
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1039

Using a VPN on the Trusted from the DMZ

Hi all,
I know this may be a dummy's question, but I would like to see if it is possible to find a workaround before involving the external provider...

I have a Watchguard running Fireware 10 on my network, and a VPN between the Trusted (10.10.10.0) and the external provider (213.X.X.X). Inside the network we use the VPN to connect a specific software to a SQL 2005 database engine.

I would like to use the same remote database accessing from another DMZ (172.10.10.0).
On the firewall I've created a new rule to address the requests started from 172.10.10.10 to the external provider's IP (213.X.X.X).

It seems (and for sure it is correct) that the traffic is directed through the internet, and not using the VPN.

Is there any way to tell the Firebox to use the VPN?

Thanks a lot for your advice!

A.
0
Asked by candrea71

1 Solution
 
woolnoirCommented:
I'm not sure the route for the DB connection should terminate at the provider's external IP? Check the VPN tunnel connection and see if you have a route for any traffic destined for the external provider's network, check what the GW for that route is, and make sure you have the same set on the FW box for any traffic coming from the DMZ network.

Your routing is correctly identifying the 213 address as public, and I don't think you should change that, as it could affect the site<->VPN.

We would need a bit more detail about the structure of the network around the DMZ to know how to make the configuration changes.
0
 
dpk_walCommented:
Please provide some details on the VPN implemented by the service provider; does the VPN start after the packets are NATted by the Firebox? If yes, then any machine accessing the internet [on trusted or optional] would be able to get on the VPN.
If the service provider has put some device on the trusted network which is used for the VPN, then for the VPN both ends should know that the packet needs to be encrypted and decrypted. In this case the optional network needs to be configured on both ends.

Thank you.
0
 
candrea71Author Commented:
Hi woolnoir,
you're right... the VPN tunnel connection routes to a different IP of the provider that stays on the same subnet as the IP of the database.
In the second paragraph you ask me to check the gateway for the route, and put it on the Firebox as default gateway... correct?
I really don't know where to put this information on the Firebox, at least not in Policy Manager -> Network -> Configuration...
Also I tested pinging the VPN gateway and the external database IP from the DMZ, with no reply (it surely works when done from the trusted).
What type of information can be useful to achieve the goal of letting traffic bypass the trusted and reach the VPN?

Hi dpk_wal,
asking the provider to adapt the VPN settings to allow traffic from another network is exactly what I prefer not to do... I mean the best for me would be to find a good workaround to allow the traffic generated by the optional to reach the external provider, passing through the trusted.
If it is possible in security also I mean :)))

THANKS A LOT FOR YOUR SUGGESTIONS
It seems to me the VPN starts when there is traffic.
0
 
dpk_walCommented:
From the DMZ you should be able to ping the VPN gateway and the external database and also connect to the internet; please ensure that dynamic NAT is configured.

By default, the Firebox allows dynamic NAT from all private IPs:
    * 192.168.0.0/16 – Any-External
    * 172.16.0.0/12 – Any-External
    * 10.0.0.0/8 – Any-External
If the optional network is not on any of the subnets above, then proceed as below:
In Policy Manager go to Network -> NAT; Dynamic NAT tab; Add; from Optional; to External; click OK and save to the Firebox.

With dynamic NAT, there should be no need to configure anything at ISP end.

Thank you.
0
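As an added illustration (not code from the thread, and not WatchGuard's own logic), the following Python script models the two checks this comment hinges on: whether an outbound packet matches the branch-office tunnel's selectors, and, if not, whether its source falls inside one of the default dynamic NAT ranges listed above. The tunnel selector (10.10.10.0/24 as the local side, 203.0.113.0/24 standing in for the provider's 213.X.X.X network) and the sample source addresses are constructed assumptions; only the three default NAT ranges come from the comment.

```python
from ipaddress import ip_address, ip_network

# Default dynamic NAT sources quoted in the comment above (private ranges -> Any-External).
DEFAULT_DYNAMIC_NAT_SOURCES = [
    ip_network("192.168.0.0/16"),
    ip_network("172.16.0.0/12"),
    ip_network("10.0.0.0/8"),
]

# Constructed tunnel selector: the thread only says the tunnel runs between the trusted
# 10.10.10.0 network and the provider's 213.X.X.X. The /24 mask and the 203.0.113.0/24
# placeholder for the provider side are assumptions made for this example.
TUNNEL_SELECTORS = [
    (ip_network("10.10.10.0/24"), ip_network("203.0.113.0/24")),
]


def matching_default_nat(src):
    """Return the default dynamic NAT source range that covers src, or None."""
    addr = ip_address(src)
    for net in DEFAULT_DYNAMIC_NAT_SOURCES:
        if addr in net:
            return net
    return None


def classify(src, dst, selectors=TUNNEL_SELECTORS, nat_sources=DEFAULT_DYNAMIC_NAT_SOURCES):
    """Simplified model of how a policy-based VPN firewall treats an outbound packet.

    1. If source and destination match a tunnel selector pair, the packet is
       encrypted and sent through the tunnel.
    2. Otherwise, if the source is covered by a dynamic NAT rule, it leaves on the
       external interface with the firewall's public address as its source.
    3. Otherwise it is routed out unchanged (workable for a public DMZ address,
       but a private source would never see a reply from the internet).
    """
    s, d = ip_address(src), ip_address(dst)
    for local, remote in selectors:
        if s in local and d in remote:
            return "vpn-tunnel"
    if any(s in net for net in nat_sources):
        return "internet-dynamic-nat"
    return "internet-no-nat"


def explain(src, dst):
    """Human-readable verdict for one packet, used by the demo below."""
    verdict = classify(src, dst)
    nat = matching_default_nat(src)
    nat_note = f"default NAT range {nat}" if nat else "no default NAT range"
    return f"{src} -> {dst}: {verdict} ({nat_note})"


if __name__ == "__main__":
    provider_db = "203.0.113.10"  # constructed stand-in for the database host at the provider
    for src in ("10.10.10.50",    # trusted host: matches the tunnel selector
                "172.10.10.10",   # the DMZ address from the question: NOT inside 172.16.0.0/12
                "172.20.1.1",     # an address that IS inside 172.16.0.0/12
                "83.103.1.1"):    # constructed public DMZ address of the kind mentioned later
        print(explain(src, provider_db))
```

Running it shows that 172.10.10.10 lies outside 172.16.0.0/12 (which only spans 172.16.0.0 to 172.31.255.255), so neither the default NAT rules nor the trusted-side tunnel selector apply to it; an explicit dynamic NAT entry for the optional network, as this comment suggests, is what gives such traffic a NAT rule to match.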
 
dpk_walCommented:
Also, forgot to update that I would be responding next only on Monday 13th Sep.

Thank you.
0
 
candrea71Author Commented:
Hi dpk_wal,
the DMZ has public addresses, something like 83.103.x.x.
This is the reason why I tested the second solution (Policy Manager -> Network -> NAT -> Dynamic NAT) but no luck...
Tell me if there is some information needed...
THANKS
0
 
dpk_walCommented:
Can you update what entries you have under Dynamic NAT; you should have something like:
optional->external OR optional->external all

Thank you.
0
 
candrea71Author Commented:
In the rule -> Advanced tab -> I have the flag on dynamic NAT and tested both 'Use Network NAT Settings' and 'All traffic in this policy' (tried also to masquerade the IP with a trusted one using the 'Set source IP' flag).
In the rule -> Policy -> To I also tested putting the provider's tunnel as destination..
No luck :(
0
 
dpk_walCommented:
Sorry, I should have been more elaborate with my steps.

Please go to Policy Manager->Setup->NAT->Dynamic NAT; here click Add and add entry as:
Any-Optional->Any-External or Any [try both one by one].

For the rule; leave the settings on:
Advanced->NAT tab; 1-to-1 NAT and dynamic NAT should be checked; and under dynamic NAT "Use Network NAT Settings".

Please implement and update.

Thank you.
0
 
candrea71Author Commented:
Perfect, thanks a lot!!!
0
 
candrea71Author Commented:
perfect!
0
