Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
skandshus
Advisor
Advisor

Strange issue with routing/nat on site-2-site

Hi everyone.. 

I am hosting a service for a customer on a public accessible IP address…  i have then set up a site-2-site vpn for backup purposes because the customer also has a local server that needs backup.

 

the setup is.

local customer subnet192.168.80.0/24 & 192.168.50.0/24 (with client that needs to access navision service at my public ip.

 

the customer is accessing an RDP service using dns name navision.it-connect.nu

it resolves to my external ip 194.182.21.148

on the customer site I have a 1570 appliance

and In my hosting center I’m running checkpoint open server.

the local subnet for the navision server is 10.10.114.2

I have both firewall and nat rule in place allowing remote access.. everything is fine..

 

But I need to establish a site to site vpn from MY local subnet at the hosting center at 10.10.150.0/24 because I need to take a backup of a server at the customer local site.. that server is located at 192.168.80.0/24

 

i can establish the site to site tunnel fine and everything is working. But when I do that, then it is no longer possible for the customer at their local subnet 192.168.0.0/24 & 192.168.50.0/24 to access the navision server any longer, even though both the navision subnet AND the customers local subnet has not been defined in the encryption domain(which is on purpose)..


can anybody shed some light on what is happening ? I have another customer where this is not an issue… I even tried to do a copy/paste of the vpn community setup to rule out error, but it still blocks the remote access.. 

 

 

so I’m short.. vpn tunnel connects successfully allowing my backup server to reach customer subnet and do the backup but it breaks the customers access to the navision server when they try to reach it using the dns name/wan up address..

0 Kudos
6 Replies
G_W_Albrecht
Legend
Legend

Is your external ip 194.182.21.148 included in the encryption domain ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
skandshus
Advisor
Advisor

No the external Ip is not included… on purpose though.. wouldn’t that cause issues?

0 Kudos
G_W_Albrecht
Legend
Legend

As the clients try to connect to that IP, it would cause issues, so i have asked 😎 Are the clients NATed behind the GW IP ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
skandshus
Advisor
Advisor

Both subnet on each side is behind hide nat on the gateway… 

 

from my perspective I would expect the subnets to only be routed, if a host would try to access navision.it-connect:8787

i would expect them to hit the wan interface and NOT for some reason go through the tunnel.. even though the IP address /gateway is also used as the peer gateway.. and I have no idea how to “explain” it regarding a TAC and making sure they understood 100% what the problem is..

 

 

0 Kudos
G_W_Albrecht
Legend
Legend

Try to exclude only Microsoft Remote Desktop on TCP port 3389 from your VPN Community.

CCSE CCTE CCSM SMB Specialist
0 Kudos
skandshus
Advisor
Advisor

i didnt even know it possible to "exclude" that.. how would you go around doing that?

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events