The problem will remain the same as all 3 IPs will be in the same
TCP/IP stack/routing space and only one default route will/can be applied.
Also, when traffic passes thru HQ's NGX firewall it will be treated as
spoofing (internet traffic coming from an internal interface). If I
disable it, the back traffic will be routed to HQ's Internet link instead of
the originating entry.
Dealing with different IPs for different countries = trying to map external IP
blocks that are designated for each country is never 100% accurate.
[]'S
--
Antonio Costa
[EMAIL PROTECTED]
TI - Analista de Redes e Segurança
CCSE PLus / CCNA
MCSE / LinuxAdmin
Odebrecht Engenharia e Construção
Matriz Villa Lobos - São Paulo/SP
Av. Nações Unidas 4777, 11o. Andar
Tel.: +55-11-3443-9813/9000
Fax.: +55-11-3443-9861
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] Behalf Of Reinhard Stich
Sent: Friday, January 19, 2007 7:09 PM
To: [email protected]
Subject: Re: [FW-1] Multiple MX on different Internet providers, one
SMTP Clustered server
hi,
what about having 3 IPs on your anti-spam box and
dealing with different IPs for different countries?
br
reinhard
At 21:42 19.01.2007, you wrote:
>Hi guys,
>
> I have an issue that was solved using Juniper boxes. Guess if there's any
>way to implement it using Checkpoint:
>
> Scenario:
>
> Datacenter as center of the internal network and one Cluster of two
>VPN-1 Power gateways.
>
> 3 countries with border firewalls attached to Internet.
>
> All four countries are connected internally using an MPLS network.
>
> Problem:
>
> Need to wait for a local IronPort Anti-Spam solution at each of the remote
>3 countries and need a SMTP MX entry point on each country.
>
> Cannot use only Static NAT 'cause the back traffic of each connection must
>flow the same way as entered.
>
> Example: if a connection arrives at UK firewall and comes from internet,
>it will be NATed and directed internally, pass thru the headquarter's
>firewall and be delivered at the SMTP server, but when this server answers,
>traffic must follow back thru HQ's firewall, follow UK's network path and
>exit to the internet.
>
> Source NAT cannot be used as the IronPort must check incoming IP at each
>SMTP session.
>
>Solution applied using Juniper firewalls:
>
> Between the HQ's firewall and the IronPort firewall was placed a Juniper
>firewall. IP address of the IronPort was changed to a new one from the
>Juniper internal network and all DNS changes and HQ's NAT config were done
>to comply with this change.
>
> At each border firewall is created a Tunnel interface with a false IP
>address (192.168.xxx.1) and one route to the HQ's Juniper internal network
>thru the other end of the Tunnel's IP address.
>
> Tunnels run with basic encryption and shared keys to a new Juniper next
>to the IronPort server.
>
> At the Juniper firewall next to the IronPort server were created 3 new
>virtual routers with one Tunnel each. These tunnels also have false IP
>addresses (192.168.xxx.2) and a default route to the other end of the
>tunnel's IP address (192.168.xxx.1).
>
>Example:
>
> From an Internet Linux site I opened an FTP session to the NAT IP in UK
>and uploaded a 1Gb file, and everything was accepted at UK's firewall, sent
>to HQ's firewall thru the tunnel and reached the testing FTP server, and
>all control traffic flew back thru the tunnel.
>
> While that, another FTP session was started from the same Linux site to
>the NAT IP in HQ and also uploaded another 1Gb file, and everything was
>accepted at HQ's firewall, sent to the server and all control traffic flew
>back thru HQ site's internet link.
>
> All connections started in the testing FTP server to any internet site
>will follow the HQ's default gateway path and will never follow thru the
>IPsec tunnels.
>
>What made this possible
>
> Inbound and outbound interface of each session is stored into Stateful
>Inspection control tables at Juniper firewalls.
>
> Once the inbound traffic is accepted from an interface, the outbound back
>traffic will always exit thru the same interface.
>
>Current task
>
> Perform the same solution with Checkpoint using remote Juniper firewalls
>as tunnel peers.
>
>
>[]'S
>
>--
>Antonio Costa
>
>[EMAIL PROTECTED]
>TI - Analista de Redes e Segurança
>CCSE PLus / CCNA
>MCSE / LinuxAdmin
> Odebrecht Engenharia e Construção
>
>Matriz Villa Lobos - São Paulo/SP
>Av. Nações Unidas 4777, 11o. Andar
>Tel.: +55-11-3443-9813/9000
>Fax.: +55-11-3443-9861
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================
--
Reinhard Stich [EMAIL PROTECTED]
Internet Security AG, 1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
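As an added illustration (not code from the thread or from either vendor): a small Python simulation of the session-based return-path pinning described under "What made this possible", contrasted with plain destination routing through the single default route that the reply above says is the limitation. Interface names, prefixes and addresses are constructed; the client destination is taken to be the post-NAT server address.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table of the HQ-side firewall: only one default route,
# so any reply routed by destination alone leaves via the HQ internet link.
ROUTES = [
    (ip_network("10.0.0.0/8"), "internal"),    # SMTP / IronPort network
    (ip_network("192.168.1.0/30"), "tun_uk"),  # tunnel "false" addresses
    (ip_network("192.168.2.0/30"), "tun_de"),
    (ip_network("0.0.0.0/0"), "hq_inet"),      # the single default route
]


def route_lookup(dst):
    """Plain destination-based routing: longest prefix match, no session state."""
    addr = ip_address(dst)
    net, iface = max(((n, i) for n, i in ROUTES if addr in n),
                     key=lambda m: m[0].prefixlen)
    return iface


class StatefulFirewall:
    """Stores the ingress interface per session and pins replies to it."""

    def __init__(self):
        self.sessions = {}  # (src, sport, dst, dport) -> ingress interface

    def forward(self, src, sport, dst, dport, ingress):
        """Client packet arriving on `ingress`; remember where it came in."""
        self.sessions.setdefault((src, sport, dst, dport), ingress)
        return route_lookup(dst)

    def reply(self, src, sport, dst, dport):
        """Server packet: look up the reversed 5-tuple. If the session exists,
        egress is the interface it entered on; otherwise fall back to routing."""
        ingress = self.sessions.get((dst, dport, src, sport))
        return ingress or route_lookup(dst)


def demo():
    fw = StatefulFirewall()
    # Constructed inbound SMTP session entering through the UK tunnel.
    fw.forward("203.0.113.5", 40000, "10.1.1.25", 25, "tun_uk")
    return {
        "stateless_reply": route_lookup("203.0.113.5"),                    # hq_inet
        "pinned_reply": fw.reply("10.1.1.25", 25, "203.0.113.5", 40000),   # tun_uk
        "outbound_mail": fw.reply("10.1.1.25", 50000, "198.51.100.9", 25), # hq_inet
    }


if __name__ == "__main__":
    for name, egress in demo().items():
        print(f"{name}: {egress}")
```

The stateless lookup shows the asymmetric return path (reply out the HQ link although the session entered via the UK tunnel); the pinned lookup shows the behaviour the thread wants, while a server-initiated connection with no stored session still follows the default route.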