Hi All,
Running R80.40 and have a question regarding IP routing through a site-to-site VPN. My Org has a private fiber connection to Company A, with one hop in between. Company B and my org are standing up a new site-to-site VPN. Company B needs access to data in Company A, using My Org as a connecting point. CompA will not allow CompB to directly connect to them via VPN, and CompA requires CompB to jump through My Org first. This is atypical for us, and I'm unfamiliar with how this may work.
Question: How can the VPN between My Org and CompB be set up to allow CompB access to the subnets at CompA? My confusion is on my side of the VPN domain and routing pass-through.
Any ideas or suggestions would be appreciated.
Rory
On your side you can do a Star community, with yourself as center and CompA and B as satellites. Make sure to select the option route through center and to create the policies to allow traffic.
Assuming CompB is a Check Point not managed by your SMS, on that SMS you will have the encryption domain for the My Org firewall to include CompA.
Thanks for the reply. CompA and MyOrg are not connected via site-to-site VPN, just a secured fiber link between us. I should have clarified better in the initial posting. Unsure if the Star community as you described will still work in that case? Could I still include the CompA subnets in my local encryption domain even though I don't provide those subnets?
I may be overthinking this design, but it's throwing me for a loop.
Not necessary to change the community to Star, but I'm sure you will need to have CompA subnets in your encryption domain. If not, your gateway will drop encrypted packets destined to CompA coming through the CompB tunnel (you'll get a log entry saying encrypted packet should be clear text).
You will need to double-check that your firewall routing is correct, also the CompA network will need to route return traffic via your gateway. Anti-Spoofing on the internal CP interface might also drop return traffic, so keep an eye on that.
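To make the two drop cases in the reply above concrete, here is an added example (not from the thread or from Check Point) that models, in simplified form, the checks on both legs of a CompB -> CompA flow: the VPN-domain check on a packet decrypted from the CompB tunnel, and the anti-spoofing plus tunnel-match check on CompA's return traffic. All addresses and interface names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not from the thread): My Org's own LAN, the
# CompA subnets reached over the fiber link, and CompB's encryption domain.
MYORG_LAN = [ip_network("10.10.0.0/16")]
COMPA_NETS = [ip_network("172.16.0.0/16")]
COMPB_DOMAIN = [ip_network("192.168.50.0/24")]

def in_any(addr, nets):
    return any(addr in n for n in nets)

def inbound_from_compb(src, dst, myorg_domain):
    """Simplified model of the gateway's check on a packet decrypted from the
    CompB tunnel: the destination must lie inside My Org's VPN domain, which is
    why CompA's subnets must be added to it even though My Org does not own them."""
    src, dst = ip_address(src), ip_address(dst)
    if not in_any(src, COMPB_DOMAIN):
        return "drop: source outside CompB encryption domain"
    if not in_any(dst, myorg_domain):
        return "drop: encrypted packet should be clear text"
    return "accept"

def return_from_compa(src, dst, ingress_if, topology, myorg_domain):
    """Simplified model of the return leg: a CompA reply enters on the fiber
    interface, must pass anti-spoofing for that interface, and is encrypted to
    CompB only if it matches the My Org -> CompB domain pair."""
    src, dst = ip_address(src), ip_address(dst)
    if not in_any(src, topology.get(ingress_if, [])):
        return "drop: anti-spoofing on " + ingress_if
    if in_any(src, myorg_domain) and in_any(dst, COMPB_DOMAIN):
        return "encrypt to CompB"
    return "clear text: no matching VPN domain pair"

def check_design(myorg_domain, topology):
    """Evaluate both legs of one CompB -> CompA flow for a given configuration."""
    return (inbound_from_compb("192.168.50.10", "172.16.5.5", myorg_domain),
            return_from_compa("172.16.5.5", "192.168.50.10", "eth2_fiber",
                              topology, myorg_domain))

if __name__ == "__main__":
    # Before: CompA is missing from the VPN domain and from the fiber interface topology.
    print(check_design(MYORG_LAN, {"eth1_lan": MYORG_LAN, "eth2_fiber": []}))
    # After: CompA subnets added to both.
    print(check_design(MYORG_LAN + COMPA_NETS,
                       {"eth1_lan": MYORG_LAN, "eth2_fiber": COMPA_NETS}))
```

Run it to see the "before" configuration fail on both legs and the "after" configuration pass; extend the topology dict with your real interfaces to pre-check a design before touching the gateway.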
I'll give that a try, thank you for the suggestions. I'll report back our findings once we've had a chance to work with the other parties involved.