Once upon a time I wrote:

Hi!

I have a network with some offices around Europe. Every office has a FW-1.
Between the FW-1's there's a full mesh network of VPN tunnels over the Internet.
Every office has its own subnet, and all Internet traffic goes through the
local FW-1. Every FW-1 is the VPN server for its own employees.

After authentication VPN-1 decrypts the encrypted packet from the client and
transmits it onto the internal network, keeping its original source address.
When the destination machine sends the reply, VPN-1 encrypts it and sends it to
the client. The source and destination addresses are the same on both sides of
the decryption/encryption. This requires that the reply goes out through the
same FW-1 as the original packet came in through.

This is not a problem as long as a Stockholm employee connected to the Stockholm
VPN-1 is accessing machines in the Stockholm network, but when he tries to
access a machine in the London network, the destination machine sends its reply
through the London FW-1, which doesn't recognize the packet as belonging to the
VPN session. Therefore it's never encapsulated and encrypted, and the client
drops it.

What is the solution for this? Is it possible to make a rule that masquerades
the address of the VPN client using the internal address of FW-1, making the
London machine send the reply to the Stockholm FW-1? Wouldn't this approach
cause problems if the client machine tried to access some public resources on
the DMZ at the same time as it's connected through the VPN session? Will FW-1
masquerade these packets as well? If so, is it a problem?

One idea is to masquerade the whole freaking Internet to the internal address of
the FW-1... fun idea, but every cell in my brain screams "Nooo!". ;)

Any ideas?

/P


And I got one answer:

On 2001-04-03 15:03, Security Admin wrote to The Pal / Patrik Bodin and...:

SA> See CheckPoint's NAT pools and a paper called Multiple Entry Points (MEP).
SA> You can download it from Check Point's public support page.



So I revised my question to:



The MEP solution is not applicable since there are no dedicated lines connecting
the offices, the connections are FW-1 VPN tunnels. When FW-1 sets up a VPN
connection it sends its network topology to the connecting party. The problem is
that you can only define this topology table once, and there's (AFAIK) no way to
have different network topologies depending on who's connecting. This makes it
hard for me, since when the Stockholm FW-1 sets up a VPN connection to the
London FW-1 I only want the Stockholm FW-1 to send the Stockholm network
topology to London, but when a SecuRemote client sets up a VPN connection to the
Stockholm FW-1 I want the Stockholm FW-1 to send a network topology including
both the Stockholm networks and the London networks (and of course all other
networks behind the other VPN connections).

Is there any way to do this?

Apart from the above, IP NAT Pools seem to be a good thing for trying to solve my
problem.

Is there anyone out there that can get anything at all out of the confused text
mass above? ;)

/P
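The return-path problem described in the thread, as an added Python simulation that is not part of the original posts: two FW-1 gateways joined by a mesh tunnel, and the London server's reply traced once with the SecuRemote client's real address preserved and once with the client hidden behind an address from a Stockholm NAT pool. All addresses, pool ranges and gateway names are constructed for the example.

```python
import ipaddress

# Constructed topology for the simulation; not the poster's real addressing.
LANS = {
    "stockholm": ipaddress.ip_network("10.1.0.0/16"),
    "london": ipaddress.ip_network("10.2.0.0/16"),
}
# One NAT pool per gateway: internal addresses it can hide SecuRemote clients behind.
NAT_POOLS = {
    "stockholm": ipaddress.ip_network("10.1.250.0/24"),
    "london": ipaddress.ip_network("10.2.250.0/24"),
}
CLIENT = ipaddress.ip_address("192.0.2.10")        # SecuRemote client's Internet address
LONDON_SERVER = ipaddress.ip_address("10.2.0.20")  # host in London the client talks to


def next_hop(gw, dst):
    """Routing decision at an office FW-1: own LAN, a peer office's LAN or
    NAT pool (reached through the mesh tunnel), otherwise the Internet."""
    if dst in LANS[gw]:
        return "lan"
    for peer in LANS:
        if peer != gw and (dst in LANS[peer] or dst in NAT_POOLS[peer]):
            return "tunnel:" + peer
    return "internet"


def reply_path(use_nat_pool):
    """Trace the London server's reply towards a client that authenticated to
    the Stockholm gateway. Returns (hops, True if it reaches the client encrypted)."""
    # Only the gateway the client authenticated to holds its SecuRemote session.
    sessions = {"stockholm": {CLIENT}, "london": set()}
    # Inner source address the London server saw after decryption.
    src = next(NAT_POOLS["stockholm"].hosts()) if use_nat_pool else CLIENT
    # The hide-NAT mapping lives only on the gateway that created it.
    nat = {"stockholm": {src: CLIENT} if use_nat_pool else {}, "london": {}}
    gw, dst, hops = "london", src, ["london_server"]   # server's default gateway is the London FW-1
    for _ in range(len(LANS)):                         # at most one visit per gateway
        hops.append(gw + "_fw")
        dst = nat[gw].get(dst, dst)                    # undo NAT if this gateway owns the mapping
        if dst in sessions[gw]:
            hops.append("encrypted_to_client")         # session found: encapsulate and encrypt
            return hops, True
        hop = next_hop(gw, dst)
        if hop == "internet":
            hops.append("cleartext_to_internet")       # no session here: reply leaves unencrypted, client drops it
            return hops, False
        gw = hop.split(":", 1)[1]                      # carried to the peer inside the site-to-site tunnel
    return hops, False
```

Without the pool the reply exits the London FW-1 in the clear; with a Stockholm pool address the London FW-1 routes it back through the mesh tunnel, where the Stockholm FW-1 undoes the NAT and finds the session.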
