/2
L        203.0.114.254/32 is directly connected, GigabitEthernet0/2

 

My understanding is that if I would count this router as if it was the Internet, then no more configuration should be added!

203.0.113.254 is the gateway of the cluster

203.0.114.254 is the gateway of B-GW

0 Kudos
emmap
Employee
Employee
‎2024-05-07 11:37 PM
In response to Moudar

Connections between gateways and management servers are excluded from VPNs, because the traffic is already encrypted and because you need the connection between gateway and management to be up before you can install the policy that would bring the VPN up. So you need to edit the SMS object and add a static NAT on there (installed on Cluster A) so that the SMS has a public IP that the branch gateway can communicate to. 

You can change this, but it's not the best idea because if the VPN goes down and you need to do a policy install on the branch gateway to fix it, you're in trouble because there's no comms to the gateway.

See: https://support.checkpoint.com/results/sk/sk105719

And: https://support.checkpoint.com/results/sk/sk100583

 

Moudar
Advisor
‎2024-05-08 01:02 AM
In response to emmap

Thank you emmap!

What about this:

sms-nat.JPG

Should I choose that also? why and why not?

0 Kudos
emmap
Employee
Employee
‎2024-05-08 01:13 AM
In response to Moudar

Yes tick that. https://support.checkpoint.com/results/sk/sk66381

0 Kudos
Moudar
Advisor
‎2024-05-08 01:24 AM
In response to emmap

 

sms-nat1.JPG

What should I do here? 

0 Kudos
emmap
Employee
Employee
‎2024-05-08 01:32 AM
In response to Moudar

Select the cluster that the SMS sits behind where it says 'Install on Gateway'.

0 Kudos
Moudar
Advisor
‎2024-05-08 01:50 AM
In response to emmap

still getting this when trying to install policy on B-GW

18191.JPG

tried fw unloadlocal on B-GW but got same result!

0 Kudos
emmap
Employee
Employee
‎2024-05-08 01:54 AM
In response to Moudar

It's a network connectivity error, troubleshoot on the network hops along the way.

Moudar
Advisor
‎2024-05-08 05:07 AM
In response to emmap

When trying to ping the SMS NAT ip address 203.0.113.101 from the gateway i get this:

ping 203.0.113.101
PING 203.0.113.101 (203.0.113.101) 56(84) bytes of data.
From 203.0.113.3 icmp_seq=1 Destination Host Unreachable
From 203.0.113.3 icmp_seq=2 Destination Host Unreachable
From 203.0.113.3 icmp_seq=3 Destination Host Unreachable
From 203.0.113.3 icmp_seq=4 Destination Host Unreachable
From 203.0.113.3 icmp_seq=5 Destination Host Unreachable
From 203.0.113.3 icmp_seq=6 Destination Host Unreachable
From 203.0.113.3 icmp_seq=7 Destination Host Unreachable
From 203.0.113.3 icmp_seq=8 Destination Host Unreachable

is that a normal reaction? 

0 Kudos
the_rock
Legend
Legend
‎2024-05-08 05:14 AM
In response to Moudar

That would usually tell you there is no route to the destination. Do ip r g 203.0.113.101

Moudar
Advisor
‎2024-05-08 05:16 AM
In response to the_rock

10.1.1.101 is the SMS which is published out using static NAT and 203.0.113.101, as you can see above

the gateway has interface at the same subnet

0 Kudos
Moudar
Advisor
‎2024-05-08 05:19 AM
In response to the_rock

I don't really understand!

[Expert@B-GW:0]#  ip r g 203.0.113.101
203.0.113.101 via 203.0.114.254 dev eth1 src 203.0.114.100
0 Kudos
Moudar
Advisor
‎2024-05-08 06:28 AM
In response to Moudar

that looks right, but why still cannot ping?

0 Kudos
the_rock
Legend
Legend
‎2024-05-08 06:33 AM
In response to Moudar

Is it accessible by another service? Just ping fails?

0 Kudos
Moudar
Advisor
‎2024-05-08 06:54 AM
In response to the_rock

Maybe I see the problem!

If you look at the topology you can see SMS interafec eth1 connected directly to the cloud0 ( EVE-management ) That interface is there only so that I can run Smartconsole directly on my host, because I don't have enough resources to run a Windows machine on EVE.

When I ping 203.0.113.101 from B-GW I can see an "Accept log":

sms-interface.JPG

the log shows that the IP address of eth1 being NATed and not eth0 which have 10.1.1.101!

Why is that happening, and how to make the NAT rule apply on eth0 instead?

sms-ip.JPG

 

0 Kudos
the_rock
Legend
Legend
‎2024-05-08 07:18 AM
In response to Moudar

What do you have configured in anti spoofing group? As per below:

Andy

 

Screenshot_1.png

0 Kudos
Moudar
Advisor
‎2024-05-08 07:21 AM
In response to the_rock

anti6.JPG

0 Kudos
Moudar
Advisor
‎2024-05-08 05:14 AM
In response to Moudar

When I do a traceroute from SMS to B-GW I get this:

 traceroute 203.0.114.100
traceroute to 203.0.114.100 (203.0.114.100), 30 hops max, 40 byte packets
 1   (10.1.1.3)  23.251 ms  25.409 ms  32.807 ms
 2  * * *
 3  * * *

10.1.1.3 is the gateway interface connected to SMS

The the cluster is 10.1.1.1 should 10.1.1.1 answer or 10.1.1.3?

The cluster has other interface 203.0.113.1 which points to the router 203.0.113.254 

The router has other interface 203.0.114.254. 

But as you can see the trace does not get there

even if i run this trace:

traceroute 203.0.113.254
traceroute to 203.0.113.254 (203.0.113.254), 30 hops max, 40 byte packets
 1   (10.1.1.3)  15.777 ms  24.790 ms  25.378 ms
 2  * * *
 3  * * *

So SMS cannot reach the router, the gateway could. What should I check more?

The policy is any any any accept so no problem there!

0 Kudos
Amir_Senn
Employee
Employee
‎2024-05-08 08:12 AM
In response to Moudar

Hi,

Checkbox in the NAT tab adds the static NAT IP to a list of IPs in the inline rules that are allowed access (for example the management IP as appears in SC). If you installed policy without it you will lose connectivity unless you have explicit access control rule that allows it. If you got here - there's need to do fw unloadlocal on that GW and re-install policy (full, not accelerated path) to regain connectivity.

This will not 100% solve your issue. In some scenarios when using this configuration private IP GWs might use public IP or public IP GWs will try private IP. There's a way to force one or the other. Please follow this SK:

https://support.checkpoint.com/results/sk/sk171055

Kind regards, Amir Senn

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events