Well this is fun.

I'm actually up and running to some degree, after a lot of fiddling.

* I did have to bypass the FW policy, it was blocking stuff like NetBIOS. Now 
CIFS, HTTP/S, DNS, ICMP, all the usual suspects seem to be traversing the VPN.
* I did get to manage the Edge from SmartCenter
* I still can't log into the Edge GUI by traversing the main network, it thinks 
my local address is spoofed.
* I had to turn off anti-spoofing for the remote site on the central firewall. 
I'm not sure how I feel about this.
* I did have to modify the VPN domains on the central fw to include everything 
except the remote site.
* For some reason, RDP sessions over the VPN initiate (I get a message saying 
that the client isn't configured for authentication, so I know they are talking 
to each other), but time out without ever connecting. I see the initial RDP 
passed in my logs. This might be the same problem we had to deal with in 
another context, where MS flags the RDP packets DF, and with the extra overhead 
of the VPN, the packets get dropped because they are too large.
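The DF problem in the last bullet comes down to arithmetic: ESP tunnel mode adds an outer IP header, ESP header, IV, CBC padding, trailer and ICV, so a full 1500-byte segment that Windows marks DF no longer fits a 1500-byte path once encrypted, while the small packets at session start (such as the one carrying the authentication message) still do. The script below is an added example, not code from this thread or from Check Point; it assumes IPv4, AES-128-CBC with HMAC-SHA1-96 by default, and lets other suites and NAT traversal be passed in as parameters.

```python
"""ESP tunnel-mode overhead against a 1500-byte path: why a DF-flagged RDP
segment can start a session and then stall.

Added example, not code from the thread or from Check Point. Assumes an IPv4
ESP tunnel with AES-128-CBC (16-byte IV, 16-byte block) and HMAC-SHA1-96
(12-byte ICV); other suites are passed in as keyword arguments.
"""

OUTER_IP = 20      # outer IPv4 header added in tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad-length (1) + next-header (1)
UDP_HDR = 8        # only present with NAT traversal (UDP/4500 encapsulation)
TCP_IP_HDRS = 40   # minimal IPv4 + TCP headers, used to derive an MSS


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes after encapsulation."""
    # CBC requires (payload + padding + trailer) to be a multiple of the block size
    pad = (-(inner_len + ESP_TRAILER)) % block
    udp = UDP_HDR if nat_t else 0
    return OUTER_IP + udp + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len


def max_inner_packet(path_mtu=1500, **suite):
    """Largest clear-text IP packet that still fits path_mtu once encapsulated."""
    for inner_len in range(path_mtu, 0, -1):
        if esp_tunnel_size(inner_len, **suite) <= path_mtu:
            return inner_len
    raise ValueError("path MTU too small for any payload")


def recommended_mss(path_mtu=1500, **suite):
    """TCP MSS to clamp at the gateway so DF segments never outgrow the tunnel."""
    return max_inner_packet(path_mtu, **suite) - TCP_IP_HDRS


def packet_fate(inner_len, df, path_mtu=1500, **suite):
    """What the encrypting gateway does with a packet, given its DF bit."""
    if esp_tunnel_size(inner_len, **suite) <= path_mtu:
        return "forwarded"
    # With DF set the gateway may not fragment: it drops the packet and returns
    # ICMP type 3 code 4 (fragmentation needed). If that ICMP is filtered on the
    # way back, the sender never learns the path MTU and the session just hangs.
    return "dropped, ICMP fragmentation-needed returned" if df else "fragmented"


if __name__ == "__main__":
    # A full-size 1500-byte segment with DF set, as a Windows RDP client sends,
    # beside the largest packet that still fits.
    for size, df in [(1500, True), (1500, False), (max_inner_packet(), True)]:
        wire = esp_tunnel_size(size)
        print(f"{size:4d} bytes, DF={df}: {wire} on the wire -> {packet_fate(size, df)}")
    print("clamp TCP MSS to", recommended_mss())
```

With the default suite a 1500-byte packet becomes 1560 bytes on the wire, so the largest inner packet that survives a 1500-byte path is 1438 bytes and the MSS to clamp is 1398; with NAT traversal the UDP header costs a further block, bringing the limit down to 1422. The same model explains why letting ICMP fragmentation-needed back through the firewalls matters as much as the clamp itself.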

--
be
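The spoofing complaint in the second and third bullets is an interface-topology mismatch rather than a real attack: the Edge's LAN port only knows its own subnet, so a management session that arrives on that port from the main office over MPLS carries a source address the port does not expect. The model below is an added example, not Check Point's code or the Edge's implementation; it uses constructed RFC 1918 placeholders (the thread only says "x.y.7.0") and shows adding the MPLS-reachable networks to the LAN topology as the alternative to switching the check off, which is the same trade-off the central firewall faces.

```python
"""Interface anti-spoofing modelled as a topology check.

Added example, not Check Point code. Each interface carries the networks
expected *behind* it; a packet whose source does not match its ingress
interface is logged as spoofed and dropped. Addresses are constructed
RFC 1918 placeholders standing in for the thread's "x.y.7.0".
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Interface:
    name: str
    external: bool                                   # True for the Internet-facing side
    networks: list = field(default_factory=list)     # networks legitimately behind it


@dataclass
class Gateway:
    interfaces: list
    antispoofing: bool = True
    log: list = field(default_factory=list)

    def internal_networks(self):
        return [n for i in self.interfaces if not i.external for n in i.networks]

    def check(self, ingress, src):
        """Return 'accept' or 'drop' for a packet from src arriving on interface ingress."""
        iface = next(i for i in self.interfaces if i.name == ingress)
        addr = ip_address(src)
        if self.antispoofing:
            if iface.external:
                # The Internet side may carry any source except our own internal ranges
                legit = not any(addr in n for n in self.internal_networks())
            else:
                legit = any(addr in n for n in iface.networks)
            if not legit:
                self.log.append(f"{ingress} src={src} reason=address spoofing")
                return "drop"
        return "accept"


REMOTE_LAN = ip_network("10.1.7.0/24")    # constructed: "network x.y.7.0" behind the Edge
MAIN_OFFICE = ip_network("10.1.1.0/24")   # constructed: the admin's network, reached over MPLS


def edge_as_shipped():
    """LAN topology that knows only the directly connected subnet."""
    return Gateway([Interface("WAN", True), Interface("LAN", False, [REMOTE_LAN])])


def edge_with_topology_fix():
    """Same gateway with the networks reachable via MPLS added to the LAN topology.

    Unlike disabling anti-spoofing, internal sources arriving on the WAN side
    are still dropped.
    """
    return Gateway([Interface("WAN", True), Interface("LAN", False, [REMOTE_LAN, MAIN_OFFICE])])


def simulate():
    """Management session over MPLS before and after the fix, plus a spoofed WAN packet."""
    shipped, fixed = edge_as_shipped(), edge_with_topology_fix()
    return {
        "mgmt_over_mpls_before": shipped.check("LAN", "10.1.1.50"),
        "mgmt_over_mpls_after": fixed.check("LAN", "10.1.1.50"),
        "spoofed_on_wan_after": fixed.check("WAN", "10.1.7.20"),
        "internet_on_wan_after": fixed.check("WAN", "198.51.100.7"),
        "log_before": shipped.log,
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

Run it and the first case drops with an address-spoofing log line, the same symptom the thread describes; after the topology change the session is accepted while a packet claiming a 10.1.7.x source on the WAN port is still refused.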
  


> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:FW-1-
> [email protected]] On Behalf Of East, Bill
> Sent: Tuesday, July 24, 2012 10:11 AM
> To: [email protected]
> Subject: Re: [FW-1] VPN for dummy
> 
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1 [mailto:FW-1-
> > [email protected]] On Behalf Of pkc_mls
> > Sent: Tuesday, July 24, 2012 10:03 AM
> > To: [email protected]
> > Subject: Re: [FW-1] VPN for dummy
> >
> > On 24/07/2012 3:42, East, Bill wrote:
> > > I've been adminning CP firewalls since version 2, but never needed
> > > to build a VPN on one. So now I have my old R65 firewall, a new Edge 32 N
> > > and very little clue. I created an object for the Edge, set up a star VPN
> > > in the GUI and managed to get a tunnel up and running. Now what? Do I need
> > > to build a new ruleset for traffic to pass? Can I manage the Edge from my
> > > SmartCenter?
> > Hi Bill,
> >
> > You can either set 'allow all encrypted' traffic in the vpn community,
> > or uncheck the box and create rules according to the allowed applications
> > between your sites.
> >
> > Edge policy, nat and vpn will be managed by the smartcenter, but the
> > system will still be managed by the edge webui.
> 
> Excellent, I have 'allow all encrypted' turned on. I also have "bypass NAT" 
> since this should be
> an internal --> internal connection. Should I bypass the default FW policy as 
> well?
> 
> >
> > > One more issue I don't understand, the VPN is meant to be a backup
> > > link for our main MPLS line. The Edge sits on network x.y.7.0 and will
> > > forward all traffic for that and another subnet when the main line is
> > > down. But if I try to go over the main line to manage it through the Web
> > > GUI, it thinks the traffic is spoofed, because it's coming in on the LAN
> > > interface, not the WAN. I can RDP to a machine on that subnet and manage
> > > it but that doesn't seem ideal.
> > >
> > > Is there a guide to a config like this?
> > Can you please detail how many external links you have on the edge?
> > (and how many external IPs)
> 
> Single external IP on Comcast's network, static public address. Single 
> internal IP on the LAN
> ports, RFC 1918. So you can get to the subnet I'm on either by going through 
> the tunnel or
> through the MPLS network (when it's up). Was this what you were looking for?
> 


This E-mail, along with any attachments, is considered confidential and may 
well be legally privileged. If you have received it in error, you are on notice 
of its status. Please notify us immediately by reply e-mail or call 
215-931-0300 / 800-228-8801 and then delete this message from your system. 
Please do not copy it or use it for any purposes, or disclose its contents to 
any other person. Thank you for your cooperation.
Scanned by Check Point Total Security Gateway.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
