Solved

Using a VPN on the Trusted from the DMZ

Posted on 2010-09-07
11
1,035 Views
Last Modified: 2013-11-16
Hi all,
I know this can be a dummy's question, but I would like to see if it is possible to find a workaround before invoking the external provider...

I have a Watchguard running Fireware 10 on my network, and a VPN between the Trusted (10.10.10.0) and the external provider (213.X.X.X). Inside the network we use the VPN to connect a specific software to a SQL 2005 database engine.

I would like to use the same remote database, accessing it from another DMZ (172.10.10.0).
On the firewall I've created a new rule to address the requests started from 172.10.10.10 to the external provider's IP (213.X.X.X).

It seems (and for sure it is correct) that the traffic is directed through the internet, and not using the VPN.

Is there any way to tell the Firebox to use the VPN?

Thanks a lot for your advice!

A.
0
11 Comments
 
LVL 20

Expert Comment

by:woolnoir
ID: 33617587
I'm not sure the route for the DB connection should terminate at the provider's external IP? Check the VPN tunnel connection and see if you have a route for any traffic destined for the external provider's network, check what the GW for that route is, and make sure you have the same set on the FW box for any traffic coming from the DMZ network.

Your routing is correctly identifying the 213 address as public, and I don't think you should change that, as it could affect the site<->VPN.

We would need a bit more detail about the structure of the network around the DMZ to know how to make the configuration changes.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33617682
Please provide some details on the VPN implemented by the service provider; does the VPN start after the packets are NATted by the Firebox? If yes, then any machine accessing the internet [on trusted or optional] would be able to get on the VPN.
If the service provider has put some device on the trusted network which is used for the VPN, then for the VPN both ends should know that the packet needs to be encrypted and decrypted. And in this case the optional network needs to be configured on both ends.

Thank you.
0
 

Author Comment

by:candrea71
ID: 33626477
Hi woolnoir,
you're right... the VPN tunnel connection routes to a different IP of the provider that stays on the same subnet as the IP of the database.
In the second paragraph you ask me to check the gateway for the route, and put it on the Firebox as default gateway... correct?
I really don't know where to put this information on the Firebox, at least not in the Policy Manager -> Network -> Configuration...
Also I tested pinging the VPN gateway and the external database IP from the DMZ, with no reply (it surely works when done from the trusted).
What type of information can be useful to achieve the goal of letting traffic bypass the trusted and reach the VPN?

Hi dpk_wal,
asking the provider to adapt the VPN settings to allow traffic from another network is exactly what I prefer not to do... I mean the best for me would be to find a good workaround to allow the traffic generated by the optional to reach the external provider, passing through the trusted.
If it is possible in a secure way also, I mean :)))

THANKS A LOT FOR YOUR SUGGESTIONS
it seems to me the VPN starts when there is traffic,
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33635107
From the DMZ you should be able to ping the VPN gateway and the external database and also connect to the internet; please ensure that dynamic NAT is configured.

By default, the Firebox allows dynamic NAT from all private IPs:
    * 192.168.0.0/16 – Any-External
    * 172.16.0.0/12 – Any-External
    * 10.0.0.0/8 – Any-External
If the optional network is not on any of the subnets above, then proceed as below:
In Policy Manager go to Network -> NAT; Dynamic NAT tab; Add; from Optional; to External; click OK, save to Firebox.

With dynamic NAT, there should be no need to configure anything at the ISP end.

Thank you.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33635111
Also, I forgot to mention that I would be responding next only on Monday 13th Sep.

Thank you.
0
 

Author Comment

by:candrea71
ID: 33636525
Hi dpk_wal,
the DMZ has public addresses, something like 83.103.x.x.
This is the reason why I tested the second solution (Policy Manager -> Network -> NAT -> Dynamic NAT) but no luck...
Tell me if there is some information needed...
THANKS
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33659102
Can you update what entries you have under Dynamic NAT; you should have something like:
optional->external OR optional->external all

Thank you.
0
 

Author Comment

by:candrea71
ID: 33660268
In the rule -> Advanced tab -> I have the flag on dynamic NAT and tested both 'Use Network NAT settings' and 'All traffic on this policy' (tried also to masquerade the IP with a trusted one using the 'set source IP' flag).
On the rule -> Policy -> To I also tested putting the Provider's tunnel as destination..
No luck :(
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 33660502
Sorry, I should have been more elaborate with my steps.

Please go to Policy Manager->Setup->NAT->Dynamic NAT; here click Add and add entry as:
Any-Optional->Any-External or Any [try both one by one].

For the rule; leave the settings on:
Advanced->NAT tab; 1-to-1 NAT and dynamic NAT should be checked; and under dynamic NAT "Use Network NAT Settings".

Please implement and update.

Thank you.
0
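To make the reasoning in this thread concrete: the trusted network (10.10.10.0/24) falls inside the default 10.0.0.0/8 dynamic NAT entry, so its packets leave with the Firebox's external address and the provider's tunnel accepts them; a public-addressed DMZ matches none of the default entries, so its packets to the provider leave with their original source, never enter the tunnel, and travel the public internet in clear. The model below is an added example written for this page, not WatchGuard code or any WatchGuard API. It follows the thread's working hypothesis that the provider's tunnel is matched after dynamic NAT has rewritten the source. The 10.10.10.0/24 network and the three default NAT entries come from the thread; the Firebox external address, the provider's database subnet (standing in for 213.X.X.X) and the exact DMZ /24 are constructed placeholders.

```python
"""Toy model: dynamic NAT followed by a policy-based (BOVPN-style) tunnel match.

Added illustration for the thread above; not WatchGuard code. Addresses other
than 10.10.10.0/24 and the default NAT entries are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

# Constructed placeholders (documentation ranges), labelled as such.
FIREBOX_EXTERNAL = IPv4Address("198.51.100.1")     # Firebox external interface
PROVIDER_DB_NET = IPv4Network("203.0.113.0/24")    # stands in for 213.X.X.X
TRUSTED_NET = IPv4Network("10.10.10.0/24")         # from the question
DMZ_NET = IPv4Network("83.103.10.0/24")            # public-addressed DMZ, constructed /24


@dataclass(frozen=True)
class DynamicNatRule:
    """'<source> -> Any-External': rewrite the source to the external address."""
    source: IPv4Network


@dataclass(frozen=True)
class TunnelRoute:
    """Policy-based tunnel selector: traffic from `local` to `remote` is encrypted."""
    local: IPv4Network
    remote: IPv4Network


# The default dynamic NAT entries as listed by dpk_wal in the thread.
DEFAULT_DYNAMIC_NAT: List[DynamicNatRule] = [
    DynamicNatRule(IPv4Network("192.168.0.0/16")),
    DynamicNatRule(IPv4Network("172.16.0.0/12")),
    DynamicNatRule(IPv4Network("10.0.0.0/8")),
]

# Thread hypothesis: the provider's tunnel carries traffic that arrives from
# the Firebox's external address and is destined for the provider's subnet.
PROVIDER_TUNNEL = TunnelRoute(
    local=IPv4Network(f"{FIREBOX_EXTERNAL}/32"),
    remote=PROVIDER_DB_NET,
)


def apply_dynamic_nat(src: IPv4Address, rules: List[DynamicNatRule]) -> IPv4Address:
    """Return the post-NAT source: the external address if any rule matches."""
    for rule in rules:
        if src in rule.source:
            return FIREBOX_EXTERNAL
    return src


def classify_path(src: IPv4Address, dst: IPv4Address,
                  rules: List[DynamicNatRule],
                  tunnel: TunnelRoute) -> Tuple[str, IPv4Address]:
    """Decide where a packet goes and with which source address.

    'vpn'                -> encrypted inside the provider tunnel
    'internet-cleartext' -> routed to the public address in clear
    """
    nat_src = apply_dynamic_nat(src, rules)
    if nat_src in tunnel.local and dst in tunnel.remote:
        return "vpn", nat_src
    return "internet-cleartext", nat_src


def with_optional_nat(rules: List[DynamicNatRule]) -> List[DynamicNatRule]:
    """The accepted fix: add 'Any-Optional -> Any-External' to the NAT table."""
    return rules + [DynamicNatRule(DMZ_NET)]


if __name__ == "__main__":
    db_host = IPv4Address("203.0.113.20")            # constructed DB address
    cases = [
        ("trusted host, defaults", IPv4Address("10.10.10.5"), DEFAULT_DYNAMIC_NAT),
        ("DMZ host, defaults", IPv4Address("83.103.10.10"), DEFAULT_DYNAMIC_NAT),
        ("DMZ host, Any-Optional NAT", IPv4Address("83.103.10.10"),
         with_optional_nat(DEFAULT_DYNAMIC_NAT)),
    ]
    for label, src, rules in cases:
        path, nat_src = classify_path(src, db_host, rules, PROVIDER_TUNNEL)
        print(f"{label:28s} {src} -> {db_host}: {path} (egress source {nat_src})")
```

Running the block prints one line per case: the trusted host reaches the tunnel, the DMZ host under the default table goes out in clear, and the DMZ host after the "Any-Optional -> Any-External" entry reaches the tunnel. The model also shows why the first address the question mentions, 172.10.10.0, would not have been covered either: 172.10.x.x lies outside 172.16.0.0/12, so it matches no default entry. On a real deployment the equivalent check is to confirm, from the provider side or from a capture on the external interface, that database connections from the DMZ arrive encapsulated in the tunnel rather than as plaintext SQL to the public address.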
 

Author Comment

by:candrea71
ID: 33735667
Perfect, thanks a lot!!!
0
 

Author Closing Comment

by:candrea71
ID: 33735685
perfect!
0