09-25-2008 11:48 AM - edited 03-11-2019 06:49 AM
Hello,
Hopefully, this is the right forum to post this message. If not, I apologize.
My setup:
InternalFW: PIX515e(v6.3)
VPN box: Connectra(Checkpoint)
VPN box to be managed by the SmartCenter server(Checkpoint)
I am trying to establish communication between the SmartCenter server (which is in DMZ1) and the Connectra Box(which is in DMZ2) thru the PIX firewall.
I NAT'd the Connectra box DMZ2 IP to a DMZ1 IP where the SmartCenter resides. Then I implemented a DMZ1 ACL for the SmartCenter to access the Connectra over any port. I get hits on the access-list, but no connection.
SmartCenter DMZ1 IP:10.10.1.10/24
Connectra DMZ2 IP:10.10.2.11/24
static (dmz2,dmz1) 10.10.1.11 10.10.2.11 netmask 255.255.255.255 0 0
access-list acl_dmz1 permit tcp host 10.10.1.10 host 10.10.1.11
Just to see if I had set it up correctly, I configured the Connectra and SmartCenter on the same DMZ and it worked. I just can't get it to work thru the PIX.
Does anyone have a similar setup and has run across the same issues?
Thank you,
-Lee
Accepted Solutions
09-25-2008 01:40 PM
I have some experience with Checkpoint so hopefully
I can provide you with some advice on this.
SIC= Secure Internal Communication. Basically you enter
the Activation key (one time password) on the Connectra
and when you create a Checkpoint connectra on the SmartDashboard,
you enter the same Activation key on that object.
What you're trying to do will NOT work with NAT because SIC does
NOT work with NAT, UNLESS you are doing this through a Checkpoint
Firewall.
If you run "fw monitor" on both the Connectra and the SmartCenter
Server, and use Ethereal to look at the output, you will clearly
see that SIC uses the Checkpoint Internal Certificate for Secure
Internal Communication. It will NOT work through NAT unless
you have a Checkpoint firewall in between the Connectra and
the SmartCenter.
Your workaround is NOT to NAT between the SmartCenter and
the Connectra.
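The point of the accepted answer is that the SmartCenter-to-Connectra management flow (TCP 18191, per Lee's later reply) must not cross a NAT translation. A simple way to catch that class of mistake during a config review is to parse the PIX `static` and `access-list` lines and flag any ACL entry whose destination is a NAT-mapped address that a SIC port would reach. The script below is an added example written for this thread, not code from the original posts or from Cisco or Check Point; the config strings are constructed copies of the lines posted above, and the set of SIC ports beyond 18191 is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Check Point SIC/management TCP ports. 18191 is the port named in the thread;
# 18190, 18210 and 18211 are listed here as an assumption (other well-known SIC ports).
SIC_TCP_PORTS = {18190, 18191, 18210, 18211}

# PIX 6.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask MASK ...
STATIC_RE = re.compile(r'^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)')
# Only the host-to-host ACE form used in the thread, with an optional "eq PORT".
ACL_RE = re.compile(r'^access-list (\S+) permit (\w+) host (\S+) host (\S+)(?: eq (\d+))?')


@dataclass
class Static:
    real_if: str      # interface the real host sits on (dmz2 in the thread)
    mapped_if: str    # interface where the translated address is visible (dmz1)
    mapped_ip: str
    real_ip: str


@dataclass
class Ace:
    acl: str
    proto: str
    src: str
    dst: str
    port: Optional[int]   # None means "any port"


def parse_pix(config: str) -> Tuple[List[Static], List[Ace]]:
    """Extract static NAT entries and host-to-host ACEs from a PIX config fragment."""
    statics, aces = [], []
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append(Static(m[1], m[2], m[3], m[4]))
            continue
        m = ACL_RE.match(line)
        if m:
            aces.append(Ace(m[1], m[2], m[3], m[4], int(m[5]) if m[5] else None))
    return statics, aces


def nat_crossings(config: str) -> List[str]:
    """Return one finding per ACE that lets SIC traffic reach a NAT-mapped address."""
    statics, aces = parse_pix(config)
    mapped = {s.mapped_ip: s for s in statics}
    findings = []
    for a in aces:
        s = mapped.get(a.dst)
        if s is None:
            continue                      # destination is a real address, no translation
        ports = {a.port} if a.port is not None else SIC_TCP_PORTS  # "any port" covers SIC
        if a.proto in ('tcp', 'ip') and ports & SIC_TCP_PORTS:
            findings.append(
                f"{a.acl}: {a.src} -> {a.dst} is translated to {s.real_ip} by "
                f"static ({s.real_if},{s.mapped_if}); SIC traffic would cross NAT")
    return findings


# Constructed copy of the rules Lee posted (SmartCenter in dmz1, Connectra in dmz2).
THREAD_CONFIG = """
static (dmz2,dmz1) 10.10.1.11 10.10.2.11 netmask 255.255.255.255 0 0
access-list acl_dmz1 permit tcp host 10.10.1.10 host 10.10.1.11
access-list acl_dmz1 permit udp host 10.10.1.10 host 10.10.1.11
"""

# Constructed alternative following the accepted answer: routed, no static, ACL to the real IP.
NO_NAT_CONFIG = """
access-list acl_dmz1 permit tcp host 10.10.1.10 host 10.10.2.11 eq 18191
"""

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("no-nat", NO_NAT_CONFIG)):
        print(name, nat_crossings(cfg) or ["ok: no SIC flow crosses NAT"])
```

Run it as-is and the thread config produces one finding for the TCP entry (the UDP entry is ignored because SIC is TCP), while the no-NAT variant is clean. A `static` whose mapped address is only reached on non-SIC ports (say `eq 22`) is also left alone, so the check stays focused on the management path the answer describes.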
09-25-2008 12:02 PM
What kind of traffic are you passing between these boxes?
You have opened TCP.
Do you need to open UDP 500, GRE and UDP 4500 too (usually needed for IPsec VPN)?
Also, add the inspection for ipsec-passthrough too.
policy-map global_policy
class inspection_default
inspect ipsec-passthrough
exit
exit
Do rate if helpful
Regards,
Sushil
09-25-2008 01:00 PM
Hi Sushil,
Thanks for your reply. I am passing TCP traffic over port 18191 between the two boxes.
VPN traffic does not play a role yet in this situation as I am simply just trying to have one box on a DMZ communicate to another box on another DMZ for management purposes only.
Here are my current rules on the PIX (I also opened up UDP just in case):
SmartCenter DMZ1 IP:10.10.1.10/24
Connectra DMZ2 IP:10.10.2.11/24
static (dmz2,dmz1) 10.10.1.11 10.10.2.11 netmask 255.255.255.255 0 0
access-list acl_dmz1 permit tcp host 10.10.1.10 host 10.10.1.11
access-list acl_dmz1 permit udp host 10.10.1.10 host 10.10.1.11
Thanks,
-Lee
09-25-2008 02:07 PM
Thanks David,
This sheds a lot of light now on our design.
Since I also could not get it to work thru a direct ACL (no NAT), I guess I have to either put the two boxes on the same segment or, as you implied, get a new firewall :-). I think this was a question more towards Checkpoint, but I appreciate the response.
Thanks,
- Lee
09-25-2008 04:25 PM
Basically your design should include a VLAN
network design just for managing these
devices. There should be absolutely NO NAT
in this VLAN or Checkpoint SIC will complain.
Putting the SmartCenter and the Connectra on
the same network is a BAD idea.
Good luck to you.
09-26-2008 08:39 AM
Got it! Thanks again.
