Di_Junior (Advisor)

Cannot disable IPSec blade on the gateway

Dear Mates

I need your urgent help.

I have enabled the IPSec blade on one of our clusters, and I now need to disable it because it may be causing some issues with another IPSec that we use from a vendor within our network.

When I try to disable IPSec, it shows the message in the image below:

When I check where used, it shows all the entries in the image below, but I don't know how. Could you kindly help me on how I can proceed with the disabling of IPSec on this cluster object? My fear is that if I disable IPSec it may cause some problem.

Please help out.

Thanks in advance

14 Replies
Di_Junior (Advisor)

I forgot to add this picture.

Timothy_Hall (Legend)

The use of the firewall object in an automatic NAT setup (which is what is shown in your screenshot) shouldn't matter with regard to unchecking the IPSec VPN blade.  However if you scroll down in that References list I imagine you will see the firewall explicitly specified in a Firewall policy rule as the Install On gateway, and that same rule also specifies a VPN Community object in the VPN column.  Or the firewall object is defined as a participating gateway in a VPN Community object.  If you were to uncheck the IPSec VPN blade in this case and attempt to install policy this will almost certainly cause a policy verification failure.

Please post a screenshot of where else the firewall object is used other than "NAT->the_firewalling_obj" for further analysis.  And be sure to take a Database Revision before trying to make this change if you are using R77.30 management just in case.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
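An added example, not part of the thread, that applies the triage above to the references list: it classifies the output of the Management API "where-used" command into NAT references (harmless), access rules installed on this gateway (open them and check the VPN column) and VPN community membership (blocks the blade change). The JSON below is a constructed stand-in for that command's response; the section names and the "type" and "rule-columns" fields follow the response layout as I know it, but every value is invented and the exact column names are an assumption to verify against real output. The object name "my_cluster" is likewise an assumption.

```python
"""Triage a "where-used" result for a gateway object before unchecking its
IPsec VPN blade.

On the management server (assumed object name):
    mgmt_cli -r true where-used name "my_cluster" --format json > refs.json
then load refs.json and pass it to triage().
"""
import json

# Constructed sample of a where-used response; values are invented and the
# field names are an assumption to check against your own output.
SAMPLE_WHERE_USED = json.loads("""
{
  "used-directly": {
    "total": 4,
    "objects": [
      {"name": "Branches_Star", "type": "vpn-community-star"}
    ],
    "access-control-rules": [
      {"rule": {"name": "Branch VPN traffic"}, "package": {"name": "Standard"},
       "layer": {"name": "Standard Network"}, "position": 12,
       "rule-columns": ["install-on"]},
      {"rule": {"name": "Admin to gateway"}, "package": {"name": "Standard"},
       "layer": {"name": "Standard Network"}, "position": 3,
       "rule-columns": ["destination"]}
    ],
    "nat-rules": [
      {"rule": {"name": ""}, "package": {"name": "Standard"}, "position": 1,
       "rule-columns": ["translated-source"]}
    ]
  },
  "used-indirectly": {"total": 0, "objects": [],
                      "access-control-rules": [], "nat-rules": []}
}
""")

SAFE, REVIEW, BLOCKER = "safe", "review", "blocker"


def triage(where_used):
    """Classify every reference to the gateway.

    blocker: the gateway participates in a VPN community; policy verification
             fails once the blade is off.
    review:  an access rule is installed on this gateway; check whether its
             VPN column names a community (that combination also fails).
    safe:    NAT rules and plain source/destination uses, which do not depend
             on the IPsec VPN blade.
    """
    findings = []
    for scope in ("used-directly", "used-indirectly"):
        section = where_used.get(scope, {})
        for obj in section.get("objects", []):
            kind = obj.get("type", "")
            if kind.startswith("vpn-community"):
                findings.append((BLOCKER, f"member of VPN community {obj['name']}"))
            else:
                findings.append((REVIEW, f"referenced by {kind} object {obj['name']}"))
        for ref in section.get("access-control-rules", []):
            cols = ref.get("rule-columns", [])
            where = (f"{ref['package']['name']} / {ref['layer']['name']} "
                     f"rule {ref['position']} ({ref['rule'].get('name') or 'unnamed'})")
            if "install-on" in cols:
                findings.append((REVIEW, f"{where}: installed on this gateway, check its VPN column"))
            else:
                findings.append((SAFE, f"{where}: used in {', '.join(cols)} only"))
        for ref in section.get("nat-rules", []):
            findings.append((SAFE, f"{ref['package']['name']} NAT rule {ref['position']}: NAT reference"))
    return findings


def blade_can_be_disabled(findings):
    """True when nothing was classified as a blocker (review items still need a look)."""
    return not any(level == BLOCKER for level, _ in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_WHERE_USED)
    for level, text in results:
        print(f"[{level:7}] {text}")
    print("safe to uncheck blade:", blade_can_be_disabled(results))
```

The "review" bucket exists because where-used tells you the gateway sits in a rule's Install On column but not what that rule's VPN column contains; that second check still has to be done in SmartConsole or with a follow-up API query before the blade is unchecked.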
Di_Junior (Advisor)

I have done it, and I had no further impact. Thanks for your feedback.

I would like to take this opportunity to ask an additional question: if you have an external cluster that leads to the public Internet, and an internal cluster to control your internal resources, is it possible to allow the Remote Access to be on the internal cluster instead of the external cluster? If yes, how?

Thank you once again 

Timothy_Hall (Legend)

I'm assuming that your ISP-routable space ends at the external cluster and you are using some kind of RFC1918 space on the screened subnet (or whatever the network is) between the external cluster and the internal cluster.  Terminating remote access VPNs on the internal cluster is definitely possible assuming you set "Statically NATted IP" on the Link Selection screen under IPSec VPN on the internal cluster object.  The address you put here is whatever Internet-routable Static NAT address has been allocated to the internal cluster by the external cluster.

Di_Junior (Advisor)

Hi Tim,

I have one final question for you with regard to this scenario.

I have replicated the lab into production and it is working perfectly. When a client on the remote site accesses the VPN, it gets the Office Mode IP address, but when it accesses an internal server and I run Wireshark, the IP that appears there is an IP that belongs to Network N, which means the Office Mode address is being NATed.

I would like to know if, in my implementation scenario, it is possible to stop NATing so that the Office Mode IP gets to Network N without being NATed? If yes, can you give an idea about the NAT rule?

By the way, your book is on its way to me, and I am sure it will be very handy.

Thank you

Timothy_Hall (Legend)

If you are using the default CP_default_Office_Mode_addresses_pool object for the Office Mode address, it has NAT enabled on it by default.  Just go to the NAT tab on that object and uncheck it.  If you are using some other object, you may need to add a manual anti-NAT rule for the Office Mode range at the top of your NAT policy.

Di_Junior (Advisor)

Hi Tim,

I am using some other object and created a manual NAT rule, and it worked just fine.

In your personal opinion, in terms of security, which way is the best:

1. Office Pool being NATed

2. Office Pool not being NATed

Thank you

Timothy_Hall (Legend)

NATing the Office Mode address isn't really a matter of increasing security, but ensuring proper routing behavior for traffic returning to the firewall for encryption back into the Remote Access VPN tunnel.  Normally you don't need to NAT Office Mode addresses, and you just specify an IP subnet for the Office Mode assignments that your internal network is guaranteed to return to that same firewall in a symmetric fashion.

One situation where you might NAT Office Mode addresses is in a Multiple Entry Point (MEP) VPN scenario which involves several firewalls at different locations with their own Internet connections, and a backend WAN connecting all the different sites as well.  In some cases Remote Access VPN traffic might enter the inside network via Firewall A, but then try to asymmetrically return to the Internet through Firewall B located at another site which will not work.  If you are not able to correct the routing inside your network due to technical or political reasons, performing NAT on the source IP of the Office Mode traffic at Firewall A and making it an address that is guaranteed to be returned to Firewall A symmetrically can help avoid this issue.

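An added example, not from the thread, that plays through the symmetric-return argument above: a small longest-prefix-match routing simulation traces an internal server's reply to a Remote Access client's Office Mode address and reports whether it arrives back at the firewall that holds the tunnel, first with the raw Office Mode address and then with the source NATed to a range that only routes to that firewall. The two-site topology (FW-A and FW-B with their own Internet links, CORE-A and CORE-B joined by a WAN), the prefixes and the route tables are all constructed for illustration and are not the poster's network.

```python
"""Check whether a server's reply to an Office Mode address returns through
the firewall that terminated the Remote Access tunnel, with and without
source NAT of the Office Mode range.
"""
import ipaddress

# Constructed route tables: node -> [(prefix, next hop)]. "LOCAL" delivers the
# packet on this node; a next hop that is not a node (INTERNET) is a sink.
TOPOLOGY = {
    "CORE-A": [("10.1.0.0/16", "LOCAL"), ("10.1.250.0/24", "FW-A"),
               ("10.2.0.0/16", "CORE-B"), ("10.99.0.0/24", "FW-A"),
               ("0.0.0.0/0", "FW-A")],
    "CORE-B": [("10.2.0.0/16", "LOCAL"), ("10.1.0.0/16", "CORE-A"),
               ("0.0.0.0/0", "FW-B")],          # no route for the Office Mode pool
    "FW-A":   [("10.99.0.0/24", "LOCAL"),        # Office Mode pool, terminated here
               ("10.1.250.0/24", "LOCAL"),       # NAT range for Office Mode clients
               ("10.1.0.0/16", "CORE-A"), ("10.2.0.0/16", "CORE-A"),
               ("0.0.0.0/0", "INTERNET")],
    "FW-B":   [("10.2.0.0/16", "CORE-B"), ("0.0.0.0/0", "INTERNET")],
}

OFFICE_MODE_POOL = "10.99.0.0/24"   # assumed pool handed out by FW-A
OFFICE_MODE_NAT = "10.1.250.0/24"   # assumed NAT range, routed only to FW-A


def lookup(routes, dst):
    """Longest-prefix-match lookup; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def check_return(topology, entry_fw, first_hop, client_ip, max_hops=16):
    """Trace the reply to client_ip from the server's default gateway.

    Returns (symmetric, path); symmetric is True only if the reply is
    delivered on entry_fw, the gateway that holds the client's tunnel.
    """
    node, path = first_hop, [first_hop]
    for _ in range(max_hops):
        next_hop = lookup(topology[node], client_ip)
        if next_hop is None:
            return False, path                    # dropped: no route
        if next_hop == "LOCAL":
            return node == entry_fw, path         # delivered on this node
        path.append(next_hop)
        if next_hop not in topology:
            return False, path                    # left the network (INTERNET)
        node = next_hop
    raise RuntimeError("routing loop: " + " -> ".join(path))


def nat_office_mode(client_ip, pool=OFFICE_MODE_POOL, nat_range=OFFICE_MODE_NAT):
    """Static 1:1 translation of an Office Mode address into the NAT range
    (same host offset), the kind of source NAT Firewall A would apply."""
    src, dst = ipaddress.ip_network(pool), ipaddress.ip_network(nat_range)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NAT range must be the same size as the Office Mode pool")
    offset = int(ipaddress.ip_address(client_ip)) - int(src.network_address)
    return str(dst.network_address + offset)


if __name__ == "__main__":
    client = "10.99.0.7"
    # A server at site B (default gateway CORE-B) replies to the raw Office Mode IP.
    print("no NAT, site B server:", check_return(TOPOLOGY, "FW-A", "CORE-B", client))
    # The same server replies to the NATed source instead.
    print("NAT, site B server:   ", check_return(TOPOLOGY, "FW-A", "CORE-B", nat_office_mode(client)))
    # A server at site A never had the problem.
    print("no NAT, site A server:", check_return(TOPOLOGY, "FW-A", "CORE-A", client))
```

In the constructed topology the site B reply to 10.99.0.7 follows CORE-B's default route to FW-B and leaves for the Internet, so the tunnel at FW-A never sees it; adding a route for the pool at site B fixes it (the "correct the routing" option), and so does NATing the source into 10.1.250.0/24, which site B already routes towards site A. The NAT option trades away the per-client address in server logs, which is the only security-relevant difference between the two choices discussed above.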
Di_Junior (Advisor)

Thanks for your valuable comment Mate... Much appreciated.

The figure below depicts our current setup, and we want to terminate the VPN connection on the internal gateway because that gateway can reach all the networks that we want. So based on the figure, which address in the simulated networks below should be statically NATed, and to which address?

Once again thank you for your time.

Timothy_Hall (Legend)

Allocate an unused Public IP, and on the External Firewall statically NAT it to the Internal firewall's interface address on Network C.  Then set the Internal Firewall's VPN Link Selection Static NAT to the value of the assigned Public IP.  You will also need a rule in your Firewall/Network Policy Layer on the External Firewall permitting a service of Any, source Any to the Internal Firewall's public NAT address.

Di_Junior (Advisor)

Thank you very much Timothy Hall, I will try that first in my lab environment, and then give you the feedback of my experience.

Di_Junior (Advisor)

Hi Tim,

I have followed your instructions and the Site is not responding.

I have created the same scenario in a lab first, and this is what I am doing.

Public IP: 192.168.1.3 NATed to 10.10.3.1 (the internal firewall address in network C)

Internal Firewall Link Selection to: 192.168.1.3

The last part about the Firewall/Network policy is what I don't understand very well. Could you please elaborate more on that? Do I only need one policy on the external firewall? Don't I need another policy on the internal cluster?

Thanks in advance

Di_Junior (Advisor)

Hi Tim,

I followed the instructions you have shared but I am getting the following problem:

1. The site is not responding when I try to connect

2. When I check the log in SmartView Tracker, the traffic going to the public IP that was statically NATed to the internal firewall is getting there as HTTP and HTTPS, not IKE traffic.

Any thoughts as to what could be causing this.

Kind regards

Di_Junior (Advisor)

Hi again Tim,

I finally got it up and running.

Your contribution helped me a lot. I had to enable the Sticky Forwarding Function because our cluster is in Load Sharing mode. Then everything worked just fine.

Thank you
