CPUG: The Check Point User Group

Thread: Site To Site Vpn

  1. #1
    Site To Site Vpn

    Hi Team,

    I have a Site to Site VPN between a Check Point R75.30 cluster & an ASG 525.

    Now suppose Public / Private IP of CheckPoint =>
    And Public / Private IP of ASG =>

    Check Point LAN IP Pool =>
    ASG LAN Pool =>

    Now I'm able to access the Web GUI from (no Hide NAT).
    But I'm not able to access the Web GUI from (NAT) => => no NAT rule is configured.

    Once I add https to the excluded services I'm able to access the Web GUI on from but not able to access on from.

    Is there any way I can access the local / live IP at the same time from behind the Check Point gateway?

  2. #2
    Re: Site To Site Vpn

    One thing to remember about Check Point VPN in Simplified Mode is that it adds the remote gateway's IP into the encryption domain.

    As such, as far as the Check Point is concerned, the is part of the encryption domain of the gateway. It will therefore attempt to encrypt traffic to as well as to the network.

    By excluding https from the VPN, the https to the is excluded from the VPN and so goes out over the network as regular https rather than being encrypted over the VPN. Of course it also stops you connecting via https to the network, as the https is excluded from the whole VPN tunnel, not for specific IPs.

    sk44014 in the Check Point knowledgebase explains exactly what to enter into crypt.def to exclude the external address of the VPN gateway from the encryption domain on R7x. This basically tells the Check Point gateways managed by the Management Server not to encrypt traffic destined for . Traffic forming the VPN tunnel, i.e. the IKE packets etc., is not considered for encryption in this case as it is the VPN tunnel itself.

    Depending upon your combination of gateway and management software, you simply need to make sure that you read the correct Management Server and gateway combination to find the correct location for the file. You will also need to remember to do this when you upgrade the Management Server and gateways to ensure that it continues to do this exclusion.
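The three situations described in this reply (peer address implicitly in the encryption domain, a community-wide https exclusion, and a crypt.def-style per-destination exclusion) as a small model, added here for illustration; it is not Check Point code or crypt.def syntax, and the addresses are constructed documentation ranges standing in for the ones stripped from the thread.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class SimplifiedVpnCommunity:
    """Constructed model of a Simplified Mode site-to-site community (not Check Point code)."""
    remote_networks: list                      # peer's declared encryption domain
    peer_gateway_ip: str                       # peer's external (public) address
    excluded_services: set = field(default_factory=set)        # community-wide exclusions
    non_vpn_traffic_rules: list = field(default_factory=list)  # (dst_net, service or None)

    def encryption_domain(self):
        # Simplified Mode adds the remote gateway's own address to the domain,
        # so traffic to the peer's external IP is also steered into the tunnel.
        return [ip_network(n) for n in self.remote_networks] + [ip_network(self.peer_gateway_ip)]

    def decision(self, dst, service):
        """Return 'vpn' if the packet is encrypted into the tunnel, 'clear' otherwise."""
        dst_ip = ip_address(dst)
        # An excluded service applies to the whole community, every destination.
        if service in self.excluded_services:
            return "clear"
        # Per-destination exclusions (what a NON_VPN_TRAFFIC_RULES entry expresses).
        for net, svc in self.non_vpn_traffic_rules:
            if dst_ip in ip_network(net) and (svc is None or svc == service):
                return "clear"
        if any(dst_ip in net for net in self.encryption_domain()):
            return "vpn"
        return "clear"


# Constructed sample values standing in for the addresses stripped from the thread.
PEER_IP = "203.0.113.2"
PEER_LAN = "192.168.20.0/24"
PEER_LAN_HOST = "192.168.20.10"


def scenarios():
    """Each configuration yields (https to peer gateway, https to a host on the peer LAN)."""
    default = SimplifiedVpnCommunity([PEER_LAN], PEER_IP)
    service_excluded = SimplifiedVpnCommunity([PEER_LAN], PEER_IP, excluded_services={"https"})
    crypt_def = SimplifiedVpnCommunity([PEER_LAN], PEER_IP, non_vpn_traffic_rules=[(PEER_IP, None)])
    return {name: (c.decision(PEER_IP, "https"), c.decision(PEER_LAN_HOST, "https"))
            for name, c in [("default", default), ("service_excluded", service_excluded),
                            ("crypt_def", crypt_def)]}


if __name__ == "__main__":
    for name, (to_peer, to_lan) in scenarios().items():
        print(f"{name:17s} https->peer gateway: {to_peer:5s} https->peer LAN: {to_lan}")
```

Only the per-destination exclusion keeps the peer's management interface reachable in the clear while https to the remote LAN still goes through the tunnel.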

  3. #3
    Re: Site To Site Vpn

    Hi Sir,

    Thanks for the response, it's working fine.

    Now my other issue is that I have a live IP pool and my is static NATed to & is static NATed to

    I'm facing the same issue, that I am unable to access or 225 from behind the Check Point.

    So can I do the below changes, like define the whole subnet?

    #define NON_VPN_TRAFFIC_RULES (dst=

    Thanks once again
    Last edited by yualme; 2013-08-06 at 05:13.
