Establishing SIC communication through PIX firewall?

Answered Question
Sep 25th, 2008

Hello,

Hopefully, this is the right forum to post this message. If not, I apologize.


My setup:

InternalFW: PIX515e(v6.3)

VPN box: Connectra(Checkpoint)

VPN box to be managed by the SmartCenter server(Checkpoint)


I am trying to establish communication between the SmartCenter server (which is in DMZ1) and the Connectra box (which is in DMZ2) through the PIX firewall.

I NAT'd the Connectra box DMZ2 IP to a DMZ1 IP where the SmartCenter resides. Then I implemented a DMZ1 ACL for the SmartCenter to access the Connectra over any port. I get hits on the access-list, but no connection.


SmartCenter DMZ1 IP:10.10.1.10/24

Connectra DMZ2 IP:10.10.2.11/24


static (dmz2,dmz1) 10.10.1.11 10.10.2.11 netmask 255.255.255.255 0 0

access-list acl_dmz1 permit tcp host 10.10.1.10 host 10.10.1.11


Just to see if I had set it up correctly, I configured the Connectra and SmartCenter on the same DMZ and it worked. I just can't get it to work through the PIX.

Does anyone have a similar setup and has run across the same issues?


Thank you,

-Lee

suschoud Thu, 09/25/2008 - 12:02

What kind of traffic are you passing between these boxes?

You have opened TCP.

Do you need to open UDP 500, GRE, and UDP 4500 too (usually needed for IPsec VPN)?

Also, add the inspection for ipsec-passthrough too.

    policy-map global_policy
    class inspection_default
    inspect ipsec-passthrough
    exit
    exit

Do rate if helpful.



Regards,

Sushil

lalcantara Thu, 09/25/2008 - 13:00

Hi Sushil,


Thanks for your reply. I am passing TCP traffic over port 18191 between the two boxes.

VPN traffic does not play a role yet in this situation, as I am simply trying to have one box on a DMZ communicate with another box on another DMZ for management purposes only.

Here are my current rules on the PIX (I also opened up UDP just in case):


SmartCenter DMZ1 IP:10.10.1.10/24

Connectra DMZ2 IP:10.10.2.11/24


static (dmz2,dmz1) 10.10.1.11 10.10.2.11 netmask 255.255.255.255 0 0

access-list acl_dmz1 permit tcp host 10.10.1.10 host 10.10.1.11

access-list acl_dmz1 permit udp host 10.10.1.10 host 10.10.1.11


Thanks,

-Lee



Correct Answer
cisco24x7 Thu, 09/25/2008 - 13:40

I have some experience with Checkpoint, so hopefully I can provide you with some advice on this.

SIC = Secure Internal Communication. Basically you enter the Activation key (one-time password) on the Connectra, and when you create a Checkpoint Connectra on the SmartDashboard, you enter the same Activation key on that object.

What you're trying to do will NOT work with NAT, because SIC does NOT work with NAT, UNLESS you are doing this through a Checkpoint Firewall.

If you run "fw monitor" on both the Connectra and the SmartCenter Server, and use Ethereal to look at the output, you will clearly see that SIC uses the Checkpoint Internal Certificate for Secure Internal Communication. It will NOT work through NAT unless you have a Checkpoint firewall in between the Connectra and the SmartCenter.

Your workaround is NOT to NAT between the SmartCenter and the Connectra.

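The NAT problem the answer above describes, as an added configuration check that is not part of the thread: it parses the PIX 6.3 `static` and `access-list` lines Lee posted and reports whether the SmartCenter-to-Connectra SIC path (TCP 18191, per Lee's reply) crosses a static translation, and whether the ACL would admit that port at all. The config text and host addresses are the ones from the thread; the function names and the "SIC fails across NAT" rule (taken from the answer) are this example's own.

```python
import ipaddress
import re

# Constructed sample: the PIX 6.3 lines Lee posted in the thread.
PIX_CONFIG = """
static (dmz2,dmz1) 10.10.1.11 10.10.2.11 netmask 255.255.255.255 0 0
access-list acl_dmz1 permit tcp host 10.10.1.10 host 10.10.1.11
access-list acl_dmz1 permit udp host 10.10.1.10 host 10.10.1.11
"""

STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(
    r"^access-list \S+ (permit|deny) (\w+) host (\S+) host (\S+)(?: eq (\d+))?")

def parse_statics(cfg):
    """(real_net, mapped_net) per 'static (real_if,mapped_if) MAPPED REAL netmask MASK'."""
    return [(ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False),
             ipaddress.ip_network(f"{m[1]}/{m[3]}", strict=False))
            for m in (STATIC_RE.match(ln.strip()) for ln in cfg.splitlines()) if m]

def mapped_address(statics, real_ip):
    """Address a real host is seen as on the mapped side, or None if untranslated."""
    ip = ipaddress.ip_address(real_ip)
    for real_net, mapped_net in statics:
        if ip in real_net:  # keep the host's offset inside the block (net statics)
            return str(mapped_net[int(ip) - int(real_net.network_address)])
    return None

def acl_permits(cfg, src, dst, proto, port):
    """First matching host/host entry decides; an entry without 'eq' is any port."""
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        action, aproto, asrc, adst, aport = m.groups()
        if (asrc, adst) == (src, dst) and aproto in (proto, "ip") \
                and aport in (None, str(port)):
            return action == "permit"
    return False  # implicit deny at the end of every PIX ACL

def check_sic_path(cfg, smartcenter, connectra_real, sic_port=18191):
    """Findings for SmartCenter -> Connectra SIC (TCP 18191) through this PIX."""
    mapped = mapped_address(parse_statics(cfg), connectra_real)
    findings = []
    if mapped:  # per the thread's answer: SIC does not work across NAT
        findings.append(f"nat: {connectra_real} is translated to {mapped}; SIC will fail")
    if not acl_permits(cfg, smartcenter, mapped or connectra_real, "tcp", sic_port):
        findings.append(f"acl: tcp/{sic_port} from {smartcenter} is not permitted")
    return findings
```

Running `check_sic_path(PIX_CONFIG, "10.10.1.10", "10.10.2.11")` on Lee's lines returns only the NAT finding: the ACL counts hits exactly as he observed, yet SIC still cannot come up.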


lalcantara Thu, 09/25/2008 - 14:07

Thanks David,

This sheds a lot of light now on our design.

Since I also could not get it to work through a direct ACL (no NAT), I guess I have to either put the two boxes on the same segment or, as you implied, get a new firewall :-). I think this was a question more towards Checkpoint, but I appreciate the response.


Thanks,

- Lee


cisco24x7 Thu, 09/25/2008 - 16:25

Basically your design should include a VLAN network design just for managing these devices. There should be absolutely NO NAT in this VLAN or Checkpoint SIC will complain.

Putting the SmartCenter and the Connectra on the same network is a BAD idea.


Good luck to you.
