clarkeyi
asked on
Checkpoint R55 - Passing traffic via 2 external interfaces
Hello
I have 2 firewalls. PIX - Perimeter and Checkpoint - Internal FW
I am trying to update the PIX clock using NTP. The NTP device is located in the Checkpoint DMZ through interface 3
The PIX tries to go through the Checkpoint External interface (Int2) to get to the DMZ on int3 but it gets the error that it is dropped for going through 2 external interfaces. The 2 interfaces are both configured as external with antispoofing.
I am wondering what other actions I need to do to successfully pass traffic through the Checkpoint external interface through to the DMZ interface which is also classed as external?
Cheers
ASKER
Hello
NTP is open on the firewall. So this is OK.
I have read on the web that if traffic cannot pass between 2 external interfaces then it may be a licensing issue. Does this sound right?
ASKER
Thanks for the advice. The consultant who set this up never defined why it was classed as External.
In the DMZ is where we terminate remote access (There is a VPN concentrator here)
Does this still mean I should amend the config of the interface as internal? If so I will test that scenario
Cheers for the advice
I would guess that your VPN con. is accepting encrypted traffic, and then sends it over with either its own IP, or a range of predefined IPs.
If it is its own IP, then you should definitely do what I suggested.
If it is a range of IPs, then if the range belongs to the subnet of the DMZ, there shouldn't be a problem with what I suggested.
Otherwise, you'll need to make a slightly different configuration, to allow those IPs. It might be that this is indeed the case and that is the reason your consultant configured it this way - because it is simpler, and because it kind of works. But, that's not the proper way to config it.
Please send over more topology information if you need further assistance.
ASKER
No problem
The CP Firewall config is defined as:
Internal
External (Leads to the PIX and out)
External (Leads to a DMZ)
The PIX has 3 DMZ's off it. One of these includes a VPN concentrator which has a switch between this and an RSA ACE server which is classed as the DMZ off the Checkpoint firewall.
Once remote users are terminated at the VPN, they authenticate their RSA token and get a defined DHCP address for access through the CP DMZ interface and onto the LAN
PIX
VPN Concentrator
switch
RSA ACE server
Checkpoint
Hope this adds a bit more info
Cheers
Sorry, but it is not completely clear to me what the exact topology is.
Could you perhaps draw a diagram? With IPs and subnets?
ASKER
Hello
Hope this may help now
Thanks
PIX
(172.28.5.2/29)
¦
¦
DMZ3 (172.28.5.3/29)
switch-------------------- ---------- -------VPN Concentrator
¦
¦ ¦
¦ SWITCH
¦ DMZ4 ¦
¦external
(172.28.5.1/29)----------- ----RSA Server (172.24.5.7/25)
CHECKPOINT external (NTP Server)
¦
LAN
ASKER
This one should be a bit clearer
PIX
(172.28.5.2/29)
¦
¦
DMZ3 (172.28.5.3/29)
switch-------------------- ---------- ------- VPN Concentrator
¦
¦ ¦
¦ SWITCH
¦ DMZ4 ¦
¦external
(172.28.5.1/29)-------external-------- RSA Server (172.24.5.7/25)
CHECKPOINT (NTP Server)
¦
LAN
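As an added illustration, not the thread's own configuration or Check Point's actual implementation: a simplified Python model of the two checks discussed in this thread, topology-based anti-spoofing and the drop for traffic routed between two interfaces both defined as External, applied to the addresses in the diagram above. The LAN network (10.0.0.0/8) and the static routes are assumptions, since the thread does not give them.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology from the diagram: a Check Point gateway with three
# interfaces. Internal interfaces list the networks defined behind them;
# External interfaces have no defined networks (None).
AS_FOUND = {
    "Int":  ["10.0.0.0/8"],   # LAN; network is an assumption, not from the thread
    "Ext":  None,             # 172.28.5.1/29, leads to the PIX
    "DMZ4": None,             # leads to the RSA/NTP server, defined as External
}
# Same gateway with the DMZ interface redefined as Internal over its own subnet.
CORRECTED = dict(AS_FOUND, DMZ4=["172.24.5.0/25"])

# Assumed static routes: (destination network, egress interface); longest match wins.
ROUTES = [("172.28.5.0/29", "Ext"), ("172.24.5.0/25", "DMZ4"),
          ("10.0.0.0/8", "Int"), ("0.0.0.0/0", "Ext")]

def egress_interface(routes, dst):
    """Longest-prefix route lookup for dst."""
    ip = ip_address(dst)
    matches = [(ip_network(n).prefixlen, ifc) for n, ifc in routes if ip in ip_network(n)]
    return max(matches)[1]

def internal_owner(topology, addr):
    """Internal interface whose defined networks contain addr, or None if no interface claims it."""
    ip = ip_address(addr)
    for name, nets in topology.items():
        if nets and any(ip in ip_network(n) for n in nets):
            return name
    return None

def check_packet(topology, routes, ingress, src, dst):
    """Return 'accept' or a drop reason for a packet seen on interface `ingress`."""
    owner = internal_owner(topology, src)
    if topology[ingress] is None:
        # External interface: the source must not belong to any internal network.
        if owner is not None:
            return f"drop: spoofed source {src} (belongs to {owner}) on {ingress}"
    elif owner != ingress:
        # Internal interface: the source must be inside its defined networks.
        return f"drop: source {src} not in topology of {ingress}"
    egress = egress_interface(routes, dst)
    if topology[ingress] is None and topology[egress] is None and egress != ingress:
        # The condition the asker hit: forwarding between two External interfaces.
        return f"drop: external-to-external, {ingress} -> {egress}"
    return "accept"

PIX, NTP = "172.28.5.2", "172.24.5.7"  # addresses from the diagram
```

Running `check_packet(AS_FOUND, ROUTES, "Ext", PIX, NTP)` reproduces the drop, while the same query against `CORRECTED` is accepted in both directions; a reply from the NTP address arriving on `Ext` is still rejected as spoofed.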
Why is there a switch between the RSA server on 172.24.5.7/25 and the VPN on 172.28.5.3/29?
Are they talking to each other directly? That is, passing traffic between each other not passing the CP firewall?
Do you have Skype? If so, can you please contact me there, username dbardbar? It will work a lot quicker.
ASKER
The VPN Conc. and the RSA do talk to each other for remote user access. Once authenticated on the RSA server users can then access the internal LAN.
No skype - this is just used for remote access
ASKER
Sorry, just read your skype comment!!
No sorry I do not have a skype account setup!
Could you perhaps install it?
I am still not clear on a few things, and I feel it would be much quicker that way.
ASKER
Hello
I finish at 4 today, so I will install it this evening ready for tomorrow
Thanks for your help
Regards
Ian
OK, great.
My timezone is GMT+3
If the PIX has internet connectivity, you may use any public ntp server.