CPUG: The Check Point User Group

Thread: Original IP address does not come through in a VPN tunnel

  1. #1
    Join Date
    2017-02-06
    Posts
    7
    Rep Power
    0

    Original IP address does not come through in a VPN tunnel

    We have Version 80.10 with all patches. We have ~100 small devices in remote locations, a blend of UTM-1, CP1100, and 1430 devices. I just found that when a user at a remote location goes to something else on our network, I am getting the IP address of our primary firewall instead of the employee's IP address. Is this normal? It is interfering with the way our proxy server works. It has been occurring for some time now, and getting progressively worse, most likely because I do not think the old devices are having the issue, and as we replace them the newer devices do, making the situation worsen. So our set up would be...

    employee >> CP1100 >> tunnel >> primary gateway >> something on our network
    1.1.2.5 1.1.2.1 172.1.1.2 172.1.1.2

    A debug shows the right address coming back to the gateway. Is this normal? I am trying to figure out how I could follow the traffic if an employee became disgruntled and did something to a site... all I would know is they are from one of 100 remote locations if I can't get their original IP.

    The something on our network I am looking at right now is our proxy server, which shows multiple users with the gateway address, and IIS logs with c-ip and X-Forwarded-For on, with the primary gateway coming through as c-ip and nothing as X-Forwarded-For.

    Any thoughts are appreciated.

    terri
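The symptom described in this post (IIS records whose c-ip is the gateway and whose X-Forwarded-For is empty) can be measured rather than eyeballed. The following script is an added example, not code from the thread or from Check Point or Microsoft: it parses a W3C extended log, treats the first X-Forwarded-For hop as the client when present and c-ip otherwise, and flags every record whose only client address is the gateway itself. The log lines are constructed; the gateway address 172.1.1.2 is taken from the poster's diagram, and the column name cs(X-Forwarded-For) is an assumption about how the custom field was configured.

```python
"""Flag IIS log records that have lost the real client address behind a
hide-NAT gateway.  Added example, not code from the thread: the log text
below is constructed, and the gateway address comes from the poster's
diagram."""
from collections import Counter

# Constructed W3C extended log, including the #Fields directive IIS writes.
# The cs(X-Forwarded-For) column name is an assumption about the site's
# custom logging field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem c-ip cs(X-Forwarded-For) sc-status
2018-03-02 14:01:07 10.0.0.10 GET /portal/ 172.1.1.2 - 200
2018-03-02 14:01:09 10.0.0.10 GET /portal/login 172.1.1.2 - 200
2018-03-02 14:01:12 10.0.0.10 GET /portal/ 10.0.5.20 - 200
2018-03-02 14:01:15 10.0.0.10 GET /portal/ 10.0.0.7 1.1.2.5 200
"""

GATEWAY_IPS = {"172.1.1.2"}  # primary gateway address from the diagram


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed record: skip rather than misattribute it
        yield dict(zip(fields, values))


def effective_client(rec):
    """Return the best available client address for a record.

    IIS writes '-' for an empty field.  When an X-Forwarded-For value is
    present its first hop is the original client; otherwise c-ip is all
    we have."""
    xff = rec.get("cs(X-Forwarded-For)", "-")
    if xff != "-":
        return xff.split(",")[0].strip()
    return rec["c-ip"]


def find_unattributed(text, gateway_ips=GATEWAY_IPS):
    """Return records whose only client address is a gateway's own IP."""
    return [rec for rec in parse_w3c(text)
            if effective_client(rec) in gateway_ips]


def summarize(text):
    """Count records per effective client so the gateway's share stands out."""
    return Counter(effective_client(r) for r in parse_w3c(text))


if __name__ == "__main__":
    lost = find_unattributed(SAMPLE_LOG)
    total = sum(summarize(SAMPLE_LOG).values())
    print(f"{len(lost)} of {total} records carry no usable client address")
    for rec in lost:
        print(rec["date"], rec["time"], rec["cs-uri-stem"],
              "seen as", rec["c-ip"])
```

Run against a real log, a high count from `find_unattributed` confirms that attribution is being lost before the request reaches IIS, which points at translation on the path (as the later replies conclude) rather than at the web server's logging configuration.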

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,206
    Rep Power
    13

    Re: Original IP address does not come through in a VPN tunnel

    Quote Originally Posted by terri8369
    We have Version 80.10 with all patches. We have ~100 small devices in remote locations, a blend of UTM-1, CP1100, and 1430 devices. I just found that when a user at a remote location goes to something else on our network, I am getting the IP address of our primary firewall instead of the employee's IP address. Is this normal? It is interfering with the way our proxy server works. It has been occurring for some time now, and getting progressively worse, most likely because I do not think the old devices are having the issue, and as we replace them the newer devices do, making the situation worsen. So our set up would be...

    employee >> CP1100 >> tunnel >> primary gateway >> something on our network
    1.1.2.5 1.1.2.1 172.1.1.2 172.1.1.2

    A debug shows the right address coming back to the gateway. Is this normal? I am trying to figure out how I could follow the traffic if an employee became disgruntled and did something to a site... all I would know is they are from one of 100 remote locations if I can't get their original IP.

    The something on our network I am looking at right now is our proxy server, which shows multiple users with the gateway address, and IIS logs with c-ip and X-Forwarded-For on, with the primary gateway coming through as c-ip and nothing as X-Forwarded-For.

    Any thoughts are appreciated.

    terri
    Did you check the "Disable NAT in VPN Community" checkbox on the VPN Community properties?
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3
    Join Date
    2017-02-06
    Posts
    7
    Rep Power
    0

    Re: Original IP address does not come through in a VPN tunnel

    Quote Originally Posted by ShadowPeak.com
    Did you check the "Disable NAT in VPN Community" checkbox on the VPN Community properties?
    Thank you for responding, yes, we have that checked for both center and satellite gateways.

  4. #4
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,484
    Rep Power
    15

    Re: Original IP address does not come through in a VPN tunnel

    Sounds like the NAT is happening on the primary gateway, *after* the packet has come out of the VPN tunnel from the remote site?

    So it might be worth going through all your NAT rules on the primary gateway, and checking for things like auto-hide NAT config for all internal networks.

  5. #5
    Join Date
    2017-02-06
    Posts
    7
    Rep Power
    0

    Re: Original IP address does not come through in a VPN tunnel

    Quote Originally Posted by northlandboy
    Sounds like the NAT is happening on the primary gateway, *after* the packet has come out of the VPN tunnel from the remote site?

    So it might be worth going through all your NAT rules on the primary gateway, and checking for things like auto-hide NAT config for all internal networks.
    THANK YOU SO MUCH!!! That was it, I reviewed all the NAT rules and there was one in there with all the vlans in it with an obscure kind of name that was making sure they kept their original IP. I cannot thank you enough, you are wonderful. Have a great weekend!

  6. #6
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,484
    Rep Power
    15

    Re: Original IP address does not come through in a VPN tunnel

    Great to hear that you found it.

    I've had similar experiences in the past, especially with deeply nested groups that someone slips an overly large subnet into... takes a little while to figure out what's going on.
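The advice in posts #4 and #6, walking the NAT rule base top-down and looking for an overly large subnet buried in a nested group, is easy to do by hand on a small policy and hard on a large one. The script below is an added example, not Check Point code and not the poster's rule base: it flattens nested network groups to their member subnets, reports which hide-NAT rule is the first to match a branch-to-datacentre flow, and shows the exact group path through which the match happened, so a rule named obscurely still reveals the member that caused it. Everything here is constructed (object names, groups, rules) except the branch network 1.1.2.0/24 and the gateway address 172.1.1.2 from the thread's diagram; it models manual rules only, not the automatic NAT rules the gateway derives from object properties.

```python
"""Locate the hide-NAT rule that translates a VPN site's traffic, walking
nested network groups the way the gateway's top-down rule match does.
Added example, not Check Point code: all objects and rules are constructed;
only 1.1.2.0/24 and 172.1.1.2 come from the thread's diagram."""
import ipaddress

# Constructed object database.  Group members may themselves be groups.
OBJECTS = {
    "Net_VLAN10": ["10.10.0.0/24"],
    "Net_VLAN20": ["10.20.0.0/24"],
    "Net_Legacy_Any": ["0.0.0.0/1"],        # the "overly large subnet"
    "Grp_Legacy": ["Net_Legacy_Any"],
    "Grp_Internal_VLANs": ["Net_VLAN10", "Net_VLAN20", "Grp_Legacy"],
    "Net_Branch_1100": ["1.1.2.0/24"],
}

# Constructed NAT rule base, evaluated top-down; first match wins.
# (rule name, source object, destination object, translated source;
#  None means "keep the original address").
NAT_RULES = [
    ("Hide VLANs behind gateway", "Grp_Internal_VLANs", "Any", "172.1.1.2"),
    ("No NAT for branches", "Net_Branch_1100", "Any", None),
]


def resolve(obj, objects=OBJECTS, path=(), seen=frozenset()):
    """Yield (ip_network, path) pairs for every leaf subnet under obj,
    recursing through nested groups.  `seen` stops a group that contains
    itself (directly or indirectly) from recursing forever."""
    if obj == "Any":
        yield ipaddress.ip_network("0.0.0.0/0"), path + ("Any",)
        return
    if obj in seen:
        return
    here = path + (obj,)
    for member in objects[obj]:
        if member in objects:
            yield from resolve(member, objects, here, seen | {obj})
        else:
            yield ipaddress.ip_network(member), here + (member,)


def match_rule(src, dst, rules=NAT_RULES, objects=OBJECTS):
    """Return (rule name, translated source, group path) for the first
    rule whose source and destination both cover the flow, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_obj, dst_obj, xlate in rules:
        if not any(d in net for net, _ in resolve(dst_obj, objects)):
            continue
        for net, path in resolve(src_obj, objects):
            if s in net:
                return name, xlate, " > ".join(path)
    return None


def broad_members(obj, max_hosts=65536, objects=OBJECTS):
    """List leaf subnets under obj larger than max_hosts addresses, with the
    group path that pulls them in, so an over-wide member stands out."""
    return [(str(net), " > ".join(path))
            for net, path in resolve(obj, objects)
            if net.num_addresses > max_hosts]


if __name__ == "__main__":
    # A branch host talking to an internal server, as in the thread.
    hit = match_rule("1.1.2.5", "10.0.0.10")
    print("matched:", hit)
    print("oversized members:", broad_members("Grp_Internal_VLANs"))
    # Moving the no-NAT rule above the hide rule changes the outcome.
    reordered = [NAT_RULES[1], NAT_RULES[0]]
    print("after reorder:", match_rule("1.1.2.5", "10.0.0.10", reordered))
```

With the constructed rule base the branch host is hidden behind 172.1.1.2 via `Grp_Internal_VLANs > Grp_Legacy > Net_Legacy_Any > 0.0.0.0/1`, which is exactly the kind of path a one-line rule name does not reveal. The fix is either to remove the oversized member or to place the no-NAT rule for the branch networks above the hide rule; the reordered run at the end shows the latter keeping the original address.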
