This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Carlos
Participant
‎2022-03-15 04:43 PM
Jump to solution

VPN Established but incoming traffic is rejected

Hi team,

I have a VPN set up between a CHECKPOINT R80.40 and a CISCO ASA Version 9.16(1)

and I can't have traffic to go from one side to the other successfully as I see traffic being blocked at checkpoints side.

The tunnel is up...
This is what I get on the logs

This is from checkpoint to ASA

Checkpoint to ASA.png

This is from the ASA to the checkpoint

ASA to CheckPoint.png

 

 

 

 

 

 

0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend
Legend
‎2022-03-18 08:51 AM
In response to Carlos
Jump to solution

Yes, thats where you would do it. So, just to be sure, what I would do is this...set spoofing to detect on internal interface and also add external IP of the Cisco into option on external interface "dont check packets from", push policy and test.

You can also refer to below links for the reference:

https://community.checkpoint.com/t5/Cloud-Network-Security/Local-interface-address-spoofing/td-p/150...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Andy

View solution in original post

0 Kudos
12 Replies
PhoneBoy
Admin
Admin
‎2022-03-15 09:13 PM
Jump to solution

Looks like the remote end isn't encrypting traffic to us.
I'd check the configuration on the ASA side.

0 Kudos
Carlos
Participant
‎2022-03-17 05:32 AM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy,

That cannot be the case since I see that the ASA is encrypting traffic but I can't see encrypted replies from the checkpoint.

Please check the attached image which is a print screen on the ASA.
I'm have access to both devices by the way.

 

 

Preview file
37 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2022-03-17 06:03 AM
In response to Carlos
Jump to solution

There’s not enough information being shown in the log screenshots you’ve provided.
Please show a full log card for one of the drops.
Also, we’ll need to see what the precise rulebase in question is.

0 Kudos
Carlos
Participant
‎2022-03-17 07:53 AM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy,

As you can see on the images the first one is the rule allowing bidirectioanl traffic.  The second one is traffic from checkpoint side to ASA. And the third one traffic from ASA to CheckPoint.
I don't know what you mean by: precise rulebase in question is.

Regras.PNGAs you can FROM checkpoint to ASA.PNGASA TO CHECKPOINT.PNG

 

0 Kudos
RS_Daniel
Advisor
‎2022-03-17 10:45 AM
In response to Carlos
Jump to solution

Hello,

Double click on one of the drop logs (ASA to CheckPoint), go to matching rules tab and check which rule is being applied. According to the screenshots i only can imagine network 192.168.52.0/X is not properly configured on your AUPEC_NET_52 or MINFIN_AUPEC_NET object, the one that is supposed to be the remote encryption domain. Also check drop reason on the log card.

Regards

0 Kudos
Carlos
Participant
‎2022-03-17 12:14 PM
In response to RS_Daniel
Jump to solution

Hi RS_Daniel,

Please see the image below.

It does not say which rule dropped it.

 

DROP.PNG

 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-03-17 12:32 PM
In response to Carlos
Jump to solution

Spoofing drop, probably caused by defining the entire 192.168.0.0/12 supernet on the topology of your internal interface which is a common mistake.  Exclude 192.168.52.0/24 from the topology of your external interface (bond0.10) on the firewall/cluster object and it should start working.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Carlos
Participant
‎2022-03-17 03:32 PM
In response to Timothy_Hall
Jump to solution

Hi Timothy,

Is the exclusion done as in the image below? If so, I have done it and it still not working. Sorry for my ignorance as I'm new to checkpoint and this is my first time setting up a VPN tunnel on checkpoint gateway.

Topology.png

 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-03-18 08:37 AM
In response to Carlos
Jump to solution

Appears to be a routing problem as you have "Calculate topology automatically based on routing" set.  Uncheck that and properly define External/Internal & the correct topology manually on all your interfaces.  This is probably your issue.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
the_rock
Legend
Legend
‎2022-03-18 08:51 AM
In response to Carlos
Jump to solution

Yes, thats where you would do it. So, just to be sure, what I would do is this...set spoofing to detect on internal interface and also add external IP of the Cisco into option on external interface "dont check packets from", push policy and test.

You can also refer to below links for the reference:

https://community.checkpoint.com/t5/Cloud-Network-Security/Local-interface-address-spoofing/td-p/150...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Andy

0 Kudos
Carlos
Participant
‎2022-03-19 11:05 AM
In response to the_rock
Jump to solution

Thanks every one it's working now. The issue was the anti-spoofing. 

the_rock
Legend
Legend
‎2022-03-20 05:54 AM
In response to Carlos
Jump to solution

Glad we could help!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events