The problem you are having is that you have "multiple ways" back to the
DMZ zone.

One way to the DMZ is through the Checkpoint firewall (original setup).
The second way back to the DMZ is through your Cisco Concentrator internal
interface.

Either you simplify your connectivity routing by creating a second DMZ#2 for
the Cisco Concentrator internal interface, so everything has a route back
through the Checkpoint FW... only one way out.

Or use some kind of routing protocol that can handle "multiple ways" such as
BGP, OSPF, etc.

Regards,
Sal
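The two-return-paths problem Sal describes, and the effect of the band-aid route quoted further down in the thread, modelled as a longest-prefix-match route lookup. This is an added example, not from the thread or either product; the addresses 10.200.50.0/24 and 192.168.50.50 are the ones quoted in the thread, while the interface names, the DMZ#2 subnet (192.168.60.0/24), the VPN client pool (10.200.99.0/24) and the upstream gateway are assumed.

```python
"""Route-lookup model of the firewall tables discussed in the thread (added
example). Only 10.200.50.0/24 and 192.168.50.50 come from the thread; every
other address and the interface names are assumed for illustration."""
import ipaddress


def lookup(table, dst):
    """Longest-prefix match: return (next_hop, interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


# Assumed original firewall table: internal subnet directly connected on the
# inside interface, the DMZ on the dmz interface, default to an assumed gateway.
FW_ORIGINAL = [
    ("10.200.50.0/24", "connected", "inside"),
    ("192.168.50.0/24", "connected", "dmz"),
    ("0.0.0.0/0", "203.0.113.1", "outside"),  # constructed upstream gateway
]

# The band-aid from the thread: 10.200.50.0/255.255.255.0 via 192.168.50.50.
# Modelled as overriding the connected route for the same prefix, which is the
# effect the poster observed: the firewall hands every reply destined for an
# internal host to the concentrator instead of its own inside interface.
FW_BANDAID = [r for r in FW_ORIGINAL if r[0] != "10.200.50.0/24"] + [
    ("10.200.50.0/24", "192.168.50.50", "dmz"),
]

# Sal's suggestion, modelled: the concentrator's private interface sits in its
# own DMZ#2 (assumed 192.168.60.0/24, concentrator at 192.168.60.50) and only
# the VPN client pool (assumed 10.200.99.0/24) is routed to it. The internal
# subnet keeps its connected route, so there is exactly one path in each
# direction and all of it passes through the firewall.
FW_DMZ2 = FW_ORIGINAL + [
    ("192.168.60.0/24", "connected", "dmz2"),
    ("10.200.99.0/24", "192.168.60.50", "dmz2"),
]


def reply_path(table, internal_host="10.200.50.25"):
    """Where the firewall sends its own reply to an (assumed) internal host."""
    return lookup(table, internal_host)


if __name__ == "__main__":
    for name, table in (("original", FW_ORIGINAL), ("band-aid", FW_BANDAID),
                        ("dmz2", FW_DMZ2)):
        print(name, "reply to inside host ->", reply_path(table),
              "| to VPN client ->", lookup(table, "10.200.99.7"))
```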

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of . security
Sent: Sunday, May 29, 2005 5:51 PM
To: [email protected]
Subject: Re: [FW-1] checkpoint | cisco concentrator [route issue?]

Well, I thought this riddle was solved.  Got the concentrator up and working in
the DMZ.  Both interfaces are responding to ICMP from inside my network & the
public interface is accepting logins.

However, that's where things stop working: I can log in to the concentrator
from outside my network, but that's it.  I'm not able to reach anything inside
my network.  It appears traffic doesn't know how to reach the client.  Better
put, I think I may have a return route issue.

Just trying a few things, I was able to apply a band-aid using this route in
the firewall.  It says traffic for 10.200.50.0 [internal subnet] should use the
192.168.50.50 [concentrator] private interface as a gateway:
10.200.50.0/255.255.255.0 192.168.50.50

That route statement, while partially effective, makes the firewall
inaccessible from inside my network.

Thoughts?? I'm pretty close here & would really like to get this working!


>From: Rob Schrack <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] checkpoint | cisco concentrator [design thoughts]
>Date: Thu, 26 May 2005 19:34:42 -0400
>
>Authentication
>is being provided via radius with an active directory backend.  We tend to
>use AD groups for employee/researcher types and individual accounts with
>far more restrictive FW-1 rules for vendors and others.
>
>The whole idea was to keep the concentrator config as simple as possible.
>All rules to limit user access are on the Checkpoint box.  The link between
>the concentrator & firewall is tapped, so we can also throw in a sniffer or
>IDS box if we feel the need.
>
>My apologies for the tone of my original reply... I should know better than
>to reply when exhausted.
>
>Rob
>
>
>   ----- Original Message -----
>   From: Ray
>   To: [email protected]
>   Sent: Thursday, May 26, 2005 10:33 AM
>   Subject: Re: [FW-1] checkpoint | cisco concentrator [design thoughts]
>
>
>   Yes, correct, I didn't phrase that properly. One issue I would see with your
>   method is that the external interface of the concentrator is still fully
>   exposed to the Internet. I feel better having Check Point's stateful
>   firewall in front of everything because, well, it is a firewall.
>
>   With your method, how do you know that the traffic coming off the internal
>   interface of the concentrator is authorized? Is there any way for you to
>   limit down the concentrator traffic by user or are you doing that on the
>   concentrator itself?
>
>   Take care,
>
>   Ray
>
>
>
>   >From: Rob Schrack <[EMAIL PROTECTED]>
>   >Reply-To: Mailing list for discussion of Firewall-1
>   ><[email protected]>
>   >To: [email protected]
>   >Subject: Re: [FW-1] checkpoint | cisco concentrator [design thoughts]
>   >Date: Thu, 26 May 2005 00:24:52 -0400
>   >
>   >Short circuit around the firewall?  That's not putting it in front, that's
>   >putting it in parallel.
>   >
>   >Our 3030 is entirely in front of our firewall.  Its external interface is
>   >plugged into the same router as our IP530's external interface.  Its
>   >internal interface is plugged INTO the IP530.  That way I can filter inbound
>   >destinations & ports using the decrypted traffic.  Plus I can do it using
>   >the same FW-1 policy that I do for anything else trying to come in from the
>   >Internet.
>   >
>   >Rob
>   >----- Original Message -----
>   >From: Ray
>   >To: [email protected]
>   >Sent: Wednesday, May 25, 2005 11:12 PM
>   >Subject: Re: [FW-1] checkpoint | cisco concentrator [design thoughts]
>   >
>   >
>   >Nothing, repeat NOTHING, in my company is in front of a firewall. The
>   >question is not whether it should be behind a firewall, the question is why
>   >it should be exposed to the Internet when it could be put behind a
>   >firewall.
>   >I had a 3030 concentrator behind CP for awhile and it worked fine. We used
>   >UDP Encapsulation. We filtered everything hitting the concentrator to make
>   >sure only the needed ports and protocols were allowed. Putting it in front
>   >of the firewall = a potential short circuit around the firewall. A small
>   >potential to be sure, but it's still there and does not need to be.
>   >Ray
>   >>From: ". security" <[EMAIL PROTECTED]>
>   >>Reply-To: Mailing list for discussion of Firewall-1
>   >><[email protected]>
>   >>To: [email protected]
>   >>Subject: [FW-1] checkpoint | cisco concentrator [design thoughts]
>   >>Date: Wed, 25 May 2005 20:09:56 -0500
>   >>
>   >>We are going over a new network design, and trying to determine if this is
>   >>overkill.  Is it necessary to put a Cisco concentrator behind a firewall?
>   >>I haven't been able to find a lot of documentation indicating that it's
>   >>necessary.
>   >>
>   >>Here's the design we've come up with:
>   >>-public interface, located in the dmz statically NATd to a public address
>   >>-private interface also located in the same DMZ but on a different network;
>   >>this interface is pointed towards the internal network.
>   >>
>   >>
>   >>internet
>   >>    |
>   >>[firewall]-------------------------------------------------|DMZ
>   >>       |          |                              |
>   >>       |        public int [NATd]      private int [faces back to internal net]
>   >>       |
>   >>internal network
>   >>
>   >>
>   >>
>   >>thoughts?
>   >>
>   >>=================================================
>   >>To set vacation, Out-Of-Office, or away messages,
>   >>send an email to [EMAIL PROTECTED]
>   >>in the BODY of the email add:
>   >>set fw-1-mailinglist nomail
>   >>=================================================
>   >>To unsubscribe from this mailing list,
>   >>please see the instructions at
>   >>http://www.checkpoint.com/services/mailing.html
>   >>=================================================
>   >>If you have any questions on how to change your
>   >>subscription options, email
>   >>[EMAIL PROTECTED]
>   >>=================================================
>
>

