You can create groups with exclusions, excluding your internal networks and any
others that would cause an overlap problem, like another S2S VPN domain, etc.,
and use this instead of the 0.0.0.0/32 object. Since you are using communities
you will probably want to exclude several services too.
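As an added illustration of the "group with exclusion" approach above (this is example code written for this page, not something posted in the thread or part of any Check Point product), the script below expands 0.0.0.0/0 minus a set of excluded prefixes into the explicit, non-overlapping CIDR blocks that such an object represents, and then applies the matching rule David describes further down: in a domain-based VPN the gateway selects the community from the topology (source in the local encryption domain, destination in the peer's), not from the rule. The RFC 1918 ranges, the 203.0.113.0/24 "other S2S peer" block and the 10.0.0.0/8 local domain are constructed placeholders, not values from the original posts.

```python
import ipaddress

# Constructed example: prefixes to carve out of 0.0.0.0/0 for the peer's VPN
# domain. The three RFC 1918 ranges stand in for the internal networks; the
# TEST-NET-3 block is an assumed placeholder for another site-to-site VPN peer
# domain that would otherwise overlap.
EXCLUDED_PREFIXES = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "203.0.113.0/24",  # assumed: another S2S VPN peer domain
]


def networks(prefixes):
    """Parse a list of CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(p) for p in prefixes]


def complement_prefixes(excluded, universe="0.0.0.0/0"):
    """Return the sorted list of CIDR blocks equal to `universe` minus every
    prefix in `excluded`, i.e. what a 'group with exclusion' expands to."""
    remaining = [ipaddress.ip_network(universe)]
    for ex in networks(excluded):
        carved = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                                 # swallowed entirely
            if ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))   # split around the hole
            else:
                carved.append(net)                       # disjoint, keep as is
        remaining = carved
    return sorted(remaining)


def domain_size(domain):
    """Total number of addresses covered by a list of networks."""
    return sum(net.num_addresses for net in domain)


def overlaps_any(domain, prefixes):
    """True if any block of `domain` overlaps any of `prefixes`."""
    return any(a.overlaps(b) for a in domain for b in networks(prefixes))


def in_domain(address, domain):
    """True if `address` falls inside any network of `domain`."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in domain)


def selects_community(src, dst, local_domain, peer_domain):
    """Domain-based VPN: the community is chosen from topology, not from the
    rule. Traffic is VPN traffic only when source and destination fall in the
    local and peer encryption domains (in either direction); anything else
    will never match a rule whose VPN column names the community."""
    return ((in_domain(src, local_domain) and in_domain(dst, peer_domain)) or
            (in_domain(src, peer_domain) and in_domain(dst, local_domain)))


if __name__ == "__main__":
    peer_domain = complement_prefixes(EXCLUDED_PREFIXES)
    local_domain = networks(["10.0.0.0/8"])   # assumed local VPN domain
    print("peer domain expands to", len(peer_domain), "blocks:")
    for net in peer_domain:
        print("  ", net)
    # Constructed flows: internet-bound, internal-to-internal, other-S2S-peer
    for src, dst in [("10.1.1.1", "8.8.8.8"),
                     ("10.1.1.1", "10.2.2.2"),
                     ("10.1.1.1", "203.0.113.5")]:
        hit = selects_community(src, dst, local_domain, peer_domain)
        print(f"{src} -> {dst}: community match = {hit}")
```

The two checks worth running before pushing such a domain are the ones the script performs: the expanded blocks must not overlap any excluded prefix (otherwise you are back to the overlapping-VPN problem), and the flows you expect to use the tunnel must actually land in local-domain-to-peer-domain, because the rule base cannot force them there.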



On Monday, October 14, 2013 11:56 AM, tasneemjan <tasneem...@aim.com> wrote:
  
For the other peer I have 0.0.0.0 255.255.255.255 in the topology, but the
problem in this case will be that it will be an overlapping VPN and traffic
will not match the community.


I can try eliminating all RFC 1918 addresses from the topology for the
interoperable device, which represents the other IPsec peer.






-----Original Message-----
From: Sergio Alvarez <seral...@gmail.com>
To: FW-1-MAILINGLIST <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
Sent: Fri, Oct 11, 2013 11:00 pm
Subject: Re: [FW-1] web traffic through IPSEC tunnel.


I agree with David here; the problem is with the definition of the VPN
domain for the other peer: you just cannot know what the destination would
be.

Regards

On Friday, 11 October 2013, David DeSimone wrote:

> tasneemjan <tasneem...@aim.com> wrote:
> >
> > I am using R77 and have an IPsec tunnel to a cloud service for anti-x
> > filtering.
>
> Do you mean that you want all HTTP/HTTPS traffic originating from your
> network, no matter what destination IP it might have, to go through this
> IPSEC tunnel?
>
> > I have a rule at the top to send all http/s traffic through the
> > community.
>
> Rules do not "set" the community which will be used.  They instead
> "match" which community was chosen, based on topology.  If your traffic
> does not route through the VPN community, then it will not match rule 1.
>
> > After the 1st rule I have a rule for internal networks to be NATed behind
> > the gateway's public interface. When I initiate the HTTP traffic it
> > doesn't match the 1st rule and matches the 2nd rule to go to the internet,
> > which doesn't bring the tunnel up. Can someone assist please.
>
> You said that you checked the encryption domain for your local network,
> and it is correct.  What did you use as the encryption domain for the
> peer at the other end of the IPSEC tunnel?
>
> If my guess is correct, you want to use route-based VPN rather than
> topology-based VPN.
>
> --
> David DeSimone == Network Admin == f...@verio.net
>   "I don't like spinach, and I'm glad I don't, because if I
>    liked it I'd eat it, and I just hate it." -- Clarence Darrow
>
>
> This email message is intended for the use of the person to whom it has
> been sent, and may contain information that is confidential or legally
> protected. If you are not the intended recipient or have received this
> message in error, you are not authorized to copy, distribute, or otherwise
> use this message or its attachments. Please notify the sender immediately
> by return e-mail and permanently delete this message and any attachments.
> Verio Inc. makes no warranty that this email is error or virus free.  Thank
> you.
>
> Email secured by Check Point
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to lists...@amadeus.us.checkpoint.com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-ow...@ts.checkpoint.com
> =================================================
>


-- 
Sergio Alvarez
CISSP | CCSE+
