How to allow ssh to DMZ web server?
I have a web server in my office.
It has 2 IP addresses: a DMZ IP address and a Global Internet IP address.
The administrator of the web site can connect to it by SSH via its Global Internet IP address.
My question is this:
How do I make the Administrator connect to its DMZ IP address in order to be secure?
In the access lists, I did the following (current rule):
Source: IP address of Administrator (local internal IP address, example: 192.168.20.xx)
Destination: IP address of DMZ web server (192.168.21.xx)
Service: SSH, SSH v2
Action: Accept
On the right side of SmartConsole, where the hosts are located, when I created the host DMZ WEB SERVER I assigned the IP address 192.168.21.xx, and in the NAT settings I assigned its Global Internet IP address.
Now the Administrator can connect to its Global Internet IP address.
How do I connect to its DMZ IP address?
Labels: Policy Installation, SmartConsole
Tags: access-rule
It is not exactly clear what you are trying to achieve. Do you want to connect to the DMZ internal IP address from the Internet or from your own internal network?
I am trying to achieve this: I want to connect to the DMZ web server's internal IP address from my internal network. Despite the correct rule, it does not allow me to connect. I can only connect to the DMZ web server's OUT address.
I don't want to go OUT to the Internet and then connect to the DMZ. I want to connect directly to my DMZ from my internal network.
Okay, clearer now.
The rule you have should allow internal network connectivity to the internal DMZ IP address. Check the routing inside the network. The best option is to run fw monitor on the FW to see what's going on.
1. Why does the admin with the current rule have access to the DMZ web server's global Internet (outside) IP address?
2. How should I restrict access to the DMZ web server's global Internet IP address and allow access only to the DMZ internal IP address?
3. How do I check routing in the network? From SmartConsole or on the CP gateways?
4. What is fw monitor and how do I run it?
Q: Why does the admin with the current rule have access to the DMZ web server's global Internet (outside) IP address?
A: If you have configured NAT on the object and did not create a manual rule, the access rule with the DMZ object as destination covers both the real and the NAT-ed IPs of your DMZ server.
Q: How should I restrict access to the DMZ web server's global Internet IP address and allow access only to the DMZ internal IP address?
A: By creating specific policy rules. It is hard to tell you without looking at your system config.
Q: How do I check routing in the network? From SmartConsole or on the CP gateways?
A: Windows: route print
Linux: netstat -rn
Q: What is fw monitor and how do I run it?
A: fw monitor is a special CLI tool to trace packets through your FW. More details here: What is FW Monitor?
1. What does "creating a manual rule" mean?
2. I have a rule: host A from the local LAN (192.168.10.1) destined to the DMZ web server (192.168.11.1) - Accept. But host A still cannot access the DMZ web server. Why?
It is hard to say why, but I suspect a network-level connectivity issue. Check the routing all the way to the DMZ server and run fw monitor to see how packets are crossing the FW.
I checked the routing. All default routes go to the cluster IP of the local LAN (192.168.10.200).
And there are 3 cluster IPs: the local LAN's, the DMZ's and the external one.
Make sure the connection to the DMZ is not dropped by the FW. Check the logs and verify your connection is not dropped. Run fw monitor to see what happens with the packets of such a connection in both the C2S and S2C directions. If you are still unable to put your finger on the issue, ask your colleagues with more experience in troubleshooting or open a support call with TAC.
Use some kind of remote access VPN; with Check Point you can use the Endpoint Connect or Mobile Access blade.
On the web server, create a static route pointing back to the FW (in my case the traffic was going out according to NAT and wasn't able to get back).
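The asymmetric-routing failure behind that last fix, reproduced as an added example that is not part of the thread: a longest-prefix-match lookup over the web server's constructed routing table shows the reply to the LAN admin (192.168.10.1) leaving via the Internet-facing interface until a static route for the LAN via the firewall's DMZ leg is added. It assumes the server has a second, Internet-facing interface carrying its default route, and that the DMZ cluster IP is 192.168.11.200 (the thread does not give that value).

```python
import ipaddress

# Constructed addresses modelled on the thread. The DMZ cluster IP and the
# ISP gateway are assumptions; the thread only gives the LAN-side values.
ADMIN = "192.168.10.1"        # LAN host A from the thread
DMZ_GW = "192.168.11.200"     # assumed DMZ-side cluster IP of the firewall
INET_GW = "203.0.113.1"       # constructed ISP gateway (documentation range)


def lookup(routes, dst):
    """Longest-prefix match: return (network, gateway, iface) for dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best


def reply_path(routes, client):
    """Interface and next hop the server uses for its reply to `client`."""
    _, gw, iface = lookup(routes, client)
    return iface, gw


def is_symmetric(routes, client, ingress_iface):
    """A stateful firewall only sees the reply if it leaves on the same
    leg the request arrived on; otherwise the SSH session never completes."""
    iface, _ = reply_path(routes, client)
    return iface == ingress_iface


# Before the fix: connected networks plus a default route via the ISP.
BEFORE = [
    ("192.168.11.0/24", None, "dmz"),
    ("203.0.113.0/24", None, "inet"),
    ("0.0.0.0/0", INET_GW, "inet"),
]
# After the fix: the static route from the last post, sending the LAN
# prefix back through the firewall's DMZ cluster IP.
AFTER = BEFORE + [("192.168.10.0/24", DMZ_GW, "dmz")]

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, reply_path(table, ADMIN),
              "symmetric:", is_symmetric(table, ADMIN, "dmz"))
```

The same check applied to the real box is `netstat -rn` (or `route print`) on the server: the LAN prefix must resolve to the DMZ interface, not to the default route.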
