Remote Access Link Selection - Statically NATed IP
Hi,
Need a suggestion on the below.
The customer has bought a range of IP addresses from the ISP and wants to use one of the IP addresses for Check Point remote access VPN.
I believe we can use that IP address as the Statically NATed IP in Link Selection (attached image).
Can anybody suggest what configuration is required from a policy perspective?
Regards
Karan
Beyond this configuration in Link Selection, you should not need to do anything unusual to accept the traffic.
It will be allowed by implied rules.
Thanks for the reply,
I thought so as well, but it does not connect and goes through the cleanup rule.
I have to create an access policy rule to allow VPN for that IP, don't I?
Not necessarily that IP, but the object itself. So, you can make a bi-directional rule for the subnets involved (local and remote) and then, under the VPN column, just select that community, the services you need, and accept. If traffic fails on the cleanup rule, there is no doubt that a rule does not exist in the policy to allow it. The exception could be if you have layers; then it could be catching a parent layer rule and then being dropped on the explicit layer cleanup rule, rather than the implicit one, which would always be the last rule in the rulebase.
As phoneboy said, config is fine, but as far as policy, just make sure that VPN traffic is allowed as usual, but other than that, you should be good to go.