Saturday, January 22, 2011

Secure Client through a FireWall-1 Firewall

I have an internal local user who is connected to our local network, and he is interested in using securemote to connect to one of our customers, who provide him the necessary information to get into their site. Both our site and the customer site use FireWall-1. The user is able to ping and see the customer's hosts, but some of the packets will not go through our firewall.
If the same user uses a modem or dialup from the ISP Internet connection, he is able to do everything he needs to with securemote, but we are interested in providing connectivity from the internal LAN to the remote customer site.


If your firewall is not performing any address translation on the securemote client, then it will work with the information provided below. If your firewall is doing address translation for the securemote client (because the client has a non-routable or illegal IP address), then read the following FAQ to determine if such a configuration will be possible: Secure Client and NAT
Assuming you are not doing address translation, or can work around it, part of what needs to be done depends on whether or not the remote FireWall-1 is configured to use encapsulation for securemote connections.
General Configuration
In all cases, you will need to permit the following traffic through your local firewall (note: the IKE service applies only to FireWall-1 4.0 and above, and only when IKE is used for securemote; in 4.0 the service is named ISAKMP):
Source                   Destination              Service                    Action
securemote-Client        Remote-Mgmt-Server       FW1, FW1_topo,             Accept
                                                  FW1_pslogon
securemote-Client        Remote-FireWall          RDP, IKE                   Accept

Remote Site Uses fwz Encapsulation
If the remote site is using encapsulation for securemote clients, the following additional rule needs to be added:
Source                   Destination               Service             Action
securemote-Client        Remote-FireWall           FW1_Encapsulation   Accept
Remote-FireWall          securemote-Client         FW1_Encapsulation   Accept

FW1_Encapsulation is pre-defined on most current FireWall-1 boxes. If it is not pre-defined on yours, then create it as a service of type Other with "ip_p=94" in the Match field.
Remote Site Uses IKE
If the remote site is using IKE for securemote clients, the following additional rule needs to be added:
Source                   Destination              Service             Action
securemote-Client        Remote-FireWall          ESP                 Accept
Remote-FireWall          securemote-Client        ESP                 Accept

ESP is pre-defined on most current FireWall-1 boxes. If it is not pre-defined on yours, then create it as a service of type Other with "ip_p=50" in the Match field.
Remote Site Uses UDP Encapsulation
If the remote site is using UDP Encapsulation on their clients, the following additional rule needs to be added:
Source                   Destination              Service                  Action
securemote-Client        Remote-FireWall          VPN1_IPSEC_encapsulation Accept
Remote-FireWall          securemote-Client        VPN1_IPSEC_encapsulation Accept

VPN1_IPSEC_encapsulation is pre-defined on FireWall-1 4.1 SP3 and above. If it is not pre-defined on yours, then create it as a service of type UDP, port 2746.
Remote Site uses fwz without Encapsulation
If the remote site does not use encapsulation, then you will need to permit the necessary traffic to and from the remote site in your local firewall's rulebase. Make sure that none of this traffic is processed through the security servers or an intermediary proxy, or you may get unreliable or unpredictable results. The following rule near the top of your rulebase should suffice:
Source                   Destination               Service             Action
securemote-Client        Remote-Servers            Any                 Accept

The "Any" above can be replaced with the specific services the securemote client needs to use.
Remote Site uses NG, Policy Server, and Office Mode
If you are using Office Mode on FireWall-1 NG and/or using the Policy Server for NG, you will need the following rules:
Source                   Destination              Service                  Action
securemote-Client        Remote-FireWall          FW1_pslogon_NG, IKE,     Accept
                                                  VPN1_UDP_Encapsulation,
                                                  Tunnel-Test

FW1_pslogon_NG is TCP port 18231. Tunnel-Test is UDP Port 18234.
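To see which of the rules above a given packet falls under (and therefore why "some packets" might stop at the local firewall), here is a small model of the rulebases described in this post. This is an added example, not Check Point code or part of the original post; the service definitions marked "page" come from the text above, while the FW1, FW1_topo, FW1_pslogon, RDP and IKE ports are assumed well-known values, and VPN1_UDP_Encapsulation is assumed to use the same UDP 2746 port as VPN1_IPSEC_encapsulation.

```python
from collections import namedtuple

# Services as (ip_protocol, destination_port); port None = match the whole protocol.
# Entries marked "page" come from the post; the rest are assumed well-known values.
SERVICES = {
    "FW1":                      (6, 256),     # assumed: TCP 256
    "FW1_topo":                 (6, 264),     # assumed: TCP 264
    "FW1_pslogon":              (6, 18207),   # assumed: TCP 18207
    "RDP":                      (17, 259),    # assumed: Check Point RDP, UDP 259
    "IKE":                      (17, 500),    # assumed: UDP 500 (ISAKMP in 4.0)
    "FW1_Encapsulation":        (94, None),   # page: ip_p=94
    "ESP":                      (50, None),   # page: ip_p=50
    "VPN1_IPSEC_encapsulation": (17, 2746),   # page: UDP 2746
    "VPN1_UDP_Encapsulation":   (17, 2746),   # assumed: same UDP 2746 under NG
    "FW1_pslogon_NG":           (6, 18231),   # page: TCP 18231
    "Tunnel-Test":              (17, 18234),  # page: UDP 18234
}
# Rules as (source, destination, services, bidirectional); bidirectional models the
# rules above that list both Client->FireWall and FireWall->Client.
GENERAL = [
    ("securemote-Client", "Remote-Mgmt-Server", ("FW1", "FW1_topo", "FW1_pslogon"), False),
    ("securemote-Client", "Remote-FireWall", ("RDP", "IKE"), False),
]
EXTRA = {  # the additional rule for each remote-site mode, added on top of GENERAL
    "fwz-encap": [("securemote-Client", "Remote-FireWall", ("FW1_Encapsulation",), True)],
    "ike":       [("securemote-Client", "Remote-FireWall", ("ESP",), True)],
    "udp-encap": [("securemote-Client", "Remote-FireWall", ("VPN1_IPSEC_encapsulation",), True)],
    "ng-office": [("securemote-Client", "Remote-FireWall",
                   ("FW1_pslogon_NG", "IKE", "VPN1_UDP_Encapsulation", "Tunnel-Test"), False)],
}
# A packet as the firewall sees it: dport is None for protocols without ports.
Packet = namedtuple("Packet", "src dst proto dport", defaults=(None,))

def service_matches(name, pkt):
    proto, port = SERVICES[name]
    return pkt.proto == proto and (port is None or pkt.dport == port)

def evaluate(pkt, mode):
    """Name of the service that permits pkt under GENERAL + EXTRA[mode], or None
    (implicit drop). Stateless: replies to one-way rules are left to state tracking."""
    for src, dst, services, bidir in GENERAL + EXTRA[mode]:
        forward = (pkt.src, pkt.dst) == (src, dst)
        reverse = bidir and (pkt.src, pkt.dst) == (dst, src)
        if not (forward or reverse):
            continue
        for name in services:
            if service_matches(name, pkt):
                return name
    return None
```

Feeding it the protocol and port of a packet the local firewall logged as dropped shows which mode-specific service is missing from the rulebase (for example, ESP arrives but only the fwz encapsulation rule was added).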
