Solved

Setup VPN with Checkpoint Firewall

Posted on 2009-05-07
Last Modified: 2013-11-16
I need to set up a VPN connection on a Check Point firewall.
The VPN will allow RDP (TCP 3389) to a list of servers.

I created the "community",
set a rule to accept IPsec traffic to and from our firewall and the firewall on their side, and
set the rule in the rule base to allow RDP from their network to the listed IPs of the servers.

Do I need to create a rule that allows RDP traffic from the servers to the site?

Any input is welcome, thanks.
Question by:younginbusiness
3 Comments
LVL 14

Expert Comment

by: grimkin
ID: 24326833
Hi,

No, the traffic is allowed back as there will be a matching entry in the connections table. Give it a whirl and let us know if you need any more help.

Cheers
G
LVL 1

Accepted Solution

by: johnpaulantony (earned 500 total points)
ID: 24339706
Hi,
Assuming that you have done the following:

1) Created a Star community under the VPN section.
2) Added your own FW as a Central Gateway.
3) Added the remote FW object as a Satellite Gateway.
4) Worked with the remote vendor to configure the Phase 1 & Phase 2 settings.
5) Obtained a shared secret and configured it on your FW.
6) Discussed the encryption domain with your remote FW admin and configured it in your rules. This is the important piece, since the encryption domain tells the FW which IPs are to be encrypted and which are not.
Ex: If your source IP range is 10.10.10.x and the destination (terminal servers) IP range is 20.20.20.x:
a) Define 20.20.20.x under Interoperable Devices - "RemoteFW Object" - Topology, then select "Manually defined".
b) Go to your FW object and select Edit - Topology - Manually defined, then select 10.10.10.x.
This gives you an encryption domain consisting of 10.10.10.x and 20.20.20.x, and both FWs are ready to encrypt/decrypt the traffic.
7) Now configure the VPN rule in your "Security" tab. Ex: Source=10.10.10.1, Destination=20.20.20.1, VPN=(the newly created Star community), Service=TCP-3389.

Unlike traditional devices, Check Point always maintains a session table. It will automatically allow the return traffic, so you don't need to worry about the reverse route. As long as you configure one direction, the return traffic will be allowed automatically (assuming that you have proper reverse routes for 20.20.20.x on your FW and for 10.10.10.x on the remote FW).

Note:
If you intend to use multiple VPN tunnels, it is better to create a group (ex: MY-VPN-Tunnel-Source-Group) and add all your VPN sources to it. This will help you manage your encryption domain dynamically.
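To make the two points in the accepted answer concrete (a rule whose VPN column names the community only matches traffic between the two encryption domains, and the SYN-ACK from the terminal server is accepted from the connections table rather than from a reverse rule), here is a small simulation of that matching logic. It is an added illustration, not Check Point code or anything posted in this thread; the community name, the 10.10.10.0/24 and 20.20.20.0/24 domains, the 30.30.30.1 "outside" host and the port numbers are constructed to mirror the answer's example.

```python
"""Simulation of Check Point-style VPN rule matching for a star community.

Models three behaviours the thread discusses:
  * a rule with a community in its VPN column only matches when the packet
    travels between the two encryption domains (either direction);
  * an accepted connection is recorded, so the return packets are accepted
    from the connections table without a reverse rule;
  * anything not matched falls to the implicit cleanup rule and is dropped.
This is illustrative code, not the firewall's real implementation.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed names/addresses mirroring the answer's example (hypothetical).
COMMUNITY = "RDP-Star"
ENCRYPTION_DOMAINS = {
    "local-gw": [ip_network("10.10.10.0/24")],   # central gateway, manually defined topology
    "remote-gw": [ip_network("20.20.20.0/24")],  # satellite (interoperable device) topology
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str
    dport: int
    vpn: Optional[str]   # community name; None means a plain clear-text rule
    action: str          # "accept" or "drop"


def _in_any(ip: str, nets) -> bool:
    return any(ip_address(ip) in n for n in nets)


def tunnel_for(pkt: Packet) -> Optional[str]:
    """Community name if pkt runs between the two encryption domains, else None."""
    local, remote = ENCRYPTION_DOMAINS["local-gw"], ENCRYPTION_DOMAINS["remote-gw"]
    if (_in_any(pkt.src, local) and _in_any(pkt.dst, remote)) or \
       (_in_any(pkt.src, remote) and _in_any(pkt.dst, local)):
        return COMMUNITY
    return None


class Gateway:
    def __init__(self, rules):
        self.rules = rules
        self.connections = set()  # the stateful connections table

    def process(self, pkt: Packet):
        """Return (verdict, tunnel): tunnel is the community the packet is encrypted in, or None."""
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        # 1. A known connection, in either direction, bypasses the rule base entirely.
        if key in self.connections or reverse in self.connections:
            return "accept", tunnel_for(pkt)
        # 2. First-match rule base; a VPN-column rule additionally needs the community to match.
        for rule in self.rules:
            if ip_address(pkt.src) not in rule.src or ip_address(pkt.dst) not in rule.dst:
                continue
            if pkt.proto != rule.proto or pkt.dport != rule.dport:
                continue
            if rule.vpn is not None and tunnel_for(pkt) != rule.vpn:
                continue
            if rule.action == "accept":
                self.connections.add(key)
                return "accept", tunnel_for(pkt)
            return "drop", None
        return "drop", None  # implicit cleanup rule


# The single one-way rule from the answer: LAN -> terminal servers, RDP, via the community.
RULES = [
    Rule(ip_network("10.10.10.0/24"), ip_network("20.20.20.0/24"), "tcp", 3389, COMMUNITY, "accept"),
]


def demo():
    gw = Gateway(RULES)
    results = {}
    # Outbound RDP from our LAN to a terminal server in the remote domain: matched and encrypted.
    results["rdp_out"] = gw.process(Packet("10.10.10.5", "20.20.20.1", "tcp", 50000, 3389))
    # The server's SYN-ACK matches no rule but is found in the connections table.
    results["rdp_return"] = gw.process(Packet("20.20.20.1", "10.10.10.5", "tcp", 3389, 50000))
    # RDP to a host outside the remote encryption domain: the VPN rule does not match, cleanup drops it.
    results["outside_domain"] = gw.process(Packet("10.10.10.5", "30.30.30.1", "tcp", 50001, 3389))
    # Unsolicited RDP from the remote side into our LAN: there is no such rule, so it is dropped.
    results["rdp_inbound"] = gw.process(Packet("20.20.20.1", "10.10.10.5", "tcp", 50002, 3389))
    return results


if __name__ == "__main__":
    for name, (verdict, tunnel) in demo().items():
        print(f"{name:15} {verdict:7} via {tunnel}")
```

The third case is the one worth checking in a real deployment: a destination that is not in the satellite's encryption domain never matches a rule whose VPN column names the community, so it cannot silently leave in clear text. A rule with "Any" in the VPN column would match both encrypted and unencrypted traffic, which is why the answer stresses getting the encryption domain right before writing the rule.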
