| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| I'm having a problem remotely managing my firewalls externally via a VPN. All works fine when onsite; when coming in via VPN I get the 'cannot connect, make sure you are a GUI client.' error.
- I have a fixed IP when I VPN in; this is a GUI client.
- I can telnet to the firewall manager on port 18190 when connected via VPN, but still it refuses.
- Tracker shows my VPN fixed IP allowed access on port 18190.
Any ideas? Any logs I can look at on the fwm when in expert mode? Thanks. FE |
| |||
| Guess 1 would be NAT - make sure your IP address isn't being NATted. Guess 2 would be implied rules (you are logging implied rules, right?). Check in your logs to see if your port 18190 traffic is being blocked because it's being sent in clear and the other side is expecting encrypted (or vice versa). The solution I've always used for this is setting up an SSH session to the SmartCenter and using SSH port forwarding. Works like a charm! |
| |||
| Quote:
Good ideas! The VPN is held on externally to the Check Point ones, so it's coming in clear after decryption. It's not NATing; I can see 18190 traffic going through. Tunnelling over SSH, that's a cool idea. I'll have to try that. |
| |||
| Also remember that officially Check Point do not support SmartCenter access over a SecureClient VPN. Either ensure that the SmartCenter is NATted to a public address and connect to that from a specific host, or make a connection as suggested already. |
| |||
| OK, thanks for the info. |