Establishing SIC communication thru PIX firewall?

lalcantara
Level 1

Hello,

Hopefully, this is the right forum to post this message. If not, I apologize.

My setup:

InternalFW: PIX515e(v6.3)

VPN box: Connectra(Checkpoint)

VPN box to be managed by the SmartCenter server(Checkpoint)

I am trying to establish communication between the SmartCenter server (which is in DMZ1) and the Connectra box (which is in DMZ2) through the PIX firewall.

I NAT'd the Connectra box's DMZ2 IP to a DMZ1 IP where the SmartCenter resides. Then I implemented a DMZ1 ACL for the SmartCenter to access the Connectra over any port. I get hits on the access-list, but no connection.

SmartCenter DMZ1 IP:10.10.1.10/24

Connectra DMZ2 IP:10.10.2.11/24

static (dmz2,dmz1) 10.10.1.11 10.10.2.11 netmask 255.255.255.255 0 0

access-list acl_dmz1 permit tcp host 10.10.1.10 host 10.10.1.11

Just to see if I had set it up correctly, I configured the Connectra and SmartCenter on the same DMZ and it worked. I just can't get it to work through the PIX.

Does anyone have a similar setup and have you run across the same issues?

Thank you,

-Lee


6 Replies

suschoud
Cisco Employee

What kind of traffic are you passing between these boxes?

You have opened TCP.

Do you need to open UDP 500, GRE and UDP 4500 too (usually needed for IPsec VPN)?

Also, add the inspection for IPsec pass-through too:

policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
 exit
exit

Do rate if helpful

Regards,

Sushil

Hi Sushil,

Thanks for your reply. I am passing TCP traffic over port 18191 between the two boxes.

VPN traffic does not play a role yet in this situation as I am simply just trying to have one box on a DMZ communicate to another box on another DMZ for management purposes only.

Here are my current rules on the PIX (I also opened up UDP just in case):

SmartCenter DMZ1 IP:10.10.1.10/24

Connectra DMZ2 IP:10.10.2.11/24

static (dmz2,dmz1) 10.10.1.11 10.10.2.11 netmask 255.255.255.255 0 0

access-list acl_dmz1 permit tcp host 10.10.1.10 host 10.10.1.11

access-list acl_dmz1 permit udp host 10.10.1.10 host 10.10.1.11

Thanks,

-Lee

I have some experience with Checkpoint, so hopefully I can provide you with some advice on this.

SIC = Secure Internal Communication. Basically you enter the Activation key (one-time password) on the Connectra, and when you create a Checkpoint Connectra object in the SmartDashboard, you enter the same Activation key on that object.

What you're trying to do will NOT work with NAT, because SIC does NOT work with NAT, UNLESS you are doing this through a Checkpoint firewall.

If you run "fw monitor" on both the Connectra and the SmartCenter Server, and use Ethereal to look at the output, you will clearly see that SIC uses the Checkpoint Internal Certificate for Secure Internal Communication. It will NOT work through NAT unless you have a Checkpoint firewall in between the Connectra and the SmartCenter.

Your workaround is NOT to NAT between the SmartCenter and the Connectra.

Thanks David,

This sheds a lot of light now on our design.

Since I also could not get it to work through a direct ACL (no NAT), I guess I have to either put the two boxes on the same segment or, as you implied, get a new firewall :-). I think this was a question more towards Checkpoint, but I appreciate the response.

Thanks,

- Lee

Basically your design should include a VLAN network design just for managing these devices. There should be absolutely NO NAT in this VLAN or Checkpoint SIC will complain.

Putting the SmartCenter and the Connectra on the same network is a BAD idea.

Good luck to you.

Got it! Thanks again.
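
As an added example (not from the thread or from either poster), here is the no-NAT layout David recommends written out as PIX 6.3 configuration for Lee's addresses. The interface names dmz1/dmz2 and the two host addresses are from the post; everything else is an assumption: the two identity statics (so each host is seen from the other DMZ under its real address and no translation is applied to SIC in either direction), and the Check Point service ports in the access lists, which are taken from Check Point's published service names (CPD 18191, FW1_ica_push 18211, FW1_ica_pull 18210, FW1_log 18184, FW1_ica_servers 18264) and should be checked against the Connectra release in use. It also replaces Lee's any-port permit with only the management services.

```cisco
! Added example, not from the thread. PIX 6.3 syntax.
! SmartCenter 10.10.1.10 on dmz1, Connectra 10.10.2.11 on dmz2 (from the post).

! 1. Remove the translating static that hid the Connectra behind 10.10.1.11,
!    and the any-port rules that pointed at the translated address.
no static (dmz2,dmz1) 10.10.1.11 10.10.2.11 netmask 255.255.255.255 0 0
no access-list acl_dmz1 permit tcp host 10.10.1.10 host 10.10.1.11
no access-list acl_dmz1 permit udp host 10.10.1.10 host 10.10.1.11

! 2. Identity statics (assumed): each host is reachable from the other DMZ
!    under its own address, so SIC traffic is never translated.
static (dmz2,dmz1) 10.10.2.11 10.10.2.11 netmask 255.255.255.255 0 0
static (dmz1,dmz2) 10.10.1.10 10.10.1.10 netmask 255.255.255.255 0 0

! 3. SmartCenter -> Connectra: CPD (SIC) and ICA certificate push.
!    Ports are assumed Check Point service ports; verify for your release.
access-list acl_dmz1 permit tcp host 10.10.1.10 host 10.10.2.11 eq 18191
access-list acl_dmz1 permit tcp host 10.10.1.10 host 10.10.2.11 eq 18211
access-group acl_dmz1 in interface dmz1

! 4. Connectra -> SmartCenter: CPD, ICA certificate pull, logging, CRL fetch.
access-list acl_dmz2 permit tcp host 10.10.2.11 host 10.10.1.10 eq 18191
access-list acl_dmz2 permit tcp host 10.10.2.11 host 10.10.1.10 eq 18210
access-list acl_dmz2 permit tcp host 10.10.2.11 host 10.10.1.10 eq 18184
access-list acl_dmz2 permit tcp host 10.10.2.11 host 10.10.1.10 eq 18264
access-group acl_dmz2 in interface dmz2

! 5. Drop translations built under the old static before re-testing SIC.
clear xlate
```

With this in place the SmartCenter object in SmartDashboard keeps the Connectra's real address 10.10.2.11, nothing between the two DMZs is permitted except the listed management services, and the PIX never rewrites the addresses that SIC's certificate exchange sees.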
