Solved

Using a VPN on the Trusted from the DMZ

Posted on 2010-09-07
11
1,024 Views
Last Modified: 2013-11-16
Hi all,
I know this can be a dummy's question, but I would like to see if it is possible to find a workaround before involving the external provider...

I have a Watchguard running Fireware 10 on my network, and a VPN between the Trusted (10.10.10.0) and the external provider (213.X.X.X). Inside the network we use the VPN to connect a specific software to a SQL 2005 database engine.

I would like to access the same remote database from another DMZ (172.10.10.0).
On the firewall I've created a new rule to address the requests started from 172.10.10.10 to the external provider's IP (213.X.X.X).

It seems (and for sure it is correct) that the traffic is directed through the internet, and not using the VPN.

Is there any way to tell the firebox to use the VPN?

Thanks a lot for your advice!

A.
Question by:candrea71
11 Comments
LVL 20

Expert Comment

by:woolnoir
I'm not sure the route for the DB connection should terminate at the provider's external IP? Check the VPN tunnel connection and see if you have a route for any traffic destined for the external provider's network, check what the GW for that route is, and make sure you have the same set on the FW box for any traffic coming from the DMZ network.

Your routing is correctly identifying the 213 address as public, and I don't think you should change that, as it could affect the site<->VPN.

We would need a bit more detail about the structure of the network around the DMZ to know how to make the configuration changes.
LVL 32

Expert Comment

by:dpk_wal
Please provide some details on the VPN implemented by the service provider: does the VPN start after the packets are NATted by the firebox? If yes, then any machine accessing the internet [on trusted or optional] would be able to get on the VPN.
If the service provider has put some device on the trusted network which is used for the VPN, then for the VPN both ends should know that the packet needs to be encrypted and decrypted. In this case the optional network needs to be configured on both ends.

Thank you.

Author Comment

by:candrea71
Hi woolnoir,
you're right... the VPN tunnel connection routes to a different IP of the provider that is on the same subnet as the IP of the database.
In the second paragraph you ask me to check the gateway for the route, and put it on the Firebox as default gateway... correct?
I really don't know where to put this information on the Firebox, at least not in Policy Manager -> Network -> Configuration...
Also I tested pinging the VPN gateway and the external database IP from the DMZ, with no reply (it surely works when done from the trusted).
What type of information can be useful to achieve the goal of letting traffic bypass the trusted and reach the VPN?

Hi dpk_wal,
asking the provider to adapt the VPN settings to allow traffic from another network is exactly what I prefer not to do... I mean the best for me would be to find a good workaround to allow the traffic generated by the optional to reach the external provider, passing through the trusted.
If it is possible securely also, I mean :)))

THANKS A LOT FOR YOUR SUGGESTIONS
It seems to me the VPN starts when there is traffic.
LVL 32

Expert Comment

by:dpk_wal
From the DMZ you should be able to ping the VPN gateway and the external database and also connect to the internet; please ensure that dynamic NAT is configured.

By default, the firebox allows dynamic NAT from all private IPs:
    * 192.168.0.0/16 – Any-External
    * 172.16.0.0/12 – Any-External
    * 10.0.0.0/8 – Any-External
If the optional network is not on any of the subnets above, then proceed as below:
In Policy Manager go to Network -> NAT; Dynamic NAT tab; Add; from Optional; to External; click OK and save to the firebox.

With dynamic NAT, there should be no need to configure anything at the ISP end.

Thank you.
LVL 32

Expert Comment

by:dpk_wal
Also, forgot to update that I would be responding next only on Monday 13th Sep.

Thank you.

Author Comment

by:candrea71
Hi dpk_wal,
the DMZ has public addresses, something like 83.103.x.x.
This is the reason why I tested the second solution (Policy Manager -> Network -> NAT -> Dynamic NAT), but no luck...
Tell me if there is some information needed...
THANKS
LVL 32

Expert Comment

by:dpk_wal
Can you update what entries you have under Dynamic NAT? You should have something like:
optional->external OR optional->external all

Thank you.

Author Comment

by:candrea71
In the rule -> Advanced tab -> I have the flag on dynamic NAT and tested both 'Use Network NAT settings' and 'All traffic on this policy' (I also tried to masquerade the IP with a trusted one using the 'Set source IP' flag).
On the rule -> Policy -> To I also tested putting the provider's tunnel as destination..
No luck :(
LVL 32

Accepted Solution

by:dpk_wal (earned 500 total points)
Sorry, I should have been more elaborate with my steps.

Please go to Policy Manager->Setup->NAT->Dynamic NAT; here click Add and add entry as:
Any-Optional->Any-External or Any [try both one by one].

For the rule; leave the settings on:
Advanced->NAT tab; 1-to-1 NAT and dynamic NAT should be checked; and under dynamic NAT "Use Network NAT Settings".

Please implement and update.

Thank you.

Author Comment

by:candrea71
Perfect, thanks a lot!!!

Author Closing Comment

by:candrea71
perfect!