I've only seen that message you're referring to when the encryption domains
overlap, but I may be mistaken.
-----Original Message-----
From: Frank Darden [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 29, 2000 12:05 PM
To: Jarmoc, Jeff; 'Peter Currall';
'[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: RE: [FW1] VPN Between Two Illegal Networks
It has been my understanding that if you do this with one rule, you'll get
the "Gateway connected to both endpoints" failures, but encryption will
still work.
Frank
-----Original Message-----
From: Jarmoc, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 29, 2000 12:26 PM
To: 'Peter Currall'; '[EMAIL PROTECTED]';
'[EMAIL PROTECTED]'
Subject: RE: [FW1] VPN Between Two Illegal Networks
Well, I meant that as one rule, not two. My apologies if I wasn't clear.
Either way will work, though I'd prefer to keep my rulebase smaller.
-----Original Message-----
From: Peter Currall [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 29, 2000 10:51 AM
To: '[EMAIL PROTECTED]';
'[EMAIL PROTECTED]'
Subject: RE: [FW1] VPN Between Two Illegal Networks
I think that should be:
NetA to NetB encrypt
NetB to NetA encrypt
You also need to consider NAT on the firewall if you are using Hide Mode NAT
for your internal network clients (to surf the web):

                                      Original packet    |        Translated packet
Source    Dest      Service   |   Source                          Dest    Service
Net_Int   Net_Int   Any       |   =original                       orig.   orig.
net_int   any       any       |   [object you are hiding behind]  orig.   orig.

I'd recommend IKE as your encryption method for compatibility with other
firewalls.
-----Original Message-----
From: Jarmoc, Jeff [mailto:[EMAIL PROTECTED]]
Sent: 29 August 2000 16:11
To: 'Steve'; [EMAIL PROTECTED]
Subject: RE: [FW1] VPN Between Two Illegal Networks
That's pretty much the best reason to use VPNs in my opinion. You'll have
to use some sort of NAT though. If there aren't enough IPs in your routable
Class C, use Hide mode NAT. Here's what you need to do:
Set NetA's network object as FWmachineA's encryption domain
Set NetB's network object as FWmachineB's encryption domain
Make sure each firewall has encapsulation on (if necessary, depending on
what encryption scheme you're using)
Add an encrypt rule on each firewall as follows:
For FWMachine A

SOURCE   DEST   Action    Log
NetA     NetA   Encrypt   Whatever you want, Long
NetB     NetB

You'll still need to check the properties of your encryption action, and
your policy properties to make sure everything is set up right, but those
are the basic steps. Check out http://www.phoneboy.com/fw1/encryption.html
for more detailed information.
Jeff Jarmoc - CCNA, MCSE
Network Analyst - Grubb & Ellis
847.753.7617
mailto:[EMAIL PROTECTED]
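As an added illustration of the two points made above (Peter's translation-rule ordering and Jeff's encryption-domain steps), and not code from anyone in this thread, here is a small Python model of first-match NAT feeding an encrypt rule, plus a check for overlapping encryption domains. The networks, the hide object and the rule names are constructed assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed topology (not from the thread): RFC 1918 nets behind each gateway,
# and a constructed routable address standing in for the Hide-mode NAT object.
NET_A = ipaddress.ip_network("10.1.0.0/24")
NET_B = ipaddress.ip_network("10.2.0.0/24")
HIDE_ADDR = ipaddress.ip_address("198.51.100.1")
ANY = ipaddress.ip_network("0.0.0.0/0")

# One network object per gateway, as in the encryption-domain steps.
ENC_DOMAINS = {"FWmachineA": [NET_A], "FWmachineB": [NET_B]}
INTERNAL = [NET_A, NET_B]  # the "Net_Int" group in the translation table

# Translation rules in the order given in the thread: the no-NAT rule for
# internal-to-internal traffic sits above the hide rule, since first match wins.
NAT_RULES = [
    ("no-nat", INTERNAL, INTERNAL, None),   # translated source = original
    ("hide", INTERNAL, [ANY], HIDE_ADDR),   # hide behind the routable object
]

def in_any(addr, nets):
    return any(addr in n for n in nets)

def translate(src, dst, rules=NAT_RULES):
    """First-match address translation; returns (rule name, source after NAT)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, srcs, dsts, hide in rules:
        if in_any(src, srcs) and in_any(dst, dsts):
            return name, (src if hide is None else hide)
    return "none", src

def will_encrypt(src, dst, local="FWmachineA", remote="FWmachineB", rules=NAT_RULES):
    """The NetA->NetB encrypt rule matches only if the post-NAT source is still in
    the local encryption domain and the destination is in the remote one."""
    _, nat_src = translate(src, dst, rules)
    return in_any(nat_src, ENC_DOMAINS[local]) and in_any(ipaddress.ip_address(dst), ENC_DOMAINS[remote])

def overlapping_domains(domains):
    """Pairs of gateways whose encryption domains share address space, the
    situation the top reply associates with the 'connected to both endpoints' message."""
    return [(a, b) for a, b in combinations(sorted(domains), 2)
            if any(x.overlaps(y) for x in domains[a] for y in domains[b])]

if __name__ == "__main__":
    print(will_encrypt("10.1.0.5", "10.2.0.7"))                          # True
    print(will_encrypt("10.1.0.5", "10.2.0.7", rules=NAT_RULES[::-1]))   # False: hidden first
    print(overlapping_domains({"FWmachineA": INTERNAL, "FWmachineB": [NET_B]}))
```

Reversing the two translation rules shows why the ordering matters: the hide rule rewrites the source before the encrypt rule sees it, so the packet leaves the encryption domain and goes out in the clear.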
-----Original Message-----
From: Steve [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 29, 2000 9:40 AM
To: [EMAIL PROTECTED]
Subject: [FW1] VPN Between Two Illegal Networks
Hi,
Is it possible to set up a VPN between two illegal internal networks that
routes across the Internet?
Example:
netA -- (le0) FWmachineA (le1) -- internet -- (le1) FWmachineB (le0) -- netB
Where:
netA is an illegal internal network
netB is an illegal internal network
FWmachineA le1 has a valid Class C IP address
FWmachineB le1 has a valid Class C IP address
With an encrypted VPN how does a host on netA route to a host on netB
(without using NAT - not enough class C addresses available)?
Cheers,
-Steve
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================