The remote VPN user's source address does not appear at the Check Point firewall; instead the traffic arrives with the FortiGate LAN interface address as its source.


Solution applied

FortiGate 2000E firmware version: v6.0.2 build0163 (GA)

FortiClient version: 6.0.4

Check Point 5000 Appliance: R80.10

Problem:

The VPN user (10.50.50.1) needs access to the RDP service on the server (10.10.10.55). For that, an IPsec VPN tunnel and an access policy were created on the FortiGate firewall, with the IPsec tunnel applied to the FortiGate policy. The user can bring up the VPN tunnel successfully but cannot reach the RDP service, because the Check Point firewall sees the NAT IP of the FortiGate interface (192.168.20.40) instead of the VPN client's source IP (10.50.50.1).

Cause:

The Check Point firewall sees the FortiGate interface IP because the FortiGate IPsec tunnel is applying source NAT to the VPN client's traffic.

Solution:

The logs listed below are required. Run the following debug commands through the CLI and check the output.

PuTTY session 1:
# get router info routing-table all
# get router info routing-table database
# get router info kernel
# diag firewall proute list

PuTTY session 2:
# diag debug reset
# diag debug flow filter addr x.x.x.x (x.x.x.x is the IP address of the destination you are trying to reach over RDP)
# diag debug flow filter port 3389
# diag debug flow show console enable
# diag debug console time en
# diag debug flow trace start 9999
# diag debug enable

PuTTY session 3:
# diag sniff packet any "host x.x.x.x and port 3389" 6 0 a (x.x.x.x is the IP address of the destination you are trying to reach over RDP)

Now connect to the VPN, try to take RDP, and once you get the error, disable debugging with:

# diag debug disable

- You are using a policy-based VPN.
- The connection was initiated from 10.50.50.1 to the 10.10.10.55 server.
- The server 10.10.10.55 is located behind the FortiGate and is reachable via the FortiGate LAN interface.
- The FortiGate is doing SNAT, changing the source 10.50.50.1 to 192.168.20.40, which is the IP address of the FortiGate LAN interface, even though source NAT was not enabled on the policy.
- SNAT was disabled in the phase 2 configuration using the following commands:

config vpn ipsec phase2
    edit <name of the tunnel>
        set use-natip disable
    next
end

- After disabling it we tested again and could see that the FortiGate is no longer changing the source.
- But from the captures we can see that the FortiGate is forwarding the packets via the LAN interface and we are not getting any response.
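To check from the "diag debug flow" output whether the FortiGate is rewriting the VPN client's source to the LAN interface IP (useful before and after "set use-natip disable"), here is an added Python helper that is not part of the original post. The trace lines it parses are constructed samples in the usual FortiOS flow-trace layout, using the addresses from this case.

```python
import re

# Constructed sample of "diag debug flow" output (not captured from the devices above).
# The last line is the tell-tale: the VPN client source is rewritten to the LAN interface IP.
SAMPLE_TRACE_BEFORE_FIX = """\
id=20085 trace_id=1 func=print_pkt_detail line=5433 msg="vd-root received a packet(proto=6, 10.50.50.1:51234->10.10.10.55:3389) from port1. flag [S], seq 1 ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5590 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.10.10.55 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=743 msg="Allowed by Policy-7:"
id=20085 trace_id=1 func=__ip_session_run_tuple line=2999 msg="SNAT 10.50.50.1->192.168.20.40:51234"
"""

# Constructed sample for the same flow after use-natip was disabled: no SNAT line.
SAMPLE_TRACE_AFTER_FIX = "\n".join(SAMPLE_TRACE_BEFORE_FIX.splitlines()[:-1]) + "\n"

PKT_RE = re.compile(r'proto=(\d+), (\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)')
SNAT_RE = re.compile(r'msg="SNAT (\d+\.\d+\.\d+\.\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)"')
TRACE_RE = re.compile(r'trace_id=(\d+)')


def parse_flow_trace(text):
    """Group trace lines by trace_id; record the original 5-tuple and any SNAT applied."""
    flows = {}
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue  # not a flow-trace line (e.g. console noise)
        flow = flows.setdefault(m.group(1), {"snat": None})
        p = PKT_RE.search(line)
        if p:
            flow.update(proto=int(p.group(1)), src=p.group(2), sport=int(p.group(3)),
                        dst=p.group(4), dport=int(p.group(5)))
        s = SNAT_RE.search(line)
        if s:
            flow["snat"] = {"orig": s.group(1), "new": s.group(2), "port": int(s.group(3))}
    return flows


def find_unexpected_snat(flows, vpn_client, lan_if_ip, dport=3389):
    """Trace ids where the VPN client's source to the RDP port was rewritten to the LAN interface IP."""
    hits = []
    for tid, f in flows.items():
        if (f.get("src") == vpn_client and f.get("dport") == dport
                and f["snat"] is not None and f["snat"]["new"] == lan_if_ip):
            hits.append(tid)
    return hits


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_TRACE_BEFORE_FIX), ("after", SAMPLE_TRACE_AFTER_FIX)):
        bad = find_unexpected_snat(parse_flow_trace(sample), "10.50.50.1", "192.168.20.40")
        print(f"{label} fix: SNAT to LAN interface IP seen in trace ids {bad or 'none'}")
```

Feed it the saved console output of session 2 instead of the constructed samples; an empty result after the change means the Check Point should now see 10.50.50.1 as the source.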
