Checkpoint R55 - Passing traffic via 2 external interfaces

Posted on 2006-07-15
Last Modified: 2013-11-16
Hello

I have 2 firewalls: PIX - Perimeter and Checkpoint - Internal FW.
I am trying to update the PIX clock using NTP. The NTP device is located in the Checkpoint DMZ through interface 3.
The PIX tries to go through the Checkpoint External interface (Int2) to get to the DMZ on Int3, but it gets the error that it is dropped for going through 2 external interfaces. The 2 interfaces are both configured as external with anti-spoofing.

I am wondering what other actions I need to do to successfully pass traffic through the Checkpoint external interface through to the DMZ interface which is also classed as external?

Cheers
 
Question by:clarkeyi
16 Comments
 

Expert Comment

by:naveedb
ID: 17116560
You will need to open UDP port 123 to allow incoming traffic on Checkpoint for your NTP device.

If the PIX has internet connectivity, you may use any public ntp server.
 

Author Comment

by:clarkeyi
ID: 17116840
Hello

NTP is open on the firewall. So this is OK.  
I have read on the web that if traffic cannot pass between 2 external interfaces then it may be a licensing issue.  Does this sound right?
 

Accepted Solution

by:
dbardbar earned 500 total points
ID: 17117243
True, traffic is not allowed between two EXTERNAL interfaces.
But, you don't have 2 external interfaces, do you?

The DMZ interface should not be defined as an external interface in the Anti-Spoofing definitions. It should be defined "Internal" in the AS definitions.

The way you are working now is not very secure, effectively allowing someone to send spoofed packets from the DMZ as if they are coming from some external internet IP.


Author Comment

by:clarkeyi
ID: 17118148
Thanks for the advice. The consultant who set this up never defined why it was classed as External.
The DMZ is where we terminate remote access (there is a VPN concentrator here).
Does this still mean I should amend the config of the interface as internal? If so, I will test that scenario.

Cheers for the advice
 

Expert Comment

by:dbardbar
ID: 17118167
I would guess that your VPN concentrator is accepting encrypted traffic, and then sends it over with either its own IP, or a range of predefined IPs.

If it is its own IP, then you should definitely do what I suggested.
If it is a range of IPs, then if the range belongs to the subnet of the DMZ, there shouldn't be a problem with what I suggested.

Otherwise, you'll need to make a slightly different configuration, to allow those IPs. It might be that this is indeed the case and that is the reason your consultant configured it this way - because it is simpler, and because it kind of works. But that's not the proper way to config it.

Please send over more topology information if you need further assistance.
 

Author Comment

by:clarkeyi
ID: 17120306
No problem

The CP Firewall config is defined as:
Internal
External (Leads to the PIX and out)
External (Leads to a DMZ)

The PIX has 3 DMZs off it. One of these includes a VPN concentrator, which has a switch between it and an RSA ACE server that is classed as the DMZ off the Checkpoint firewall.
Once remote users are terminated at the VPN, they authenticate with their RSA token and get a defined DHCP address for access through the CP DMZ interface and onto the LAN.

                                                  PIX
                                                                       VPN Concentrator
                                                                                 
                                                                              switch

                                                                         RSA ACE server


                                             Checkpoint

Hope this adds a bit more info

Cheers
 

Expert Comment

by:dbardbar
ID: 17120318
Sorry, but it is not completely clear to me what the exact topology is.

Could you perhaps draw a diagram? With IPs and subnets?
 

Author Comment

by:clarkeyi
ID: 17130067
Hello

Hope this may help now

Thanks

                                   PIX
            
            (172.28.5.2/29)      

                 ¦
                 ¦
                        DMZ3            (172.28.5.3/29)
            switch-------------------------------------VPN Concentrator
                 ¦
                     ¦                              ¦
                 ¦                              SWITCH
                 ¦                  DMZ4            ¦
                 ¦external
            (172.28.5.1/29)---------------RSA Server (172.24.5.7/25)
            CHECKPOINT       external            (NTP Server)
                 ¦
            LAN
 

Author Comment

by:clarkeyi
ID: 17130093
This one should be a bit clearer

                                     PIX
            
            (172.28.5.2/29)      

                 ¦
                 ¦
                                            DMZ3          (172.28.5.3/29)
            switch-------------------------------------           VPN Concentrator
                 ¦
                     ¦                              ¦
                 ¦                                 SWITCH
                 ¦                  DMZ4            ¦
                 ¦external
            (172.28.5.1/29)-------external--------             RSA Server (172.24.5.7/25)
            CHECKPOINT                                          (NTP Server)
                 ¦
            LAN
 

Expert Comment

by:dbardbar
ID: 17130128
Why is there a switch between the RSA server on 172.24.5.7/25 and the VPN on 172.28.5.3/29?
Are they talking to each other directly? That is, passing traffic between each other not passing the CP firewall?

Do you have Skype? If so, can you please contact me there, username dbardbar? It will work a lot quicker.
 

Author Comment

by:clarkeyi
ID: 17130717
The VPN Conc. and the RSA do talk to each other for remote user access. Once authenticated on the RSA server users can then access the internal LAN.
No Skype - this is just used for remote access.
 

Author Comment

by:clarkeyi
ID: 17130722
Sorry, just read your skype comment!!
No, sorry, I do not have a Skype account set up!
 

Expert Comment

by:dbardbar
ID: 17130733
Could you perhaps install it?
I am still not clear on a few things, and I feel it would be much quicker that way.
 

Author Comment

by:clarkeyi
ID: 17130784
Hello

I finish at 4 today, so I will install it this evening ready for tomorrow

Thanks for your help

Regards

Ian
 

Expert Comment

by:dbardbar
ID: 17130801
OK, great.
My timezone is GMT+3
 

Assisted Solution

by:imreble1
imreble1 earned 500 total points
ID: 17268620
Well, dbardbar explained what was happening here, Clark. Anti-spoofing: you have multiple external interfaces. Two options that won't affect production traffic:

1. Make the DMZ interface Internal
2. Turn anti-spoofing off

RDC
Fishnetsecurity.com
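As an added illustration (not code from this thread or from Check Point), here is a small Python model of the anti-spoofing behaviour behind dbardbar's accepted answer and imreble1's two options: the DMZ interface defined as external (the setup in the question), the DMZ redefined as internal with its subnet, and anti-spoofing switched off. The PIX address 172.28.5.2 and the NTP/RSA server 172.24.5.7/25 come from the diagram above; the LAN subnet 10.0.0.0/24 and the internet source 203.0.113.5 are constructed placeholders.

```python
# Constructed model of Check Point-style anti-spoofing topology checks.
# Not Check Point code; LAN subnet and the spoofed source are placeholders.
from ipaddress import ip_address, ip_network

class Firewall:
    def __init__(self, topology, routes, antispoofing=True):
        # topology: {iface: (kind, [nets])}, kind "internal" or "external"
        self.topo = {i: (kind, [ip_network(n) for n in nets])
                     for i, (kind, nets) in topology.items()}
        # routes: {net: iface}; longest prefix picks the egress interface
        self.routes = sorted(((ip_network(n), i) for n, i in routes.items()),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.antispoofing = antispoofing

    def _internal_nets(self):
        return [n for kind, nets in self.topo.values() if kind == "internal" for n in nets]

    def _spoofed(self, iface, src):
        kind, nets = self.topo[iface]
        if kind == "internal":  # source must lie in a net behind this interface
            return not any(src in n for n in nets)
        return any(src in n for n in self._internal_nets())  # external: no internal sources

    def forward(self, ingress, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        egress = next(i for net, i in self.routes if dst in net)
        if self.antispoofing:
            if self._spoofed(ingress, src):
                return "drop: anti-spoofing"
            if ingress != egress and self.topo[ingress][0] == self.topo[egress][0] == "external":
                return "drop: two external interfaces"
        return "pass via " + egress

ROUTES = {"10.0.0.0/24": "lan", "172.24.5.0/25": "dmz", "0.0.0.0/0": "ext"}
LAN = ("internal", ["10.0.0.0/24"])  # LAN subnet is a placeholder; not on the page

def as_found():       # the question's setup: DMZ interface defined as external
    return Firewall({"lan": LAN, "ext": ("external", []), "dmz": ("external", [])}, ROUTES)

def dmz_internal():   # accepted solution: DMZ defined internal with its subnet
    return Firewall({"lan": LAN, "ext": ("external", []), "dmz": ("internal", ["172.24.5.0/25"])}, ROUTES)

def antispoof_off():  # imreble1's second option: anti-spoofing switched off
    return Firewall({"lan": LAN, "ext": ("external", []), "dmz": ("external", [])}, ROUTES, antispoofing=False)

if __name__ == "__main__":
    for name, fw in [("as found", as_found()), ("dmz internal", dmz_internal()), ("antispoof off", antispoof_off())]:
        print(name, "| PIX->NTP:", fw.forward("ext", "172.28.5.2", "172.24.5.7"),
              "| DMZ packet with internet source:", fw.forward("dmz", "203.0.113.5", "10.0.0.1"))
```

Running it shows why only the first option keeps the protection dbardbar describes: with the DMZ external, the PIX-to-NTP packet is dropped between two external interfaces while a packet from the DMZ claiming an internet source reaches the LAN; with the DMZ internal, NTP passes and the spoofed packet is dropped; with anti-spoofing off, both pass.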
