Something I'm thinking that might work is to exclude the SMC from the encryption domain.

I have not used them much, but I know you can create a group with exclusion, and I'm thinking that if you already have a manually defined group for the VPN domain and create a new one that excludes the SMC from it, the firewall will not try to encrypt traffic from the SMC to the remote gateway, and you can keep it right where it is right now.

Hope this helps.

On 8/14/07, cisco4ng <[EMAIL PROTECTED]> wrote:
>
> I think I see your problem. You're trying to manage the remote firewall and
> also have an IPSec VPN between the two firewalls, and the SMC is sitting
> behind one of those firewalls. What you're trying to do will NOT work,
> unless you're using "traditional mode" and not "simplified mode" VPN.
> You're using simplified mode, correct? If so, the firewall itself will be
> part of the encryption domain as well. That's not the case in
> traditional mode.
>
> When you try to ssh to the remote firewall from the SMC, it triggers
> the VPN tunnel. That's why it will not work. Unless someone here has
> a better idea, I just don't think what you're trying to achieve here
> will work.
>
> I think the best solution is to put your SMC in the DMZ with a public IP
> address and route through the firewall. That way, you don't have to
> worry about NAT and it is a much cleaner setup.
>
> In the setup that you have, the SMC is also part of the encryption domain
> with the remotely managed firewall, and I don't think the SMC is designed to
> work that way.
>
>
> Alan Choyna <[EMAIL PROTECTED]> wrote:
> Everything is already as you defined it, Cisco4ng.
>
> The SMC is NAT'd to an external IP, and I do have a rule allowing
> full bi-directional traffic in both firewalls' policies.
>
> I do not get the policy installing on the remote gateway, which is great
> news.
>
> When I try to connect to it from the SMC server I get the following error:
>
> Number: 38960
> Date: 14Aug2007
> Time: 8:55:57
> Product: VPN-1 Power/UTM
> Interface: eth6
> Origin: fw1box-1
> Type: Log
> Action: Drop
> Protocol: tcp
> Service: ssh (22)
> Source: backup (10.1.1.3)
> Destination: fw1dc2 (10.2.2.1)
> Rule: 38
> NAT rule number: 149
> NAT additional rule number: 0
> Source Port: 44768
> Destination Key ID: 0x00000000
> XlateSrc: fw1box-cluster (11.222.333.211)
> XlateSPort: 12075
> Encryption Scheme: IKE
> VPN Peer Gateway: fw1dc2 (33.222.111.182)
> Encryption Methods: ESP: AES-128 + MD5
> Community: suntimes_IDC
> Information: encryption fail reason:
> Packet is dropped because there is no valid SA - please refer to
> solution sk19423 in SecureKnowledge Database for more information
>
> Do I need to create a VPN tunnel between the 2 firewalls as well for
> other access?
>
> Thanks for the help so far.
>
> Alan
>
>
> At 04:57 PM 8/13/2007, cisco4ng wrote:
> >Let me give you an example:
> >
> >smc--FW_A----Internet----FW_B
> >
> >Let's say the smc has an IP address of 10.1.1.10/24.
> >The internal interface of FW_A has an IP of 10.1.1.1.
> >Now you want to manage both FW_A and FW_B via
> >the smc.
> >
> >1) Go into SmartDashboard, select the
> >smc object, and under the NAT section select the
> >box "apply for VPN-1 Pro/Express control connections"
> >and then enter the public IP address that you will
> >NAT the smc to. Under "install on", select FW_A as the
> >one that you will NAT on.
> >
> >2) Create a bi-directional rule to allow a service
> >of "Any" between the smc and FW_B (just for testing).
> >
> >3) Once that is done, push policy to the FW_A
> >firewall. Now the smc will be able to communicate
> >with FW_B and vice versa. You should be able to
> >SIC between FW_B and the smc.
> >
> >Keep in mind that under the NAT of the smc, if you
> >select "install on gateway" as "all", it will NOT
> >work. It should be FW_A only.
> >
> >Alan Choyna wrote:
> >Thanks for the responses. They're greatly appreciated.
> >
> >Just to clarify, the SMC is the Smart Management Center, right?
> >
> >I went to the management server object and selected "Apply for VPN-1
> >Power/UTM Control Connections", but it would not let me save it, saying:
> >
> >"Applying NAT on VPN-1 Power/UTM control connections is allowed only
> >when the rule is installed on a single gateway".
> >
> >The install on Gateway is set to "all".
> >
> >I have installed the license on the new gateway using SmartUpdate,
> >and yes, SIC is working fine.
> >
> >When I check the new gateway after attempting to push policy (it
> >fails with a timeout), I see that "fw stat" shows the right policy,
> >but I cannot access the outside world from the inside networks of the
> >new gateway, nor from the gateway itself. SIC is also lost, as the
> >gateway does not seem to accept any connection.
> >
> >When I unload the local policy I can access the outside world only
> >from the new gateway, and SIC is re-established.
> >
> >This is driving me crazy.
> >
> >The rules I have for the new policy (that is only pushed to the remote
> >gateway) allow for connectivity between the management networks of
> >the original data center and any of the networks behind the new
> >gateway. I also have a rule allowing all outbound from the networks
> >behind the new gateway, yet nothing seems to work.
> >
> >Help!!!!!
> >
> >Al
> >
> >
> >At 12:25 PM 8/13/2007, Sergio Alvarez wrote:
> > >Deploying a remote gateway is similar to working on any distributed
> > >environment, just bear in mind that if you go through the Internet, NAT will be
> > >involved in the communication between this new box and your SmartCenter.
> > >
> > >- The NAT tab of the SMC object has a check mark you must check to apply the
> > >NAT rule to CP control connections
> > >- You will need a static NAT for the SMC to be able to receive logs from the
> > >external gateway
> > >- Of course you must make sure security policies on any other gateways
> > >between SMC and remote gateway have the required rules to allow traffic both
> > >ways
> > >- Regarding the configuration of security rules for this particular remote
> > >gateway, just make sure only rules that are supposed to be used by it have
> > >the corresponding object in the "install on" column of the rule base.
> > >
> > >If you were already able to establish SIC, you should also be able to use
> > >SmartUpdate to attach the corresponding license.
> > >
> > >About the issue with Web Intelligence, the other guys above me have already
> > >touched all possibilities... I think.
> > >
> > >Hope this helps...
> > >
> > >Regards
> > >
> > >On 8/12/07, Jean-Paul Baillon wrote:
> > > >
> > > > Remotely managed gateway = Distributed Installation
> > > >
> > > > You will find a lot of docs on the CP website
> > > > http://www.checkpoint.com/support/technical/documents/index.html
> > > >
> > > > JP
> > > >
> > > > -----Original Message-----
> > > > From: Mailing list for discussion of Firewall-1
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Alan Choyna
> > > > Sent: Monday, 13 August 2007 9:10 AM
> > > > To: [email protected]
> > > > Subject: Re: [FW-1] Deploying new gateway to be remotely managed.
> > > >
> > > > Thanks Ray (and Sin) for your advice.
> > > >
> > > > Is there an SK for building and deploying a policy for a remotely
> > > > managed gateway? Or can anyone give me the basics?
> > > >
> > > > Thanks in advance,
> > > >
> > > > Alan
> > > >
> > > > At 05:15 PM 8/12/2007, Ray wrote:
> > > > >There's an SK article on what protections require a WI license.
> > > > >CPMAD, SQL Injection, LDAP Injection, and one other thing, if I recall
> > > > >correctly. If you un-check those, you should be OK.
> > > > >
> > > > >Web Intelligence's biggest failing is that it does not work on SSL
> > > > >traffic, which is where you really want to protect this kind of stuff.
> > > > >FW-1 can't do SSL termination, which severely limits its inspection
> > > > >ability.
> > > > >
> > > > >Apparently there used to be an add-in OPSEC card that did allow FW-1 to
> > > > >do SSL inspection, but the vendor got bought out late last year and the
> > > > >product was discontinued.
> > > > >
> > > > >Ray
> > > > >
> > > > >
> > > > >>From: Alan Choyna
> > > > >>Reply-To: Mailing list for discussion of Firewall-1
> > > > >>To: [email protected]
> > > > >>Subject: [FW-1] Deploying new gateway to be remotely managed.
> > > > >>Date: Sat, 11 Aug 2007 14:41:48 -0500
> > > > >>
> > > > >>Hi Gurus,
> > > > >>
> > > > >>We've just built a new SPLAT R62 gateway at a new data center to be
> > > > >>remotely managed by a management server (with the same version,
> > > > >>R62) at another data center.
> > > > >>
> > > > >>I was able to SIC the new gateway to the management server, so it is
> > > > >>now ready to have a policy pushed to it.
> > > > >>
> > > > >>This is our first experience of setting up a remotely managed gateway,
> > > > >>and I don't know how to set up its policy on the management server.
> > > > >>
> > > > >>Can someone please advise on the initial configuration of the policy for
> > > > >>the new gateway on the management server?
> > > > >>
> > > > >>After getting SIC with the new gateway on the management server I
> > > > >>cannot push policy to the cluster even when de-selecting the new
> > > > >>gateway. I get the error message:
> > > > >>
> > > > >>Security and Address Translation Policy Verification:
> > > > >>Additional licenses for Web Intelligence are required.
> > > > >>You have (0) Web Intelligence licenses installed, while (1) gateway is
> > > > >>involved in Web Intelligence protection.
> > > > >>
> > > > >>How do I disable Web Intelligence on the new gateway? Since I cannot
> > > > >>connect to it remotely as yet (no policy), I have not yet installed
> > > > >>its correct license; it's still running on the eval license for now.
> > > > >>
> > > > >>Thanks in advance for your advice,
> > > > >>
> > > > >>Alan
> > > > >>
> > > > >>
> > > > >>Alan C. Choyna
> > > > >>Director of Infrastructure
> > > > >>
> > > > >>Pathfinder Associates, LLC
> > > > >>
> > > > >>http://www.pathfinderassoc.com
> > > > >>Internet Strategy Business Consultants
> > > > >>mailto:[EMAIL PROTECTED]
> > > > >>
> > > > >>Business telephone (312) 372-1058 ext 6003. Mobile (773) 255-6662
> > > > >>
> > > > >>
> > > > >>=================================================
> > > > >>To set vacation, Out-Of-Office, or away messages, send an email to
> > > > >>[EMAIL PROTECTED]
> > > > >>in the BODY of the email add:
> > > > >>set fw-1-mailinglist nomail
> > > > >>=================================================
> > > > >>To unsubscribe from this mailing list, please see the instructions at
> > > > >>http://www.checkpoint.com/services/mailing.html
> > > > >>=================================================
> > > > >>If you have any questions on how to change your subscription options,
> > > > >>email [EMAIL PROTECTED]
> > > > >>=================================================
> > >--
> > >Sergio Alvarez
> > >(506)8301342
--
Sergio Alvarez
(506)8301342
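The thread's diagnosis is that, in simplified-mode VPN, the SMC-to-gateway connection is itself matched into the community (so it needs an IPsec SA, and the record above shows "no valid SA"), and the top reply proposes taking the SMC out of the encryption domain with a group with exclusion. The following is an added example, not part of the thread and not Check Point's code: it parses the SmartView Tracker record Alan posted and models that matching with a deliberately simplified rule (source in the local domain and destination in the peer's domain means "vpn", otherwise "clear"). The networks 10.1.1.0/24 and 10.2.2.0/24, the inclusion of the peer gateway's external address in its domain, and the names `parse_cp_log`, `VpnDomain` and `classify_flow` are assumptions of this example, not facts from the page; Check Point's real policy evaluation is more involved than this model.

```python
"""Added example (not from the thread and not Check Point code): parse the
SmartView Tracker drop record posted in the thread and model, in a simplified
way, why the SMC-to-gateway flow is pushed into the VPN community and how a
'group with exclusion' takes the SMC back out of the encryption domain."""
import ipaddress
import re
from dataclasses import dataclass, field

# Record reproduced from the thread, trimmed to the fields used here.
CP_LOG = """\
Action: Drop
Protocol: tcp
Service: ssh (22)
Source: backup (10.1.1.3)
Destination: fw1dc2 (10.2.2.1)
Rule: 38
NAT rule number: 149
XlateSrc: fw1box-cluster (11.222.333.211)
Encryption Scheme: IKE
VPN Peer Gateway: fw1dc2 (33.222.111.182)
Community: suntimes_IDC
Information: encryption fail reason: Packet is dropped because there is no valid SA
"""

FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")
IP_IN_PARENS = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_cp_log(text):
    """Turn 'Key: value' lines into a dict. A value of the form
    'name (a.b.c.d)' also yields key + '_ip' as an IPv4Address, but only when
    the address is valid (the masked XlateSrc in the thread is not)."""
    rec = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        rec[key] = value
        ip_m = IP_IN_PARENS.search(value)
        if ip_m:
            try:
                rec[key + "_ip"] = ipaddress.ip_address(ip_m.group(1))
            except ValueError:
                pass
    return rec


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


@dataclass
class VpnDomain:
    """A gateway's encryption domain: included networks minus an exclusion
    group, i.e. the 'group with exclusion' the top reply suggests."""
    include: list
    exclude: list = field(default_factory=list)

    def contains(self, ip):
        ip = ipaddress.ip_address(str(ip))
        if any(ip in net for net in self.exclude):
            return False
        return any(ip in net for net in self.include)


def classify_flow(src, dst, local, peer):
    """Simplified model of simplified-mode matching (an assumption of this
    example): a packet whose source is in the local domain and whose
    destination is in the peer's domain belongs to the community and needs an
    IPsec SA ('vpn'); anything else is sent in clear, subject to ordinary
    rules and NAT ('clear')."""
    return "vpn" if local.contains(src) and peer.contains(dst) else "clear"


def classify(record, local, peer):
    return classify_flow(record["Source_ip"], record["Destination_ip"], local, peer)


if __name__ == "__main__":
    rec = parse_cp_log(CP_LOG)
    # Assumed domains for the thread's topology. Following cisco4ng's point
    # that in simplified mode the gateway's own addresses are in its domain,
    # fw1dc2's external address is included on the peer side.
    local = VpnDomain(include=nets("10.1.1.0/24"))
    peer = VpnDomain(include=nets("10.2.2.0/24", "33.222.111.182/32"))
    print("as logged:", classify(rec, local, peer))                    # vpn
    # Same domain with the SMC host excluded: the flow stays out of the VPN.
    local_excl = VpnDomain(include=nets("10.1.1.0/24"), exclude=nets("10.1.1.3/32"))
    print("with exclusion group:", classify(rec, local_excl, peer))    # clear
    # The management connection to the gateway's external address behaves the same way.
    print(classify_flow("10.1.1.3", "33.222.111.182", local, peer))       # vpn
    print(classify_flow("10.1.1.3", "33.222.111.182", local_excl, peer))  # clear
```

The parser deliberately drops the `XlateSrc` address because the posted value is masked and not a valid IPv4 address; a real record would yield `XlateSrc_ip` too. The exclusion check runs before the inclusion check, which is what makes the SMC host fall outside the domain even though its /24 is still inside.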
