Solved

Checkpoint R55 - Passing traffic via 2 external interfaces

Posted on 2006-07-15
898 Views
Last Modified: 2013-11-16
Hello

I have 2 firewalls. PIX - Perimeter and Checkpoint - Internal FW
I am trying to update the PIX clock using NTP. The NTP device is located in the Checkpoint DMZ through interface 3
The PIX tries to go through the Checkpoint External interface (Int2) to get to the DMZ on int3 but it gets the error that it is dropped for going through 2 external interfaces.  The 2 interfaces are both configured as external with antispoofing.  

I am wondering what other actions I need to do to successfully pass traffic through the Checkpoint external interface through to the DMZ interface which is also classed as external?

Cheers
 
Question by:clarkeyi
16 Comments
 
LVL 10

Expert Comment

by:naveedb
ID: 17116560
You will need to open udp port 123 to allow incoming traffic on Checkpoint for your NTP device.

If the PIX has internet connectivity, you may use any public ntp server.
0
 

Author Comment

by:clarkeyi
ID: 17116840
Hello

NTP is open on the firewall. So this is OK.  
I have read on the web that if traffic cannot pass between 2 external interfaces then it may be a licensing issue.  Does this sound right?
0
 
LVL 5

Accepted Solution

by:
dbardbar earned 500 total points
ID: 17117243
True, traffic is not allowed between two EXTERNAL interfaces.
But, you don't have 2 external interfaces, do you?

The DMZ interface should not be defined as an external interface in the Anti-Spoofing definitions. It should be defined "Internal" in the AS definitions.

The way you are working now is not very secure, effectively allowing someone to send spoofed packets from the DMZ, as if they are coming from some external internet IP.

0
 

Author Comment

by:clarkeyi
ID: 17118148
Thanks for the advice.  The consultant who set this up never defined why it was classed as External.
In the DMZ is where we terminate remote access (There is a VPN concentrator here)
Does this still mean I should amend the config of the interface as internal? If so I will test that scenario

Cheers for the advice
0
 
LVL 5

Expert Comment

by:dbardbar
ID: 17118167
I would guess that your VPN con. is accepting encrypted traffic, and then sends it over with either its own IP, or a range of predefined IPs.

If it is its own IP, then you should definitely do what I suggested.
If it is a range of IPs, then if the range belongs to the subnet of the DMZ, there shouldn't be a problem with what I suggested.

Otherwise, you'll need to make a slightly different configuration, to allow those IPs. It might be that this is indeed the case and that is the reason your consultant configured it this way - because it is simpler, and because it kind of works. But, that's not the proper way to config it.

Please send over more topology information if you need further assistance.
0
 

Author Comment

by:clarkeyi
ID: 17120306
No problem

The CP Firewall config is defined as:
Internal
External (Leads to the PIX and out)
External (Leads to a DMZ)

The PIX has 3 DMZ's off it. One of these includes a VPN concentrator which has a switch between this and a RSA ACE server which is classed as the DMZ off the Checkpoint firewall.
Once remote users are terminated at the VPN, they authenticate their RSA token and get a defined DHCP address for access through the CP DMZ interface and onto the LAN

        PIX
                VPN Concentrator
                    switch
                RSA ACE server
        Checkpoint

Hope this adds a bit more info

Cheers
0
 
LVL 5

Expert Comment

by:dbardbar
ID: 17120318
Sorry, but it is not completely clear to me what is the exact topology.

Could you perhaps draw a diagram? With IPs and subnets?
0
 

Author Comment

by:clarkeyi
ID: 17130067
Hello

Hope this may help now

Thanks

                  PIX
            (172.28.5.2/29)
                  |
                  |                 DMZ3      (172.28.5.3/29)
              switch------------------------VPN Concentrator
                  |                                 |
                  |                               SWITCH
                  |                 DMZ4            |
                  | external
            (172.28.5.1/29)-------------------RSA Server (172.24.5.7/25)
              CHECKPOINT       external        (NTP Server)
                  |
                 LAN
0
 

Author Comment

by:clarkeyi
ID: 17130093
This one should be a bit clearer

                  PIX
            (172.28.5.2/29)
                  |
                  |                 DMZ3      (172.28.5.3/29)
              switch------------------------VPN Concentrator
                  |                                 |
                  |                               SWITCH
                  |                 DMZ4            |
                  | external
            (172.28.5.1/29)------external------RSA Server (172.24.5.7/25)
              CHECKPOINT                       (NTP Server)
                  |
                 LAN
0
 
LVL 5

Expert Comment

by:dbardbar
ID: 17130128
Why is there a switch between the RSA server on 172.24.5.7/25 and the VPN on 172.28.5.3/29?
Are they talking to each other directly? That is, passing traffic between each other not passing the CP firewall?

Do you have Skype? If so, can you please contact me there, username dbardbar? It will work a lot quicker.
0
 

Author Comment

by:clarkeyi
ID: 17130717
The VPN Conc. and the RSA do talk to each other for remote user access. Once authenticated on the RSA server users can then access the internal LAN.
No Skype - this is just used for remote access
0
 

Author Comment

by:clarkeyi
ID: 17130722
Sorry, just read your Skype comment!!
No sorry I do not have a Skype account set up!
0
 
LVL 5

Expert Comment

by:dbardbar
ID: 17130733
Could you perhaps install it?
I am still not clear on a few things, and I feel it would be much quicker that way.
0
 

Author Comment

by:clarkeyi
ID: 17130784
Hello

I finish at 4 today, so I will install it this evening ready for tomorrow

Thanks for your help

Regards

Ian
0
 
LVL 5

Expert Comment

by:dbardbar
ID: 17130801
OK, great.
My timezone is GMT+3
0
 
LVL 4

Assisted Solution

by:imreble1
imreble1 earned 500 total points
ID: 17268620
Well, dbardbar explained what was happening here, Clark. Anti-spoofing: you have multiple external interfaces. Two options that won't affect production traffic:

1. Make the DMZ interface Internal
2. Turn anti-spoofing off

RDC
Fishnetsecurity.com
0
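The interface classification dbardbar's accepted solution and imreble1's two options describe, as an added example that is not part of the original thread: a constructed Python model of Check Point's anti-spoofing topology checks (not Check Point's own code) run over the addresses from the posted diagram. The LAN subnet 10.0.0.0/8 and the internet source 203.0.113.5 are assumed values.

```python
import ipaddress

NET = ipaddress.ip_network

# Constructed model of Check Point anti-spoofing topology (not vendor code): an
# interface is "external", or "internal" with the networks expected behind it.
AS_POSTED = {                                   # DMZ interface classed external
    "int1_lan": {"type": "internal", "networks": [NET("10.0.0.0/8")]},  # LAN assumed
    "int2_pix": {"type": "external"},
    "int3_dmz": {"type": "external"},
}
CORRECTED = dict(AS_POSTED)                      # accepted solution: DMZ is internal
CORRECTED["int3_dmz"] = {"type": "internal", "networks": [NET("172.24.5.0/25")]}

def behind(itf, src):
    # True if src is an address expected behind an internal interface
    return itf["type"] == "internal" and any(src in n for n in itf["networks"])

def classify(interfaces, ingress, egress, src_ip, antispoof=True):
    """Verdict for a packet entering `ingress`, leaving `egress`, with source
    `src_ip`; antispoof=False models imreble1's option 2 (all checks skipped)."""
    src = ipaddress.ip_address(src_ip)
    in_if, out_if = interfaces[ingress], interfaces[egress]
    if not antispoof:
        return "accept"
    # The rule the thread hit: external-to-external forwarding is dropped.
    if in_if["type"] == "external" and out_if["type"] == "external":
        return "drop: traffic between two external interfaces"
    # Internal ingress: the source must belong to the networks behind it.
    if in_if["type"] == "internal" and not behind(in_if, src):
        return "drop: anti-spoofing, %s is not behind %s" % (src, ingress)
    # External ingress: the source must not claim an internal address.
    if in_if["type"] == "external" and any(behind(i, src) for i in interfaces.values()):
        return "drop: anti-spoofing, internal address %s arrived on %s" % (src, ingress)
    return "accept"

# Flows from the thread: the PIX NTP query, the RSA/NTP server's reply, and the
# spoofed-from-DMZ packet dbardbar warned about (203.0.113.5 is a constructed source).
FLOWS = [
    ("ntp query", "int2_pix", "int3_dmz", "172.28.5.2"),
    ("ntp reply", "int3_dmz", "int2_pix", "172.24.5.7"),
    ("spoof from dmz", "int3_dmz", "int1_lan", "203.0.113.5"),
]

def compare():
    # Each flow's verdict under the posted and the corrected topology
    return {name: (classify(AS_POSTED, i, e, s), classify(CORRECTED, i, e, s))
            for name, i, e, s in FLOWS}
```

Calling compare() shows the NTP query and reply dropped only under the posted topology, while the spoofed packet from the DMZ is accepted there and dropped once the DMZ interface is internal; option 2 makes everything, spoofed packet included, pass.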
