Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1593
Views
4
Helpful
6
Replies

Establishing SIC communication thru PIX firewall?

Go to solution
lalcantara
Level 1
Level 1

‎09-25-2008 11:48 AM - edited ‎03-11-2019 06:49 AM

Hello,

Hopefully, this is the right forum to post this message. If not, I apologize.

My setup:

InternalFW: PIX515e(v6.3)

VPN box: Connectra(Checkpoint)

VPN box to be managed by the SmartCenter server(Checkpoint)

I am trying to establish communication between the SmartCenter server (which is in DMZ1) and the Connectra Box(which is in DMZ2) thru the PIX firewall.

I NAT'd the connectra box DMZ2 IP to a DMZ1 IP where the Smartcenter resides. Then i implemented a DMZ1 ACL for the SmartCenter to access the Connectra over any port. I get hits on the access-list, but no connection.

SmartCenter DMZ1 IP:10.10.1.10/24

Connectra DMZ2 IP:10.10.2.11/24

static (dmz2,dmz1) 10.10.1.11 10.10.2.11 netmask 255.255.255.255 0 0

access-list acl_dmz1 permit tcp host 10.10.1.10 host 10.10.1.11

Just to see if i had set it up correctly, I configured the connectra and smartcenter on the same DMZ and it worked. I just can't get it to work thru the PIX.

Does anyone have a similiar setup and ran across the same issues?

Thank you,

-Lee

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
cisco24x7
Level 6
Level 6
In response to lalcantara

‎09-25-2008 01:40 PM

I have some experiences with Checkpoint so hopefully

I can provide you with some advices on this.

SIC= Secure Internal Communication. Basically you enter

the Activation key (one time password) on the Connectra

and when you create a Checkpoint connectra on the SmartDashboard,

you enter the same Activation key on that object.

What you're trying to do will NOT work with NAT because SIC does

NOT work with NAT, UNLESS you are doing this through a Checkpoint

Firewall.

If you run "fw monitor" on both the Connectra and the SmartCenter

Server, and use Ethereal to look at the output, you will clear

see that SIC uses Checkpoint Internal Certificate for Secure

Internal Communication. It will NOT work through NAT unless

you have a Checkpoint firewall in between the Connectra and

the SmartCenter.

Your workaround is NOT to NAT between the SmartCenter and

the Connectra.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
suschoud
Cisco Employee
Cisco Employee

‎09-25-2008 12:02 PM

what kind of traffic are you passing between these boxes?

You have opened tcp.

Do you need to open udp 500,gre,udp 4500 too ( usually needed for ipsec vpn )

Also,add the inspection for ipsec-passthrough too.

policy-map global_policy

class inspection_default

inspect ipsec-passthrough

exit

exit

Do rate if helpful

Regards,

Sushil

0 Helpful

Go to solution
lalcantara
Level 1
Level 1
In response to suschoud

‎09-25-2008 01:00 PM

Hi Sushil,

Thanks for your reply. I am passing TCP traffic over port 18191 between the two boxes.

VPN traffic does not play a role yet in this situation as I am simply just trying to have one box on a DMZ communicate to another box on another DMZ for management purposes only.

Here are my current rules on the PIX:(I also opened up UDP just incase)

SmartCenter DMZ1 IP:10.10.1.10/24

Connectra DMZ2 IP:10.10.2.11/24

static (dmz2,dmz1) 10.10.1.11 10.10.2.11 netmask 255.255.255.255 0 0

access-list acl_dmz1 permit tcp host 10.10.1.10 host 10.10.1.11

access-list acl_dmz1 permit udp host 10.10.1.10 host 10.10.1.11

Thanks,

-Lee

0 Helpful

Go to solution
cisco24x7
Level 6
Level 6
In response to lalcantara

‎09-25-2008 01:40 PM

I have some experiences with Checkpoint so hopefully

I can provide you with some advices on this.

SIC= Secure Internal Communication. Basically you enter

the Activation key (one time password) on the Connectra

and when you create a Checkpoint connectra on the SmartDashboard,

you enter the same Activation key on that object.

What you're trying to do will NOT work with NAT because SIC does

NOT work with NAT, UNLESS you are doing this through a Checkpoint

Firewall.

If you run "fw monitor" on both the Connectra and the SmartCenter

Server, and use Ethereal to look at the output, you will clear

see that SIC uses Checkpoint Internal Certificate for Secure

Internal Communication. It will NOT work through NAT unless

you have a Checkpoint firewall in between the Connectra and

the SmartCenter.

Your workaround is NOT to NAT between the SmartCenter and

the Connectra.

0 Helpful

Go to solution
lalcantara
Level 1
Level 1
In response to cisco24x7

‎09-25-2008 02:07 PM

Thanks David,

This sheds a lot of light now on our design.

Since I also could not get it to work thru a direct ACL(no NAT), I guess i have to either put the two boxes on the same segment or as you implied get e new firewall :-). I think this was a question more towards Checkpoint, but I appreciate the response.

Thanks,

- Lee

0 Helpful

Go to solution
cisco24x7
Level 6
Level 6
In response to lalcantara

‎09-25-2008 04:25 PM

Basically your design should include a VLAN

network design just for managing these

devices. There should be absolutely NO NAT

in this VLAN or Checkpoint SIC will complain.

Putting the SmartCenter and the Connectra on

the same network is a BAD idea.

Good luck to you.

Go to solution
lalcantara
Level 1
Level 1
In response to cisco24x7

‎09-26-2008 08:39 AM

Got it! Thanks again.

0 Helpful
Review Cisco Networking for a $25 gift card
Top