Solved

Checkpoint R55 - Passing traffic via 2 external interfaces

Posted on 2006-07-15
Last Modified: 2013-11-16
Hello

I have 2 firewalls. PIX - Perimeter and Checkpoint - Internal FW
I am trying to update the PIX clock using NTP. The NTP device is located in the Checkpoint DMZ through interface 3.
The PIX tries to go through the Checkpoint External interface (Int2) to get to the DMZ on int3, but it gets the error that it is dropped for going through 2 external interfaces. The 2 interfaces are both configured as external with antispoofing.

I am wondering what other actions I need to do to successfully pass traffic through the Checkpoint external interface through to the DMZ interface which is also classed as external?

Cheers
Question by:clarkeyi
19 Comments
 
LVL 10

Expert Comment

by:naveedb
You will need to open udp port 123 to allow incoming traffic on Checkpoint for your NTP device.

If the PIX has internet connectivity, you may use any public ntp server.
 

Author Comment

by:clarkeyi
Hello

NTP is open on the firewall. So this is OK.
I have read on the web that if traffic cannot pass between 2 external interfaces then it may be a licensing issue. Does this sound right?
 
LVL 5

Accepted Solution

by:dbardbar
dbardbar earned 125 total points
True, traffic is not allowed between two EXTERNAL interfaces.
But, you don't have 2 external interfaces, do you?

The DMZ interface should not be defined as an external interface in the Anti-Spoofing definitions. It should be defined "Internal" in the AS definitions.

The way you are working now is not very secure, effectively allowing someone to send spoofed packets from the DMZ, as if they are coming from some external internet IP.
 

Author Comment

by:clarkeyi
Thanks for the advice. The consultant who set this up never defined why it was classed as External.
The DMZ is where we terminate remote access (there is a VPN concentrator here).
Does this still mean I should amend the config of the interface as internal? If so I will test that scenario.

Cheers for the advice
 
LVL 5

Expert Comment

by:dbardbar
I would guess that your VPN con. is accepting encrypted traffic, and then sends it over with either its own IP, or a range of predefined IPs.

If it is its own IP, then you should definitely do what I suggested.
If it is a range of IPs, then if the range belongs to the subnet of the DMZ, there shouldn't be a problem with what I suggested.

Otherwise, you'll need to make a slightly different configuration to allow those IPs. It might be that this is indeed the case and that is the reason your consultant configured it this way: because it is simpler, and because it kind of works. But that's not the proper way to config it.

Please send over more topology information if you need further assistance.
 

Author Comment

by:clarkeyi
No problem

The CP Firewall config is defined as:
Internal
External (Leads to the PIX and out)
External (Leads to a DMZ)

The PIX has 3 DMZs off it. One of these includes a VPN concentrator which has a switch between this and an RSA ACE server, which is classed as the DMZ off the Checkpoint firewall.
Once remote users are terminated at the VPN, they authenticate their RSA token and get a defined DHCP address for access through the CP DMZ interface and onto the LAN.

                                                  PIX
                                                                       VPN Concentrator
                                                                                 
                                                                              switch

                                                                         RSA ACE server


                                             Checkpoint

Hope this adds a bit more info

Cheers
 
LVL 5

Expert Comment

by:dbardbar
Sorry, but it is not completely clear to me what the exact topology is.

Could you perhaps draw a diagram? With IPs and subnets?
 

Author Comment

by:clarkeyi
Hello

Hope this may help now

Thanks

                                   PIX
            
            (172.28.5.2/29)      

                 ¦
                 ¦
                        DMZ3            (172.28.5.3/29)
            switch-------------------------------------VPN Concentrator
                 ¦
                     ¦                              ¦
                 ¦                              SWITCH
                 ¦                  DMZ4            ¦
                 ¦external
            (172.28.5.1/29)---------------RSA Server (172.24.5.7/25)
            CHECKPOINT       external            (NTP Server)
                 ¦
            LAN
Author Comment

by:clarkeyi
This one should be a bit clearer

                                     PIX
            
            (172.28.5.2/29)      

                 ¦
                 ¦
                                            DMZ3          (172.28.5.3/29)
            switch-------------------------------------           VPN Concentrator
                 ¦
                     ¦                              ¦
                 ¦                                 SWITCH
                 ¦                  DMZ4            ¦
                 ¦external
            (172.28.5.1/29)-------external--------             RSA Server (172.24.5.7/25)
            CHECKPOINT                                          (NTP Server)
                 ¦
            LAN
 
LVL 5

Expert Comment

by:dbardbar
Why is there a switch between the RSA server on 172.24.5.7/25 and the VPN on 172.28.5.3/29?
Are they talking to each other directly? That is, passing traffic between each other not passing the CP firewall?

Do you have Skype? If so, can you please contact me there, username dbardbar? It will work a lot quicker.
 

Author Comment

by:clarkeyi
The VPN Conc. and the RSA do talk to each other for remote user access. Once authenticated on the RSA server users can then access the internal LAN.
No Skype - this is just used for remote access.
 

Author Comment

by:clarkeyi
Sorry, just read your Skype comment!!
No sorry, I do not have a Skype account set up!
 
LVL 5

Expert Comment

by:dbardbar
Could you perhaps install it?
I am still not clear on a few things, and I feel it would be much quicker that way.
 

Author Comment

by:clarkeyi
Hello

I finish at 4 today, so I will install it this evening ready for tomorrow.

Thanks for your help

Regards

Ian
 
LVL 5

Expert Comment

by:dbardbar
OK, great.
My timezone is GMT+3
 
LVL 4

Assisted Solution

by:imreble1
imreble1 earned 125 total points
Well, dbardbar explained what was happening here, Clark. Anti-spoofing: you have multiple external interfaces. Two options that won't affect production traffic:

1. Make the DMZ interface Internal
2. Turn anti-spoofing off

RDC
Fishnetsecurity.com
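To make the accepted solution and the two options above concrete, here is an added example (constructed model, not Check Point's code) of how per-interface anti-spoofing and the "two external interfaces" drop decide the fate of the PIX's NTP packet in both configurations. The ext and dmz subnets are taken from the diagram; the LAN range and the spoofed source address are assumptions.

```python
import ipaddress

# Added example (not Check Point's code): a constructed model of the two things the
# thread turns on, per-interface anti-spoofing and the drop of traffic that would
# enter on one EXTERNAL interface and leave on another. Subnets for ext and dmz come
# from the diagram in the thread; the LAN range is an assumption.

def make_topology(dmz_kind):
    """Interface table. 'kind' is the Anti-Spoofing topology setting of the interface."""
    return {
        "ext": {"kind": "external", "subnet": "172.28.5.0/29"},   # leads to the PIX and out
        "dmz": {"kind": dmz_kind,   "subnet": "172.24.5.0/25"},   # RSA ACE / NTP server
        "lan": {"kind": "internal", "subnet": "192.168.0.0/16"},  # assumed LAN range
    }

def _in(ip, subnet):
    return ip in ipaddress.ip_network(subnet)

def route(topo, dst):
    """Egress interface: the interface whose subnet holds dst, else the external one."""
    for name, iface in topo.items():
        if _in(dst, iface["subnet"]):
            return name
    return "ext"

def check_packet(topo, in_iface, src, dst, antispoof=True):
    """Return 'accept' or a 'drop: ...' reason for a packet arriving on in_iface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = topo[in_iface]
    internal = [i["subnet"] for i in topo.values() if i["kind"] == "internal"]
    if antispoof:
        # An internal interface only accepts sources from its own network; an
        # external interface accepts anything that is not an internal address.
        if ingress["kind"] == "internal" and not _in(src, ingress["subnet"]):
            return "drop: spoofed source on internal interface"
        if ingress["kind"] == "external" and any(_in(src, n) for n in internal):
            return "drop: internal source arriving on external interface"
        # The error from the question: entering and leaving via external interfaces.
        if ingress["kind"] == "external" and topo[route(topo, dst)]["kind"] == "external":
            return "drop: traffic between two external interfaces"
    return "accept"

if __name__ == "__main__":
    pix_ntp = ("ext", "172.28.5.2", "172.24.5.7")       # PIX polling the NTP server
    spoofed = ("dmz", "203.0.113.9", "192.168.1.10")    # constructed: non-DMZ source on DMZ leg
    for dmz_kind in ("external", "internal"):
        topo = make_topology(dmz_kind)
        print(f"DMZ as {dmz_kind}: NTP -> {check_packet(topo, *pix_ntp)}; "
              f"spoofed -> {check_packet(topo, *spoofed)}")
```

With the DMZ marked external the NTP packet is dropped and the spoofed one is accepted; with it marked internal the NTP packet passes and the spoofed one is dropped, which is exactly the trade-off dbardbar described.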
