This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
00071491
Contributor
‎2022-04-04 08:36 AM

Design and Concept: Acting as a Proxy Organization in VPN Tunnel

Hi All,

Running R80.40 and have a question regarding IP routing through a site-to-site VPN.  My Org has a private fiber connection to Company A, with one hop in between.  Company B and my org are standing up a new site-to-site VPN.  Company B needs access to data in Company A, using My Org as a connecting point.  CompA will not allow CompB to directly connect to them via VPN and CompA requires CompB to jump through My Org first.  This is atypical for us and unfamiliar with how this may work.

Question:  How can the VPN between My Org and CompB be set up to allow CompB access to the subnets at CompA?  My confusion is on my side of the VPN Domain and routing pass through.

Any ideas or suggestions would be appreciated.

Rory

Labels
0 Kudos
4 Replies
Ruan_Kotze
Advisor
‎2022-04-04 11:57 AM

On your side you can do a Star community, with yourself as center and CompA and B as satellites.  Make sure to select the option route through center and to create the policies to allow traffic.

Assuming CompB is a Check Point not managed by your SMS, on that SMS you will have the encryption domain for the My Org firewall to include CompA.

0 Kudos
00071491
Contributor
‎2022-04-04 12:23 PM
In response to Ruan_Kotze

Thanks for the reply.  CompA and MyOrg are not connected via Site to Site VPN....just a secured fiber link between us.  I should have clarified better in the initial posting.  Unsure if the Star community as you described will still work in that case?  Could I still include the CompA subnets in my local encryption domain even though I don't provide those subnets?

I may be overthinking this design, but it's throwing me for a loop.

0 Kudos
Ruan_Kotze
Advisor
‎2022-04-04 01:01 PM
In response to 00071491

Not necessary to change the community to Star, but I'm sure you will need to have CompA subnets in your encryption domain.  If not, your gateway will drop encrypted packets destined to CompA coming through the CompB tunnel (you'll get a log entry saying encrypted packet should be clear text).

You will need to double-check that your firewall routing is correct, also the CompA network will need to route return traffic via your gateway. Anti-Spoofing on the internal CP interface might also drop return traffic, so keep an eye on that.

 

0 Kudos
00071491
Contributor
‎2022-04-05 06:28 AM
In response to Ruan_Kotze

I'll give that a try, thank you for the suggestions.  I report back our findings once we've had a chance to work with the other parties involved.

0 Kudos