Welcome to ISAserver.org

Checkpoint NG R55 and ISA 2004 Back-to-Back Configuration

Checkpoint NG R55 and ISA 2004 Back-to-Back Configuration - 6.Apr.2006 1:59:17 PM   
mokashif

 

Posts: 4
Joined: 6.Apr.2006
Status: offline
I am unable to connect my Checkpoint NG Edge firewall to my ISA 2004 Backend firewall. Here is the configuration detail.

Checkpoint NG R55 Edge Firewall on Windows 2000 AS

One Interface Configured as External Connected to Internet

One Interface Configured as Internal Connected Directly to ISA 2004 with IP add 192.168.2.1/24

A static route is added to point 192.168.1.0 network

route add 192.168.1.0 mask 255.255.255.0 192.168.2.2 -p

ISA 2004 BackEnd Firewall on Windows 2003 EE

One Interface Configured as External Connected to Checkpoint NG R55 with IP add 192.168.2.2/24 and default gateway 192.168.2.1 (Checkpoint firewall)

One Interface Configured as Internal Connected to Internal network (192.168.1.0/24) with IP add 192.168.1.5/24 and no default gateway

I am able to ping both of the Checkpoint firewall's interfaces and even internet sites from ISA 2004 and from internal workstations, but I am unable to ping from Checkpoint to the ISA 2004 Internal Interface, i.e. 192.168.1.5, and the internal network, even though I created a Network relationship and an access rule to allow ping traffic on ISA 2004.
A strange behaviour is that when I stop the Checkpoint FireWall-1 service on the Windows 2000 machine, the same machine is able to ping ISA 2004 and the internal network.

I don't know where the problem is; I have tried everything I could. I need help.

Does anybody know the answer?

_____________________________

Shimmy
Post #: 1
RE: Checkpoint NG R55 and ISA 2004 Back-to-Back Configu... - 6.Apr.2006 5:36:49 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Shimmy,

What Network Rules do you have in place on the ISA firewall?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mokashif)
Post #: 2
RE: Checkpoint NG R55 and ISA 2004 Back-to-Back Configu... - 8.Apr.2006 7:23:41 AM   
mokashif

 

Posts: 4
Joined: 6.Apr.2006
Status: offline
 
Hi Tom

There are three rules in place on ISA 2004

     Relation   Source Network   Destination Network
1-   Route      Local Host       All Networks (and Local Host)
2-   NAT        Internal         External
3-   Route      External         Internal
-----------------------------------------------------------------

After continued attempts to solve the problem I am now able to connect the Checkpoint firewall to ISA 2004, but I had to disable Anti-Spoofing on the Internal interface of the Checkpoint firewall. I think it is not a good solution as it will weaken the security. To test that no security rule on Checkpoint is creating the problem, I placed only one rule on the Checkpoint firewall, as given below

Source   Dest   VPN   Service   Action   Track   Install On   Time
any      any    any   any       accept   none    gateway      any

---------------------------------------------------------------------

I think now you have a clearer picture.

Thanks
Shimmy 

< Message edited by mokashif -- 8.Apr.2006 7:32:16 AM >


_____________________________

Shimmy

(in reply to tshinder)
Post #: 3
RE: Checkpoint NG R55 and ISA 2004 Back-to-Back Configu... - 9.Apr.2006 3:58:16 AM   
RAJP

 

Posts: 53
Joined: 11.Mar.2006
Status: offline
Any networks behind FW-1 must be defined in its "VPN Domain" setting. Go into the firewall object, topology section, and see what you have defined for the VPN Domain. I'm betting it's the "as defined by interface" setting (I can't remember the exact phraseology).

If it's set this way, then only the network that is reachable will be the one that's set on the firewall topology for the internal interface.

What you probably need to do is define a new Network Group in FW-1. You then need to define a network object for each subnet behind FW-1. Place each of these network objects into the network group you just created.

Now that the group is defined, go back into the topology section and change the VPN Domain to "manually defined" and select the network group you just created, save everything and push the policy.

You're seeing the anti-spoof drop because FW-1 does not know that the traffic coming from the internal network is part of the internal network. The above steps should fix it.

Ray

(in reply to mokashif)
Post #: 4
RE: Checkpoint NG R55 and ISA 2004 Back-to-Back Configu... - 10.Apr.2006 4:11:27 PM   
mokashif

 

Posts: 4
Joined: 6.Apr.2006
Status: offline
Hi Ray

Thank you very much for giving attention to my problem. You are right, I made the very same topology misconfiguration mistake that most Check Point administrators make. Thank you to all of you who replied and gave attention.


Thanks again

shimmy  

_____________________________

Shimmy

(in reply to mokashif)
Post #: 5
RE: Checkpoint NG R55 and ISA 2004 Back-to-Back Configu... - 11.Apr.2006 1:40:39 AM   
RAJP

 

Posts: 53
Joined: 11.Mar.2006
Status: offline
Hey, great! For any future readers, although my explanation was correct for the FW-1 VPN Domain, it was incorrect for this problem. The fix is similar in that you have to create the same group, but you set it on the firewall object, topology section, for the internal interface.

Actually, if you're using Check Point remote access or site-to-site VPNs, you have to set them both. :-)

Ray

(in reply to mokashif)
Post #: 6
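To make the anti-spoofing behaviour Ray describes concrete, the following is an added Python model of a Check Point-style interface anti-spoofing check applied to the topology in this thread. It is illustration written for this page, not Check Point code and not something any poster provided; the interface names (eth0_external, eth1_internal), the anti_spoof function and the two scenario functions are invented for the example. It compares the "as defined by interface IP" topology (only 192.168.2.0/24 behind the internal interface) with the corrected manual group that also lists 192.168.1.0/24, and shows why simply disabling anti-spoofing is the wrong fix.

```python
"""Model of interface anti-spoofing for the Check Point / ISA back-to-back
topology in this thread.  Added illustration, not Check Point code; interface
names and function names are invented for the example."""

from ipaddress import ip_address, ip_network

# Constructed from the thread: ISA's external leg sits on 192.168.2.0/24 and
# the LAN behind ISA is 192.168.1.0/24.  The Internet-facing interface is
# "External" in Check Point terms: everything not claimed by another interface.
DMZ_LINK = ip_network("192.168.2.0/24")
INTERNAL_LAN = ip_network("192.168.1.0/24")


def build_topology(internal_networks):
    """Return a map interface -> networks expected *behind* that interface.
    None marks the External interface (no explicit network list)."""
    return {
        "eth0_external": None,
        "eth1_internal": frozenset(internal_networks),
    }


def anti_spoof(topology, iface, src, enabled=True):
    """Return (accepted, reason).  A packet is treated as spoofed when its
    source address is not in the networks defined behind the interface it
    arrived on; on the External interface, when the source belongs to a
    network defined behind some other (internal) interface."""
    if not enabled:
        return True, "anti-spoofing disabled: no source address check"
    src = ip_address(src)
    behind = topology[iface]
    if behind is None:
        for other, nets in topology.items():
            if nets is not None and any(src in n for n in nets):
                return False, f"{src} belongs behind {other} but arrived on {iface}"
        return True, "source not claimed by any internal interface"
    if any(src in n for n in behind):
        return True, f"{src} is within the topology of {iface}"
    return False, f"{src} not in topology of {iface}: {sorted(str(n) for n in behind)}"


# Scenario 1: internal interface topology left "as defined by interface IP",
# so Check Point only knows about the directly connected /24.
MISCONFIGURED = build_topology([DMZ_LINK])

# Scenario 2: manually defined group holding every network behind ISA.
FIXED = build_topology([DMZ_LINK, INTERNAL_LAN])


def ping_reply_from_isa_lan(topology, enabled=True):
    """The echo reply from 192.168.1.5 enters Check Point on its internal
    interface.  This is the packet the thread saw dropped."""
    return anti_spoof(topology, "eth1_internal", "192.168.1.5", enabled)


def outside_host_spoofing_lan(topology, enabled=True):
    """An Internet host forges a LAN source address (constructed input)."""
    return anti_spoof(topology, "eth0_external", "192.168.1.77", enabled)


if __name__ == "__main__":
    for name, topo in (("misconfigured", MISCONFIGURED), ("fixed", FIXED)):
        print(name, "- reply from LAN:", ping_reply_from_isa_lan(topo))
        print(name, "- spoof from Internet:", outside_host_spoofing_lan(topo))
    print("disabled - spoof from Internet:",
          outside_host_spoofing_lan(MISCONFIGURED, enabled=False))
```

Two things fall out of the model. With the misconfigured topology the legitimate reply from 192.168.1.5 is dropped on the internal interface, which matches the symptom in the thread; but the same misconfiguration also means the External interface has no idea that 192.168.1.0/24 is an inside network, so a forged 192.168.1.x source from the Internet is accepted. Defining the group on the internal interface's topology fixes both at once, whereas disabling anti-spoofing only cures the symptom and leaves every interface open to forged sources.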