Solved

Checkpoint R55 - Passing traffic via 2 external interfaces

Posted on 2006-07-15
Last Modified: 2013-11-16
Hello

I have 2 firewalls: PIX - Perimeter and Checkpoint - Internal FW.
I am trying to update the PIX clock using NTP. The NTP device is located in the Checkpoint DMZ through interface 3.
The PIX tries to go through the Checkpoint external interface (Int2) to get to the DMZ on Int3, but it gets the error that it is dropped for going through 2 external interfaces. The 2 interfaces are both configured as external with anti-spoofing.

I am wondering what other actions I need to do to successfully pass traffic through the Checkpoint external interface through to the DMZ interface which is also classed as external?

Cheers
 
Question by:clarkeyi
19 Comments
 
LVL 10

Expert Comment

by:naveedb
ID: 17116560
You will need to open UDP port 123 to allow incoming traffic on the Checkpoint for your NTP device.

If the PIX has internet connectivity, you may use any public ntp server.
 

Author Comment

by:clarkeyi
ID: 17116840
Hello

NTP is open on the firewall, so this is OK.
I have read on the web that if traffic cannot pass between 2 external interfaces then it may be a licensing issue. Does this sound right?
 
LVL 5

Accepted Solution

by: dbardbar (earned 125 total points)
ID: 17117243
True, traffic is not allowed between two EXTERNAL interfaces.
But, you don't have 2 external interfaces, do you?

The DMZ interface should not be defined as an external interface in the Anti-Spoofing definitions. It should be defined "Internal" in the AS definitions.

The way you are working now is not very secure, effectively allowing someone to send spoofed packets from the DMZ as if they were coming from some external internet IP.

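The anti-spoofing point made in this answer, as an added Python model (not code from the thread and not Check Point's own implementation): each interface's topology defines which source addresses may legitimately arrive on it. An Internal interface accepts only sources inside its own subnet(s); an External interface accepts any source that no Internal interface claims. With the DMZ leg marked External, a packet entering from the DMZ with an outside source address is accepted; with it marked Internal and given its real subnet, the same packet is dropped, and a packet from outside claiming to be the RSA/NTP server is dropped too. Interface names eth0/eth1/eth2, the LAN subnet 192.168.1.0/24 and the outside address 203.0.113.10 are assumptions; 172.24.5.0/25 and 172.28.5.0/29 come from the poster's later diagram. The model covers only the source-address check, not the separate restriction on traffic between two External interfaces discussed in the thread.

```python
"""Toy model of Check Point-style anti-spoofing for the topology in this thread.

Added example; not the thread's own configuration and not Check Point code.
Assumptions: interface names eth0/eth1/eth2, LAN subnet 192.168.1.0/24,
and 203.0.113.10 as an arbitrary outside address (TEST-NET-3).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Iface:
    name: str
    topology: str        # "internal" or "external"
    networks: tuple = () # CIDRs behind an internal interface (unused for external)


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def antispoof_allows(ifaces, ingress_name, src):
    """Return True if anti-spoofing accepts a packet with source `src`
    arriving on interface `ingress_name`.

    Internal interface: the source must lie in that interface's own networks.
    External interface: the source must NOT lie in any internal interface's
    networks (everything else is assumed to live "outside").
    """
    src = ipaddress.ip_address(src)
    ingress = next(i for i in ifaces if i.name == ingress_name)
    if ingress.topology == "internal":
        return any(src in n for n in _nets(ingress.networks))
    claimed_internally = [n for i in ifaces if i.topology == "internal"
                          for n in _nets(i.networks)]
    return not any(src in n for n in claimed_internally)


# Topology as the poster described it: the DMZ leg (eth2) marked External.
AS_POSTED = (
    Iface("eth0", "internal", ("192.168.1.0/24",)),  # LAN (subnet assumed)
    Iface("eth1", "external"),                        # towards the PIX, 172.28.5.0/29
    Iface("eth2", "external"),                        # DMZ, 172.24.5.0/25
)

# Topology as the accepted answer recommends: the DMZ leg marked Internal.
CORRECTED = (
    Iface("eth0", "internal", ("192.168.1.0/24",)),
    Iface("eth1", "external"),
    Iface("eth2", "internal", ("172.24.5.0/25",)),
)


def spoof_from_dmz_accepted(ifaces):
    """Packet entering the DMZ leg claiming an outside source address."""
    return antispoof_allows(ifaces, "eth2", "203.0.113.10")


def spoof_of_dmz_host_from_outside_accepted(ifaces):
    """Packet entering the PIX-facing leg claiming to be the RSA/NTP server."""
    return antispoof_allows(ifaces, "eth1", "172.24.5.7")


def legitimate_flows_accepted(ifaces):
    """The PIX's NTP query arriving on eth1, and the NTP reply arriving on eth2."""
    return (antispoof_allows(ifaces, "eth1", "172.28.5.2")
            and antispoof_allows(ifaces, "eth2", "172.24.5.7"))


if __name__ == "__main__":
    for label, topo in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{label}: spoof from DMZ accepted={spoof_from_dmz_accepted(topo)}, "
              f"spoof of DMZ host accepted={spoof_of_dmz_host_from_outside_accepted(topo)}, "
              f"legitimate NTP flows accepted={legitimate_flows_accepted(topo)}")
```

Running it shows that the corrected topology rejects both spoofing cases while the PIX's NTP query and the server's reply are still accepted on their own legs, which is the whole reason to define the DMZ interface as Internal rather than to disable anti-spoofing.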
 

Author Comment

by:clarkeyi
ID: 17118148
Thanks for the advice. The consultant who set this up never defined why it was classed as external.
The DMZ is where we terminate remote access (there is a VPN concentrator here).
Does this still mean I should amend the config of the interface as internal? If so, I will test that scenario.

Cheers for the advice
 
LVL 5

Expert Comment

by:dbardbar
ID: 17118167
I would guess that your VPN concentrator is accepting encrypted traffic, and then sends it over with either its own IP or a range of predefined IPs.

If it is its own IP, then you should definitely do what I suggested.
If it is a range of IPs, then if the range belongs to the subnet of the DMZ, there shouldn't be a problem with what I suggested.

Otherwise, you'll need to make a slightly different configuration to allow those IPs. It might be that this is indeed the case and that is the reason your consultant configured it this way - because it is simpler, and because it kind of works. But that's not the proper way to configure it.

Please send over more topology information if you need further assistance.
 

Author Comment

by:clarkeyi
ID: 17120306
No problem

The CP firewall config is defined as:
Internal
External (Leads to the PIX and out)
External (Leads to a DMZ)

The PIX has 3 DMZs off it. One of these includes a VPN concentrator, which has a switch between it and an RSA ACE server, which is classed as the DMZ off the Checkpoint firewall.
Once remote users are terminated at the VPN, they authenticate with their RSA token and get a defined DHCP address for access through the CP DMZ interface and onto the LAN.

                                                  PIX
                                                                       VPN Concentrator
                                                                                 
                                                                              switch

                                                                         RSA ACE server


                                             Checkpoint

Hope this adds a bit more info

Cheers
 
LVL 5

Expert Comment

by:dbardbar
ID: 17120318
Sorry, but it is not completely clear to me what the exact topology is.

Could you perhaps draw a diagram? With IPs and subnets?
 

Author Comment

by:clarkeyi
ID: 17130067
Hello

Hope this may help now

Thanks

                                   PIX
            
            (172.28.5.2/29)      

                 ¦
                 ¦
                        DMZ3            (172.28.5.3/29)
            switch-------------------------------------VPN Concentrator
                 ¦
                     ¦                              ¦
                 ¦                              SWITCH
                 ¦                  DMZ4            ¦
                 ¦external
            (172.28.5.1/29)---------------RSA Server (172.24.5.7/25)
            CHECKPOINT       external            (NTP Server)
                 ¦
            LAN
 

Author Comment

by:clarkeyi
ID: 17130093
This one should be a bit clearer

                                     PIX
            
            (172.28.5.2/29)      

                 ¦
                 ¦
                                            DMZ3          (172.28.5.3/29)
            switch-------------------------------------           VPN Concentrator
                 ¦
                     ¦                              ¦
                 ¦                                 SWITCH
                 ¦                  DMZ4            ¦
                 ¦external
            (172.28.5.1/29)-------external--------             RSA Server (172.24.5.7/25)
            CHECKPOINT                                          (NTP Server)
                 ¦
            LAN
 
LVL 5

Expert Comment

by:dbardbar
ID: 17130128
Why is there a switch between the RSA server on 172.24.5.7/25 and the VPN on 172.28.5.3/29?
Are they talking to each other directly? That is, passing traffic between each other not passing the CP firewall?

Do you have Skype? If so, can you please contact me there, username dbardbar? It will work a lot quicker.
 

Author Comment

by:clarkeyi
ID: 17130717
The VPN concentrator and the RSA server do talk to each other for remote user access. Once authenticated on the RSA server, users can then access the internal LAN.
No Skype - this is just used for remote access.
 

Author Comment

by:clarkeyi
ID: 17130722
Sorry, just read your Skype comment!
No, sorry, I do not have a Skype account set up!
 
LVL 5

Expert Comment

by:dbardbar
ID: 17130733
Could you perhaps install it?
I am still not clear on a few things, and I feel it would be much quicker that way.
 

Author Comment

by:clarkeyi
ID: 17130784
Hello

I finish at 4 today, so I will install it this evening ready for tomorrow

Thanks for your help

Regards

Ian
 
LVL 5

Expert Comment

by:dbardbar
ID: 17130801
OK, great.
My timezone is GMT+3
 
LVL 4

Assisted Solution

by: imreble1 (earned 125 total points)
ID: 17268620
Well, dbardbar explained what was happening here, Clark. Anti-spoofing: you have multiple external interfaces. Two options that won't affect production traffic:

1. Make the DMZ interface Internal
2. Turn anti-spoofing off

RDC
Fishnetsecurity.com
