• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 906

Checkpoint R55 - Passing traffic via 2 external interfaces

Hello

I have 2 firewalls. PIX - Perimeter and Checkpoint - Internal FW
I am trying to update the PIX clock using NTP. The NTP device is located in the Checkpoint DMZ through interface 3
The PIX tries to go through the Checkpoint External interface (Int2) to get to the DMZ on int3 but it gets the error that it is dropped for going through 2 external interfaces.  The 2 interfaces are both configured as external with antispoofing.  

I am wondering what other actions I need to do to successfully pass traffic through the Checkpoint external interface through to the DMZ interface which is also classed as external?

Cheers
 
Asked: clarkeyi
2 Solutions
 
naveedb Commented:
You will need to open udp port 123 to allow incoming traffic on Checkpoint for your NTP device.

If the PIX has internet connectivity, you may use any public ntp server.
0
 
clarkeyi (Author) Commented:
Hello

NTP is open on the firewall. So this is OK.  
I have read on the web that if traffic cannot pass between 2 external interfaces then it may be a licensing issue.  Does this sound right?
0
 
dbardbar Commented:
True, traffic is not allowed between two EXTERNAL interfaces.
But, you don't have 2 external interfaces, do you?

The DMZ interface should not be defined as an external interface in the Anti-Spoofing definitions. It should be defined "Internal" in the AS definitions.

The way you are working now is not very secure, effectively allowing someone to send spoofed packets from the DMZ as if they were coming from some external internet IP.

0
 
clarkeyi (Author) Commented:
Thanks for the advice.  The consultant who set this up never defined why it was classed as External.
In the DMZ is where we terminate remote access (There is a VPN concentrator here)
Does this still mean I should amend the config of the interface as internal? If so I will test that scenario.

Cheers for the advice
0
 
dbardbar Commented:
I would guess that your VPN con. is accepting encrypted traffic, and then sends it over with either its own IP, or a range of predefined IPs.

If it is its own IP, then you should definitely do what I suggested.
If it is a range of IPs, then if the range belongs to the subnet of the DMZ, there shouldn't be a problem with what I suggested.

Otherwise, you'll need to make a slightly different configuration, to allow those IPs. It might be that this is indeed the case and that is the reason your consultant configured it this way - because it is simpler, and because it kind of works. But, that's not the proper way to config it.

Please send over more topology information if you need further assistance.
0
 
clarkeyi (Author) Commented:
No problem

The CP Firewall config is defined as:
Internal
External (Leads to the PIX and out)
External (Leads to a DMZ)

The PIX has 3 DMZs off it. One of these includes a VPN concentrator which has a switch between this and an RSA ACE server which is classed as the DMZ off the Checkpoint firewall.
Once remote users are terminated at the VPN, they authenticate their RSA token and get a defined DHCP address for access through the CP DMZ interface and onto the LAN.

                                                  PIX
                                                                       VPN Concentrator
                                                                                 
                                                                              switch

                                                                         RSA ACE server


                                             Checkpoint

Hope this adds a bit more info

Cheers
0
 
dbardbar Commented:
Sorry, but it is not completely clear to me what is the exact topology.

Could you perhaps draw a diagram? With IPs and subnets?
0
 
clarkeyi (Author) Commented:
Hello

Hope this may help now

Thanks

                                   PIX
            
            (172.28.5.2/29)      

                 ¦
                 ¦
                        DMZ3            (172.28.5.3/29)
            switch-------------------------------------VPN Concentrator
                 ¦
                     ¦                              ¦
                 ¦                              SWITCH
                 ¦                  DMZ4            ¦
                 ¦external
            (172.28.5.1/29)---------------RSA Server (172.24.5.7/25)
            CHECKPOINT       external            (NTP Server)
                 ¦
            LAN
0
 
clarkeyi (Author) Commented:
This one should be a bit clearer

                                     PIX
            
            (172.28.5.2/29)      

                 ¦
                 ¦
                                            DMZ3          (172.28.5.3/29)
            switch-------------------------------------           VPN Concentrator
                 ¦
                     ¦                              ¦
                 ¦                                 SWITCH
                 ¦                  DMZ4            ¦
                 ¦external
            (172.28.5.1/29)-------external--------             RSA Server (172.24.5.7/25)
            CHECKPOINT                                          (NTP Server)
                 ¦
            LAN
0
 
dbardbar Commented:
Why is there a switch between the RSA server on 172.24.5.7/25 and the VPN on 172.28.5.3/29?
Are they talking to each other directly? That is, passing traffic between each other not passing the CP firewall?

Do you have Skype? If so, can you please contact me there, username dbardbar? It will work a lot quicker.
0
 
clarkeyi (Author) Commented:
The VPN Conc. and the RSA do talk to each other for remote user access. Once authenticated on the RSA server users can then access the internal LAN.
No skype - this is just used for remote access
0
 
clarkeyi (Author) Commented:
Sorry, just read your skype comment!!
No sorry I do not have a skype account setup!
0
 
dbardbar Commented:
Could you perhaps install it?
I am still not clear on a few things, and I feel it would be much quicker that way.
0
 
clarkeyi (Author) Commented:
Hello

I finish at 4 today, so I will install it this evening ready for tomorrow

Thanks for your help

Regards

Ian
0
 
dbardbar Commented:
OK, great.
My timezone is GMT+3
0
 
imreble1 Commented:
Well dbardbar explained what was happening here Clark. Anti-spoofing: you have multiple external interfaces. Two options that won't affect production traffic.

1. Make the DMZ interface Internal
2. Turn anti-spoofing off

RDC
Fishnetsecurity.com
0
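The rule dbardbar describes (traffic is refused between two interfaces both classed as External, and an External-classed DMZ lets a DMZ host emit packets with any Internet-looking source) and imreble1's two options can be checked against a small model. The following Python is an added example written for this thread; it is not Check Point's code and only reproduces the behaviour the answers describe. The link 172.28.5.0/29 (PIX 172.28.5.2, Check Point 172.28.5.1) and the DMZ 172.24.5.0/25 (RSA/NTP server 172.24.5.7) are taken from the diagrams above; the interface names eth1/eth2/eth3, the LAN subnet 10.0.0.0/24 and the spoofed source 203.0.113.9 are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed model of the anti-spoofing behaviour discussed in the thread; not
# Check Point's implementation. Interface names, the LAN subnet and the spoofed
# source are placeholders; the /29 link and the /25 DMZ come from the posted topology.
LAN = "10.0.0.0/24"          # placeholder: the thread never states the LAN subnet
PIX_LINK = "172.28.5.0/29"   # PIX 172.28.5.2 <-> Check Point 172.28.5.1
DMZ = "172.24.5.0/25"        # RSA ACE / NTP server 172.24.5.7


@dataclass(frozen=True)
class Interface:
    name: str
    topology: str              # "internal" or "external"
    networks: Tuple[str, ...]  # subnets reached through this interface; for an
                               # internal interface this is also its anti-spoofing set


@dataclass
class Gateway:
    interfaces: List[Interface]
    antispoofing: bool = True
    default_iface: str = "eth2"   # Internet-facing side; unmatched destinations go here

    def _by_name(self) -> Dict[str, Interface]:
        return {i.name: i for i in self.interfaces}

    def _internal_nets(self):
        return [ip_network(n) for i in self.interfaces
                if i.topology == "internal" for n in i.networks]

    def _egress(self, dst) -> Interface:
        """Longest-prefix match over all interfaces, else the default route."""
        best = None
        for iface in self.interfaces:
            for net in map(ip_network, iface.networks):
                if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (iface, net)
        return best[0] if best else self._by_name()[self.default_iface]

    def evaluate(self, ingress_name: str, src: str, dst: str) -> str:
        """Decide what happens to a packet arriving on ingress_name from src to dst."""
        ingress = self._by_name()[ingress_name]
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        egress = self._egress(dst_ip)
        if self.antispoofing:
            if ingress.topology == "internal":
                # An internal interface only accepts sources from the subnets behind it.
                if not any(src_ip in ip_network(n) for n in ingress.networks):
                    return f"DROP spoofed: {src} is not behind internal {ingress.name}"
            else:
                # An external interface accepts any source that is not an internal one...
                if any(src_ip in n for n in self._internal_nets()):
                    return f"DROP spoofed: internal address {src} arrived on external {ingress.name}"
                # ...and, as the thread states, will not forward to another external interface.
                if egress.topology == "external" and egress.name != ingress.name:
                    return f"DROP: traffic between two external interfaces ({ingress.name} -> {egress.name})"
        return f"ACCEPT {ingress.name} -> {egress.name}"


def as_built() -> Gateway:
    """The consultant's configuration: the DMZ interface classed as External."""
    return Gateway([
        Interface("eth1", "internal", (LAN,)),
        Interface("eth2", "external", (PIX_LINK,)),
        Interface("eth3", "external", (DMZ,)),
    ])


def dmz_internal() -> Gateway:
    """Option 1: the DMZ interface becomes Internal with its subnet defined."""
    return Gateway([
        Interface("eth1", "internal", (LAN,)),
        Interface("eth2", "external", (PIX_LINK,)),
        Interface("eth3", "internal", (DMZ,)),
    ])


def antispoofing_off() -> Gateway:
    """Option 2: keep the topology as built, switch anti-spoofing off."""
    gw = as_built()
    gw.antispoofing = False
    return gw


# Two constructed packets: the PIX's NTP query, and a DMZ host forging an Internet source.
NTP_FROM_PIX = ("eth2", "172.28.5.2", "172.24.5.7")
SPOOF_FROM_DMZ = ("eth3", "203.0.113.9", "10.0.0.5")

if __name__ == "__main__":
    for label, gw in (("as built", as_built()), ("DMZ internal", dmz_internal()),
                      ("anti-spoofing off", antispoofing_off())):
        for pkt in (NTP_FROM_PIX, SPOOF_FROM_DMZ):
            print(f"{label:18} {pkt[1]:>12} -> {pkt[2]:<12} {gw.evaluate(*pkt)}")
```

Run as a script it prints the six decisions. The as-built configuration drops the NTP query exactly as the question reports, yet accepts the forged packet from the DMZ, which is the exposure dbardbar points out; option 1 fixes both (the query is accepted, the forged packet is dropped because its source is not inside 172.24.5.0/25); option 2 also lets the query through, but only by accepting the forged packet as well. The NTP server's reply follows the same logic in reverse, so as built it is dropped on the way back too.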
Question has a verified solution.