CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Can someone help me with this issue? I have a SmartCenter NGX R65 with HFA_02 running on SPLAT. The IP address of the SMC box is 192.16.1.10/24. This SMC box sits behind a Cisco router facing the Internet. The IP addresses of the Cisco router are 192.168.1.1/24 and 4.2.2.2/24 respectively. I NATted the SMC box to 4.2.2.3 on the Cisco router so that user(s) on the Internet can access the SMC with SmartDashboard: ip nat inside source static 192.168.1.10 4.2.2.3. From the Internet, when I launch SmartDashboard, I get the fingerprint but then SmartDashboard says "failed to launch application". I noticed that this issue has existed since NGX R61 and higher. It does not matter if I replace the Cisco device with a Check Point firewall, I still get the same error. If I replace the SmartCenter NGX R65 with SmartCenter NG with AI R55, I can connect fine over the Internet. Is this a new feature of NGX or is this a bug? If anyone would be willing to help me out by testing this with me, I can open my firewall so that you can try to log into my SmartCenter over the Internet; please send me a private message. Thanks.

How about not NATing on the Cisco, and instead giving the management box the 4.2.2.3 address on one of its interfaces?

Curious... Why?

Because the customer has already set up the box this way with a private IP address and they are not going to change it. They want to give an auditor outside the company read-only access to the SMC via SmartDashboard. NO VPN. The point is that it works perfectly in NG w/ AI R55 but not in NGX. I couldn't find any documentation that says it broke in NGX.

Ahh... Well, that is no good. I could think of some possible solutions, but I think they would be a Mickey Mouse way of doing things...

That is only possible if the SmartCenter is behind a Check Point firewall, NOT a Cisco IOS or PIX. By the way, this option is also available in R55 as well. That is only good if the SMC has to perform SIC with the Enforcement Modules. This option is no good for CPMI connections because they use TCP port 18190.

It's not relevant in this case, but are you sure about the SIC thing? SIC is name-based. I thought it was for control connections. Maybe that check box builds a new implied rule or a new NAT rule. If so, perhaps that would give you a clue as to how to configure the router. Ray

Hi Ray, "It's not relevant in this case, but are you sure about the SIC thing? SIC is name-based. I thought it was for control connections." I am very certain about this. This "control connections" option exists in NG with AI and higher so that the firewall and SmartCenter are aware that the SMC is behind a "Check Point" NAT device. In NG Feature Pack 3, there was no such option and you had to use the "dummy" object approach. I remember this quite well because I had a huge fight with Check Point Professional Services about this. A Check Point Professional Services engineer came in and deployed Provider-1 for us back in 2004; he assigned a private address to the P-1/CMA box, and that box sat behind a Cisco PIX firewall doing NAT. After a week of agony, I told the Check Point Professional Services engineer to go F! himself and I rebuilt the P-1 box with a routable public IP. The company wasted about 50k on CP Professional Services and had nothing to show for it. Oh well...

Just curious if you have maybe tried this... I have no idea if it will work, and have not tested it... But... What about creating a hosts file entry on the machine connecting to the SmartCenter server, and matching the name in the hosts file to the name you have configured the SmartCenter as? Then connect via the name instead of the IP... Perhaps the GUI client is seeing that the IP entered does not match a valid interface on the SmartCenter, and maybe if using a name instead, it will see the match... Probably won't work, but just a thought...

I already tried that scenario before posting the question in the group. On the other hand, I have another Linux box with a private IP on the same network as the SMC. From my Windows machine on the Internet, I SSH'ed into the Linux box and then enabled port forwarding on the Linux box. From my Windows box, I then used SmartDashboard to connect to the SMC with the 127.0.0.1 IP address. That method works. However, the SMC thinks the Linux box is connecting to it, not my Windows machine. Therefore, there is NO NAT in this situation. With NAT, it does not work, either with IP or hostname.

After some testing, it turns out it's not a NAT issue at all. It looks like some kind of weird problem with the Provider-1 Multi-Domain GUI. The plain old R65 GUI works most of the time. The shortcut to start the P-1 GUI is:
    Target: "C:\Program Files\CheckPoint\Provider-1\R65\CPLauncher.exe" 9
    Start in: "C:\Program Files\CheckPoint\Provider-1\R65\"
If you go to a command prompt in "C:\Program Files\CheckPoint\Provider-1\R65\" and run cplauncher 9 <Enter>, it works fine from the Internet. Go figure. The numeric parameter tells it which program to launch. My guess is cplauncher.exe is not respecting the "Start in" parameter. Why it works when run from the LAN is what's weird. Ray
Last edited by RayPesek; 2008-01-26 at 14:41.

A couple of things to try:
1. Get a packet trace on tcp/18190 and see what source IP the incoming connections have. I regularly use Office Mode and IP Assignment to manage my SmartCenter remotely, and I had to make sure the OM NATted address was in the GUI Clients list.
2. For a test only, add "Any" to the GUI Clients list, and test. That will tell you if it's the ACL on the SmartCenter that is causing the problem.
3. If "Any" fails, test an SSH connection from the same location, just to make sure that routing and NAT are all working properly and it's not a general connectivity issue.
FWIW, the SSH/port forwarding technique is a great way to get around a lot of these issues, and I tend to use that a lot. That could be a pretty effective workaround.

Here is a summary of my test:
1. I have Provider-1 GUI R65 with HFA_01 and SmartConsole R65 with HFA_01 on my laptop. I also have P-1 GUI R55 and SmartConsole R55 on my laptop as well.
2. I specify "Any" GUI clients in the Provider-1, as confirmed in the $MDSDIR/conf/mdsdb/cp-gui-clients.C file:
    :domain ()
    :gui_client_type (any)
    :ipaddr ()
    :ipaddr2 ()
    :mds_client (true)
    :netmask ()
    :value (any)
    )
3. My laptop sits behind a Cisco PIX 8.0(3) firewall with:
    nat (inside) 1 0 0
    global (outside) 1 interface
    access-list test permit ip any any log
    access-group test in interface outside
In other words, the PIX will "hide" NAT ALL outbound traffic.
4. The P-1 R65 box has a private address of 192.168.1.1 and it is NAT'ed to 4.2.2.2 on the Cisco IOS router. There is a CMA with an IP address of 192.168.1.10 and it is NAT'ed to 4.2.2.3 by the Cisco router as well. From my laptop, I can connect to 4.2.2.3 with SmartDashboard/SmartView Tracker. From my laptop, I can NOT connect to 4.2.2.2 with the Provider-1 GUI. From my laptop, I can NOT connect to 4.2.2.2 via the command line "cplauncher 9" as suggested by Ray. I always get "Failed to launch application". I replaced the P-1 R65 box with a P-1 R55 box and I CAN connect to 4.2.2.2 with the P-1 R55 GUI and to 4.2.2.3 with the SmartDashboard/SmartView Tracker R55 GUI.
This is definitely different from when Ray tested the connection with me. I could see him connect to my Provider-1 R65 with the P-1 GUI. This is really weird. tcpdump showed everything is normal and that the P-1 box is seeing traffic coming from the PIX's external interface, hide NAT. Everything being equal, it tells me that the Provider-1 NGX R65 GUI has issues, I think.
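As an added example, not part of the thread: a small Python check that automates steps 1 and 2 of the earlier suggestion, pulling the source IPs of connection attempts to tcp/18190 out of tcpdump output and testing each against GUI Clients entries in the cp-gui-clients.C style quoted above. The "any" entry copies the format shown in this thread; the LAN-only entry, the matching rule for non-"any" entries, and all tcpdump lines are constructed assumptions, not documented Check Point behaviour.

```python
import ipaddress
import re
# Constructed samples (not from the thread). The first mirrors the ":gui_client_type (any)" entry
# quoted above; the second reuses the same :ipaddr/:netmask keys to admit only the SmartCenter's
# LAN. How non-"any" entries are matched is an assumption, not documented Check Point behaviour.
GUI_CLIENTS_ANY = """: (
    :gui_client_type (any)
    :ipaddr ()
    :netmask ()
    :value (any)
)"""
GUI_CLIENTS_LAN_ONLY = """: (
    :ipaddr (192.168.1.0)
    :netmask (255.255.255.0)
    :value (192.168.1.0)
)"""
# Constructed "tcpdump -nn port 18190" output: one LAN client and one hide-NATted Internet client.
TCPDUMP = """\
14:02:11.100001 IP 192.168.1.50.49152 > 192.168.1.10.18190: Flags [S], seq 1, win 65535, length 0
14:02:11.100201 IP 192.168.1.10.18190 > 192.168.1.50.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
14:02:12.500001 IP 4.2.2.100.51234 > 192.168.1.10.18190: Flags [S], seq 3, win 65535, length 0
"""

ENTRY_RE = re.compile(r":\s*\(\s*((?::\w+\s*\([^)]*\)\s*)+)\)")   # one "( :key (value) ... )" block
FIELD_RE = re.compile(r":(\w+)\s*\(([^)]*)\)")                     # ":key (value)" pairs inside it
SYN_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.\d+ > \d+(?:\.\d+){3}\.(\d+): Flags \[S\]")
def parse_gui_clients(text):
    # One dict of field -> value per entry; empty parentheses become "".
    return [dict(FIELD_RE.findall(m.group(1))) for m in ENTRY_RE.finditer(text)]

def client_allowed(src_ip, entries):
    # "any" admits every source; otherwise ipaddr (+ netmask, default host mask) must contain it.
    ip = ipaddress.ip_address(src_ip)
    for e in entries:
        if e.get("gui_client_type") == "any":
            return True
        if e.get("ipaddr"):
            mask = e.get("netmask") or "255.255.255.255"
            if ip in ipaddress.ip_network(f"{e['ipaddr']}/{mask}", strict=False):
                return True
    return False

def observed_sources(tcpdump_text, dport=18190):
    # Source IPs opening connections to the CPMI port, i.e. what the SmartCenter sees after NAT.
    return {m.group(1) for m in SYN_RE.finditer(tcpdump_text) if int(m.group(2)) == dport}

def audit(tcpdump_text, clients_text):
    # Map each observed source to whether the GUI Clients list would accept it.
    entries = parse_gui_clients(clients_text)
    return {src: client_allowed(src, entries) for src in sorted(observed_sources(tcpdump_text))}
```

With the LAN-only list the hide-NATted source 4.2.2.100 is reported as rejected while the LAN client passes; with the "any" list both pass, which is the distinction step 2 of the suggestion is meant to expose.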