Solved

bypassing_firewall

Posted on 2010-11-26
Last Modified: 2012-06-27
I have been having a major connection problem to a server using VPN.
The company firewall is Checkpoint NGX and I use Checkpoint VPN-1 SecuRemote, but after I connect to the VPN gateway at the remote site, the connection to other servers at that remote site does not work.

I was thinking of bypassing the company firewall. I have heard that I can create an SSH tunnel directly from my PC to the VPN gateway that can bypass the company firewall.

Would this work? Would I just change the default gateway, which is where the firewall is, and use my own machine?

How do I do that?
Question by:sam15

18 Comments
LVL 68

Expert Comment

by:Qlemo
ID: 34221542
This is a configuration failure of the CP1 firewall. You should not try to circumvent that; instead, change the configuration.
If it is not a configuration failure, it is intentional, and you are not allowed to circumvent that restriction.

Author Comment

by:sam15
ID: 34222198
You mean on the firewall or on my client?
The network team has not been able to figure out anything. They created an exception for my IP address so it won't enforce anything, and even that did not work.

Can you elaborate more on how you change the configuration, and how you explain the IP exception not working?
LVL 68

Expert Comment

by:Qlemo
ID: 34222241
Configuration is completely done at the firewall, which then sends policies to your client allowing for access to protected resources. I cannot tell what they need to configure, but you can have a view into your client settings while connected. That should show if the client has a protected tunnel to the remote site for the necessary IPs you are trying to reach.
Is that an issue only applying to some or all remote machines? That is, are you only able to establish the VPN connection, and nothing more?

Author Comment

by:sam15
ID: 34222339
Yes, it only happens when accessing servers over VPN.
Connection to the VPN gateway works fine though.
I am the only one using VPN on that network, so I am the only one with issues.

Are you saying the VPN-1 Checkpoint SecuRemote client settings are set by the firewall at my company every time I connect, or are they set by the VPN server at the remote client location?

The way it works:
laptop -> local company firewall --> WAN --> client VPN gateway ---> database server.

Each has a different IP address.

When I connect from home everything works fine. From work I keep getting timeouts when I try to connect to the database server.
LVL 68

Expert Comment

by:Qlemo
ID: 34222353
I think it's getting more clear now. You are behind a CP-1, and try to connect to a DB server behind another VPN gateway?

Author Comment

by:sam15
ID: 34222495
Yes, my client has CP-1. My company has a gateway/firewall that I go through. The VPN server is at the client's remote site and the database server is at their location.
I can connect fine to that VPN server, but then after the tunnel is created the connection to the DB server or any other server there does not work over that tunnel. The firewall guys opened up UDP 259 and the connection worked for a few days. Then the same problem again. They created an exception on the firewall for my IP and it worked for 1 day, then the same problem. What do you think is going on?
LVL 68

Expert Comment

by:Qlemo
ID: 34222548
If both devices are CP-1s, your company firewall might get confused by the traffic, thinking it needs to act itself on the VPN.

The best option is to try to configure a site-2-site VPN between both CP-1s. That requires a different setup on both sides. The pro is that the CP-1 is managing all VPN traffic. The con is that your admins need to apply security rules, so no backward access is possible (the client could else have arbitrary access to your network).

If you are bound to use the client (because the client site does not allow for, or does not know how to configure, a site-2-site VPN), the best option is to use a free public IP (if available - this requires that your ISP has assigned a block of public IP addresses, not only a single address), and map that to your PC.

Author Comment

by:sam15
ID: 34222564
But if there is an exception for my IP in the firewall, would it still be confused? Shouldn't this be like there is no firewall?

Unfortunately we can't change anything on the client site. It is a very complicated request and won't be approved.

What do you mean by using a free public IP? How is that different from using the current assigned IP on the network? Where do I get it from? The ISP is the company ISP and I assume they gave them a range of IPs they can use.
LVL 68

Expert Comment

by:Qlemo
ID: 34222599
But if there is an exception for my IP in the firewall, would it still be confused? Shouldn't this be like there is no firewall?
No, it is not that easy. Outgoing traffic might be OK, but the returning traffic might be intercepted and thought to apply to the CP itself.

Regarding using another public IP: it is very different from using a private IP. Your private IP is mapped to the single public IP your CP-1 uses at the moment - any traffic arriving with that public IP might be another CP client trying to connect to your company, or your own traffic. A stateful firewall should know the difference, but no implementation is flawless, and hence it might get confused, not forwarding VPN traffic to you.
If you use another public IP, no confusion can arise. All traffic from or to that public IP belongs to your PC.

Author Comment

by:sam15
ID: 34223205
It seems a private IP is not even routable to the public Internet.

http://www.debianadmin.com/private-and-public-ip-addresses-explained.html


But how would you explain that today the connection works and tomorrow it stops, if no config changes have taken place on the firewall, as they say?

Shall I ask them to create an exception for the VPN gateway or database server for incoming traffic too?

How do I implement this public IP solution? I think you are saying that there would be no rerouting from public to private, which might be causing some issues.
LVL 57

Expert Comment

by:giltjr
ID: 34223222
Could this be a DNS issue?

If the database's host name is a private name within the name space of the remote company, then you may not be able to resolve the name.

Now, it may work intermittently because of the way MS implemented DNS resolution on Windows.

If you know the IP address of the DB server and the host name, you may want to add an entry to your computer's hosts file and see if that makes this more stable.
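To make the hosts-file suggestion above concrete, here is a small check that parses a hosts file, reports whether the DB host name is already pinned to the IP you are using, and prints the line to add if it is not. This is an added illustration for this thread, not code from the thread or from Check Point; the host name, IP and sample hosts content are constructed placeholders.

```python
"""Check whether a DB host name is pinned to a known IP in a hosts file, and produce
the line to add if it is not.  Added illustration for the DNS suggestion in this
thread, not code from it.  DB_HOST, DB_IP and SAMPLE_HOSTS are constructed values."""
import os
import sys


def hosts_path() -> str:
    """Location of the hosts file on the platform this runs on."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text: str) -> dict:
    """Map each host name (lower-cased) to the IP on the first line that lists it.
    Comments (#) and blank lines are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def check_pin(hosts_text: str, name: str, expected_ip: str):
    """Return ("ok", ip), ("missing", line_to_append) or ("conflict", other_ip).
    A conflict means the name is already pinned to a different address, so simply
    appending a new line would not help; the existing line has to be changed."""
    current = parse_hosts(hosts_text).get(name.lower())
    if current is None:
        return ("missing", f"{expected_ip}\t{name}")
    if current == expected_ip:
        return ("ok", current)
    return ("conflict", current)


# Constructed sample: what a hosts file might contain before the DB entry is added.
SAMPLE_HOSTS = """# localhost entries
127.0.0.1       localhost
::1             localhost
192.0.2.20      intranet.example.local intranet   # company intranet
"""
DB_HOST = "dbserver.client.example"   # constructed: the client's private DB host name
DB_IP = "198.51.100.42"               # constructed: the IP that tnsping already uses


if __name__ == "__main__":
    status, detail = check_pin(SAMPLE_HOSTS, DB_HOST, DB_IP)
    print(status, detail)
    if status == "missing":
        print(f"append this line to {hosts_path()} (needs admin rights):\n{detail}")
```

Run it with the real hosts file contents (read as administrator on Windows) in place of SAMPLE_HOSTS. Note that pinning the name only removes DNS from the picture; if tnsping against the bare IP already fails, as reported later in this thread, the hosts file is not the problem.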
LVL 68

Expert Comment

by:Qlemo
ID: 34223323
If you use a 1:1 mapping of your private IP to a second public IP, there is still NAT and routing performed. But there is no port mapping (changing of source or destination port) applied. I cannot tell how the configuration has to be done - I have never configured a CP-1, only met the client.

Private IPs are not routable to the public Internet, that is 100% correct. That is why you always need a public IP, and that IP has to be assigned to you, so routing can be accomplished.

Exceptions for the VPN gateway or any internal IPs would not help. The latter because the internal (private) IPs are not visible to the CP device at your site - since your client is building the VPN tunnel, any traffic is encrypted, hiding the real addresses.
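The two explanations above (shared public IP with port overloading versus a dedicated 1:1 mapping, and return traffic that the firewall takes for its own) are easier to see in a toy model of the translation table than in prose. The following is an added illustration for this thread, not Check Point code; the addresses are constructed, and it assumes the VPN data path is IPsec ESP (IP protocol 50), which carries no port numbers, so a port-based NAT has nothing but the remote gateway address to key on. It also generalises slightly beyond the thread by adding a second inside host that talks to the same gateway, which is the simplest way to show the ambiguity.

```python
"""Toy model of two ways a company firewall can pass VPN traffic to the Internet:
port-overloading NAT (every inside host shares the firewall's one public IP) versus
a static 1:1 mapping of a spare public IP to one PC.

Added illustration for this thread; not Check Point code.  Addresses are constructed.
Assumption: the VPN data path is IPsec ESP (IP protocol 50), which has no ports."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GATEWAY = "203.0.113.10"   # constructed: the client site's VPN gateway
MY_PC = "10.0.0.5"         # constructed: the asker's PC behind the company firewall
OTHER = "10.0.0.6"         # constructed: another inside host using the same gateway
FIREWALL = "firewall"      # stands for the firewall's own VPN endpoint


@dataclass(frozen=True)
class Packet:
    proto: str                   # "udp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP: there are no ports at all
    dport: Optional[int] = None


class PortOverloadingNat:
    """Inside hosts share one public IP; flows are told apart by translated port."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000
        # (proto, public port, remote ip, remote port) -> (inside ip, inside port)
        self.table: Dict[Tuple, Tuple[str, Optional[int]]] = {}
        self.ambiguous: set = set()

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == "esp":
            key = ("esp", None, pkt.dst, None)
            if key in self.table and self.table[key][0] != pkt.src:
                self.ambiguous.add(key)  # two hosts, one gateway, no port to tell them apart
            self.table[key] = (pkt.src, None)
            return Packet("esp", self.public_ip, pkt.dst)
        port = self.next_port
        self.next_port += 1
        self.table[("udp", port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet("udp", self.public_ip, pkt.dst, port, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key in self.ambiguous:
            return None  # a real device might instead pick one host, possibly the wrong one
        if key not in self.table:
            # no translation state: the firewall treats the packet as addressed to itself
            return Packet(pkt.proto, pkt.src, FIREWALL, pkt.sport, pkt.dport)
        inside_ip, inside_port = self.table[key]
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port)

    def expire_state(self) -> None:
        """Idle timeout or a firewall restart throws the translation table away."""
        self.table.clear()
        self.ambiguous.clear()


class OneToOneNat:
    """Static public IP <-> inside host mapping: no ports rewritten, no per-flow state."""

    def __init__(self, pairs: Dict[str, str]):  # public ip -> inside ip
        self.pub_to_in = dict(pairs)
        self.in_to_pub = {inside: pub for pub, inside in pairs.items()}

    def outbound(self, pkt: Packet) -> Packet:
        return Packet(pkt.proto, self.in_to_pub[pkt.src], pkt.dst, pkt.sport, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.pub_to_in.get(pkt.dst)
        return Packet(pkt.proto, pkt.src, inside, pkt.sport, pkt.dport) if inside else None

    def expire_state(self) -> None:
        pass  # nothing to expire: the mapping is static


def _dst(delivered: Optional[Packet]) -> Optional[str]:
    return delivered.dst if delivered else None


def esp_reply_recipient(nat, hosts: List[str]) -> Optional[str]:
    """All hosts send ESP to GATEWAY; who receives the gateway's reply to hosts[0]?"""
    public_srcs = [nat.outbound(Packet("esp", h, GATEWAY)).src for h in hosts]
    return _dst(nat.inbound(Packet("esp", GATEWAY, public_srcs[0])))


def udp_reply_recipient(nat, hosts: List[str], port: int = 259) -> Optional[str]:
    """Same question for UDP (port 259 as in the thread): ports keep it unambiguous."""
    outs = [nat.outbound(Packet("udp", h, GATEWAY, port, port)) for h in hosts]
    return _dst(nat.inbound(Packet("udp", GATEWAY, outs[0].src, port, outs[0].sport)))


def esp_reply_after_state_loss(nat) -> Optional[str]:
    """MY_PC opens an ESP flow, the firewall loses its state, then the gateway replies."""
    out = nat.outbound(Packet("esp", MY_PC, GATEWAY))
    nat.expire_state()
    return _dst(nat.inbound(Packet("esp", GATEWAY, out.src)))


if __name__ == "__main__":
    print("PAT, one ESP client  :", esp_reply_recipient(PortOverloadingNat("192.0.2.1"), [MY_PC]))
    print("PAT, two ESP clients :", esp_reply_recipient(PortOverloadingNat("192.0.2.1"), [MY_PC, OTHER]))
    print("PAT, ESP after expiry:", esp_reply_after_state_loss(PortOverloadingNat("192.0.2.1")))
    one = OneToOneNat({"198.51.100.2": MY_PC, "198.51.100.3": OTHER})
    print("1:1, two ESP clients :", esp_reply_recipient(one, [MY_PC, OTHER]))
```

The UDP case succeeds under both schemes, which is consistent with the UDP 259 rule in the thread helping for a while; the ESP case is where port overloading has no flow identifier, and once the firewall's state for the flow is gone, the return packet looks exactly like a packet for the firewall's own VPN endpoint. The 1:1 mapping needs no state at all, so neither failure mode applies to it.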

Author Comment

by:sam15
ID: 34223373
I am doing tnsping using the IP address.

Do you see why I want to bypass the firewall completely? I think I can create an SSH tunnel directly from my PC to the VPN gateway, which should solve the CP-1 conflict.
LVL 68

Expert Comment

by:Qlemo
ID: 34223383
If you can do that, it is worth a try.

Author Comment

by:sam15
ID: 34223490
That was my original question: how can I do that technically, or can't you discuss it?

I am not sure if this link explains it, but it sounds like I have to configure my VPN client or ipconfig to use my localhost as a gateway.

http://www.youtube.com/watch?v=ngNdmB2WySc

LVL 68

Expert Comment

by:Qlemo
ID: 34223508
Unfortunately we can't change anything on the client site.
This excludes building any other VPN means to get into the remote gateway, including SSH tunneling. If the remote CP should terminate that SSH connection, it needs reconfiguration. For a tunnel in a tunnel you need at least one other reachable endpoint, like the DB server, which is not available.
The answer is hence no, you can't.
You can ask the other site if they would allow an OpenVPN tunnel between your PC and the database server - OpenVPN is a free SSL VPN using a proprietary protocol, so you need OpenVPN on both sites.

Author Comment

by:sam15
ID: 34223519
They won't do it on the client side.
I can either try the public IP, if you are sure that works, OR use my own Wi-Fi connection to the laptop directly to the VPN gateway, skipping the CP firewall altogether.

I tried tethering a BlackBerry from home and it seems to work, with some headaches; the connection is slow, but after the connection is established it seems very stable.
LVL 68

Accepted Solution

by: Qlemo (earned 500 total points)
ID: 34223533
I'm sorry, but these are your only options:
- Use an alternative connection, as you originally asked for, circumventing the company's firewall.
- Force the client site to make some changes.
- Force your own CP guys to invest some knowledge in debugging the issue on the CP device.
- Try the free ShrewNet VPN client, which should work with CP - maybe it is more reliable, but the odds are long.