Accessing the firewalls directly once VPN-ed in

the_rock · ‎2021-01-23

Hey guys,

Im sorry if this may seem like a silly inquiry, but its baffling to me why it fails. So I was trying to test something with the customer and we cant seem to figure it out. So, here is the situation...what we would like to be able to do is get direct ssh access to the firewalls once you connect via vpn endpoint client.

We created a rule on top saying from office mode net to the cluster, allow on ssh, but that does not seem to work. There are few layers below and on vpn layer, parent rule is simply office mode net to any on vpn layer itself and then one of rules below allows the access. Same for internal layer...here is the kicker...the 2nd rule we created, which is to block pings from anywhere to firewall also does not seem to do anything, as it has 0 hits, but pings to cluster are blocked by the last implicit clean up rule.

Anyway, they simply want to be able to give ssh access to certain people when they connect to vpn, so they dont need to remote desktop further into anything. I checked office mode community and it shows that vpn domain is set for everything behind the gateways based on topology, so that seems correct.

Any suggestions/insight would be helpful. I talked to TAC about it and they have no clue and to make it worse, they dont even want to bother trying...such a waste of time.

Tx!

PhoneBoy · ‎2021-01-23

Send me the SR in a PM.
The funny thing is the Security Gateway is always in the encryption domain, so you should be able to reach the Security Gateway, assuming there's a rule in place.
Is there ANY attempts showing in the logs when you try to connect to the Security Gateway via ssh? (Search on the destination IP, not the source)

the_rock · ‎2021-01-23

See, thats another hot mess problem with this...its a **bleep** cloud instance and its so useless when it comes to parsing logs (thats the case I opened with TAC). The thing is, I get it has to go through whole rulebase, even layers, so if the very first rule, which is NOT layered rule, allows ssh and then same rule exists in vpn AND internal layer, then it makes no sense at all why it fails and all I see in the logs when I filter is ssh is blocked on clean up rule, which makes no sense at all.

Andy

PhoneBoy · ‎2021-01-23

If the rulebase uses multiple ordered layers, the traffic must hit an accept rule in each ordered layer.
If you're hitting a cleanup rule in a specific layer, that means no other rule in that layer is matching the traffic.
Which points to either the appropriate rule being missing or a bug.

the_rock · ‎2021-01-23

Well, below is what I did to fix it...I showed TAC clearly how it was configured and they said "that looks fine", thought thats their typical response for 99% of the things...:). Anyway, looks good now, Man, sometimes I miss old ipso and Nokia days, so nice and simple...

To fix it, I added layer towards the top that said from anywhere to cluster, created new layer and then added allow rule to cluster from accessrole vpn group on desired services and explicit clean up as 2nd layered rule...done.

Thanks D.

Andy

PhoneBoy · ‎2021-01-23

I remember the days before Nokia IPSO 🙂

the_rock · ‎2021-01-23

Im sure both you and Jason Ingram, hehe 😉

PhoneBoy · ‎2021-01-23

Coming up on 25 years myself...this April 😳

the_rock · ‎2021-01-23

Thats quite something...but, it also makes you an "old" man at the same time ;))

PhoneBoy · ‎2021-01-24

Experienced. Seasoned. 🙂

genisis__ · ‎2022-01-23

Hey was he not chap that developed ghost?

Are you a member of CheckMates?

Accessing the firewalls directly once VPN-ed in