CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Configure different public IP for Remote Access (S2S already present)

  1. #1
    Join Date
    2015-05-26
    Posts
    34
    Rep Power
    0

    Default Configure different public IP for Remote Access (S2S already present)

    Hi all,

    I need to configure a different public IP for the Remote Access VPN, since we already have a site-to-site VPN configured but reserved for specific networks.
    Before this I could connect with the remote access client, but now I guess the firewall recognizes our public IP as part of the S2S, so it doesn't allow the connection.
    What are the steps? How should I configure the manual NAT for this IP?
    At the customer's site they have a cluster, and I can't use the cluster object as the destination for a NAT.

    Thanks

  2. #2
    Join Date
    2015-05-26
    Posts
    34
    Rep Power
    0

    Default Re: Configure different public IP for Remote Access (S2S already present)

    Ok, I'll try to change the question:

    - Is it possible to use a NATed public IP, not defined as an external interface, as the target for a remote access VPN?

  3. #3
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,610
    Rep Power
    8

    Default Re: Configure different public IP for Remote Access (S2S already present)

    Quote Originally Posted by Petaloudes
    Ok, I'll try to change the question:

    - Is it possible to use a NATed public IP, not defined as an external interface, as the target for a remote access VPN?
    I haven't tried that before. I think you would have to do a bit of hacking, but maybe creating a loopback interface with said IP on it would work. I think you would need to have a different NAT on each firewall so you could put the loopbacks on one line in topology, which I think you're going to need. No idea if that will work.

    That being said, can you back up and explain why you can't do IPsec and remote access to the external IP? Maybe there is something I'm missing?

  4. #4
    Join Date
    2015-05-26
    Posts
    34
    Rep Power
    0

    Default Re: Configure different public IP for Remote Access (S2S already present)

    Thank you for your reply, I'll try to explain better what happened:

    Original situation:
    I configured a regular Remote Access VPN to allow VPN connections from everywhere, with the mobile client.
    Users within the local VPN group (local users on Check Point) could access the customer network (let's say 192.168.1.0/24).
    All working fine.

    New situation:
    We needed to configure a S2S VPN between our office and the customer, but restricted to specific networks (let's say 172.16.1.0/24 <> 172.16.5.0/24).
    This is working fine.
    But when we have to connect to the customer network (192.168.1.0/24) from within our office, using the VPN client, we receive an error.
    I suppose this is caused by the fact that we are connecting from the same public IP used by the S2S.

    Maybe there is another way to solve this problem, but I was thinking of using a different public IP (on customer side) dedicated for the Remote Access.
    I've already tried to limit the Remote Access destination network to 192.168.1.0/24, but it's not working.

    The customer has a clusterXL, we have a single gateway.

  5. #5
    Join Date
    2007-06-04
    Posts
    3,267
    Rep Power
    16

    Default Re: Configure different public IP for Remote Access (S2S already present)

    If I understand correctly, what is happening is that you were able to Remote Access into YOUR gateway from the Customer's location.

    You have now configured a Site to Site VPN with the Customer from the Gateway that you terminate the Remote Access on.

    Since then you cannot Remote Access in.

    This would be correct behaviour.

    Instead of trying to change the Termination IP, what I would suggest is:

    1.) Have the Customer's Gateway NAT traffic destined for the Remote Access IP behind a different IP address. At the moment I would believe that they are NATing behind the Cluster IP, hence why it would be expected to be the Site to Site VPN.
    2.) Have the Customer's Gateway exclude traffic destined for YOUR Gateway/Cluster IP from the VPN.

    What should happen then is:

    1.) Traffic from the Customer's Networks should hit the Customer's Gateway.
    2.) Traffic is NATed behind a different IP address and sent over to your Gateway.
    3.) Your Gateway does not see the traffic as part of the Site to Site VPN, so allows the Remote Access to work.

    Whilst this isn't something that Check Point TAC supports (i.e. Remote Access from a location that you have a Site to Site VPN with is not supported), it does seem to work.

  6. #6
    Join Date
    2015-05-26
    Posts
    34
    Rep Power
    0

    Default Re: Configure different public IP for Remote Access (S2S already present)

    In truth the Remote Access is configured on the customer's gateway (aka the cluster), and we were able to connect to their network from everywhere (including from our office).

    Afterwards, we configured the S2S between the customer site and our office, but for new reserved networks of another service.
    We still need to give them remote assistance, connecting to their client LAN, as we did before.

    - If we connect from outside our office, everything works.
    - If we try to connect from within our office, the VPN client doesn't work.

    The S2S is configured using the gateway/cluster public IP (external interface), and the rule allows traffic across specific networks from both sides.
    We aren't connecting from one of these networks; we can't even access them from our LAN.

    I've already tried to configure a new manual NAT (customer side) on a different public IP, but since they have a cluster I can't use the cluster object as the destination.

  7. #7
    Join Date
    2007-06-04
    Posts
    3,267
    Rep Power
    16

    Default Re: Configure different public IP for Remote Access (S2S already present)

    Even easier then, as the work is done at your end rather than the far end.

    1.) Configure the NAT (define a node object with the Cluster IP and accept the warning message) so that when connecting to the Cluster IP from your network it is hidden behind a different IP.
    2.) Use the crypt.def file to exclude traffic to the Cluster IP from being encrypted - sk25675.

    That way your Gateway won't attempt to encrypt the traffic, and the Remote Access sees it from an IP that is not part of the Site to Site.
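
The two-part fix above (posts #5 and #7) rests on one mechanism: the customer's cluster decides whether an incoming IKE negotiation belongs to the Site to Site VPN by looking at the source address it arrives from, so a Remote Access client hidden behind the S2S peer's public IP is classified as the S2S peer. The model below is an added example written for this page; it is not Check Point code and not anything the posters supplied. It simulates an office gateway (VPN community match, manual hide NAT, a crypt.def-style exclusion of the cluster IP) and the cluster's classification of IKE traffic, then runs the thread's scenario before and after the fix. All addresses, the office LAN 10.10.0.0/24 and the spare public IP 198.51.100.8 are constructed; the real crypt.def syntax is in sk25675 and is not reproduced here. The peer's own address is modelled as part of its encryption domain, which is the case the crypt.def exclusion in post #7 exists for.

```python
"""Model of why Remote Access from behind an S2S peer fails, and of the two-part fix.

Constructed example, not Check Point code. It models (a) the office gateway's
encrypt-or-not decision with a crypt.def-style exclusion and a manual hide NAT, and
(b) the customer cluster classifying IKE by source address. Addresses are made up.
"""
import ipaddress
from dataclasses import dataclass, field

IKE_PORTS = {500, 4500}  # IKE and NAT-T: the ports a Remote Access client opens first


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class HideNat:
    """Manual hide NAT: traffic from src_net to dst_host leaves with source hide_ip."""
    src_net: str
    dst_host: str
    hide_ip: str


@dataclass
class OfficeGateway:
    public_ip: str                  # the address the S2S community is built on
    s2s_local_domain: str           # our encryption domain
    s2s_peer_domains: list          # the peer's domain, including the peer's own IP
    nat_rules: list = field(default_factory=list)
    crypt_def_excluded_dsts: set = field(default_factory=set)  # modelled sk25675 exclusion

    def forward(self, pkt: Packet):
        """Return (packet as it leaves the gateway, 'encrypted' or 'clear')."""
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        # Community match: source in our domain and destination in the peer's.
        # A crypt.def exclusion on the destination overrides the match.
        tunnel = (src in ipaddress.ip_network(self.s2s_local_domain)
                  and any(dst in ipaddress.ip_network(n) for n in self.s2s_peer_domains)
                  and pkt.dst not in self.crypt_def_excluded_dsts)
        if tunnel:
            return pkt, "encrypted"  # the tunnel carries the original addresses
        # First matching manual NAT rule wins; otherwise hide behind the external IP.
        for rule in self.nat_rules:
            if src in ipaddress.ip_network(rule.src_net) and pkt.dst == rule.dst_host:
                return Packet(rule.hide_ip, pkt.dst, pkt.dport), "clear"
        return Packet(self.public_ip, pkt.dst, pkt.dport), "clear"


@dataclass
class CustomerCluster:
    cluster_ip: str
    s2s_peer_ips: set   # public IPs of configured Site to Site peers

    def classify_ike(self, pkt: Packet) -> str:
        """The cluster decides by source address which VPN an IKE packet belongs to."""
        if pkt.dst != self.cluster_ip or pkt.dport not in IKE_PORTS:
            return "not-ike"
        if pkt.src in self.s2s_peer_ips:
            return "site-to-site"   # a Remote Access client behind this IP is refused
        return "remote-access"


def remote_access_outcome(gw: OfficeGateway, cluster: CustomerCluster, client_ip: str) -> str:
    """Simulate a Remote Access client at client_ip starting IKE towards the cluster."""
    out, mode = gw.forward(Packet(client_ip, cluster.cluster_ip, 500))
    if mode == "encrypted":
        return "swallowed-by-s2s-tunnel"   # post #7's reason for the crypt.def exclusion
    return cluster.classify_ike(out)


def build_scenario(fixed: bool, second_public_ip: str = "198.51.100.8"):
    """Thread topology with constructed addresses; fixed=True applies post #7's two steps."""
    gw = OfficeGateway(public_ip="198.51.100.7",
                       s2s_local_domain="172.16.1.0/24",
                       s2s_peer_domains=["172.16.5.0/24", "203.0.113.5/32"])
    cluster = CustomerCluster(cluster_ip="203.0.113.5", s2s_peer_ips={"198.51.100.7"})
    if fixed:
        # Step 1: hide office sources behind a second public IP when talking to the cluster IP.
        gw.nat_rules.append(HideNat("10.10.0.0/24", cluster.cluster_ip, second_public_ip))
        gw.nat_rules.append(HideNat("172.16.1.0/24", cluster.cluster_ip, second_public_ip))
        # Step 2: never encrypt traffic to the cluster IP itself.
        gw.crypt_def_excluded_dsts.add(cluster.cluster_ip)
    return gw, cluster


if __name__ == "__main__":
    for fixed in (False, True):
        gw, cluster = build_scenario(fixed)
        label = "fixed" if fixed else "original"
        print(label, "helpdesk PC:", remote_access_outcome(gw, cluster, "10.10.0.25"))
        print(label, "PC inside S2S domain:", remote_access_outcome(gw, cluster, "172.16.1.20"))
        print(label, "S2S traffic:", gw.forward(Packet("172.16.1.10", "172.16.5.10", 443))[1])
```

Running it with `second_public_ip="198.51.100.7"` (the single PPPoE address) reproduces post #9's problem: the hide NAT lands on the same IP the cluster already knows as the S2S peer, so the client is classified as site-to-site again and the NAT has to move to the customer side.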

  8. #8
    Join Date
    2015-05-26
    Posts
    34
    Rep Power
    0

    Default Re: Configure different public IP for Remote Access (S2S already present)

    Thank you, I'll give it a try and report back.

  9. #9
    Join Date
    2015-05-26
    Posts
    34
    Rep Power
    0

    Default Re: Configure different public IP for Remote Access (S2S already present)

    Ok, I was trying it, but another problem came up...
    Our office gateway is configured with PPPoE, and we can go out with one single public IP only...
    So I can't hide my LAN behind a different IP; something must be done on the customer side in order to use another public IP for the Remote Access community.

    How can I create, if possible, another dummy gateway to be used for Remote Access with a different IP?

    Basically I want to configure two different public IPs for two different IPsec Communities.
