This is correct, unless your network objects disallow broadcast traffic,
which is the preferred method for creating network objects.

I however completely agree with Tom.  The courseware teaches us to put both
rules on the same line, which though acceptable can lead to exactly what Tom
is describing.

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, August 29, 2000 2:08 PM
Subject: RE: [FW1] VPN Between Two Illegal Networks


>
> When you use the encryption such as below in the same rule
>
> neta netb  encrypt
> netb neta  encrypt
>
> What happens is the fw will attempt to encrypt broadcast traffic to itself
> and will fail, hence giving the "connected to same gateway error".
>
> Separating this into two separate rules keeps this from happening. More
> of an eyesore than anything.
>
> Thomas Poole
>
> -----Original Message-----
> From: Jarmoc, Jeff [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 29, 2000 2:05 PM
> To: 'Frank Darden'; 'Peter Currall';
> '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
> Subject: RE: [FW1] VPN Between Two Illegal Networks
>
>
>
> I've only seen that message you're referring to when the encryption
> domains overlap, but I may be mistaken.
>
> -----Original Message-----
> From: Frank Darden [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 29, 2000 12:05 PM
> To: Jarmoc, Jeff; 'Peter Currall';
> '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
> Subject: RE: [FW1] VPN Between Two Illegal Networks
>
>
> It has been my understanding that if you do this with one rule, you'll
> get the "Gateway connected to both endpoints" failures, but encryption will
> still work.
>
> Frank
>
> -----Original Message-----
> From: Jarmoc, Jeff [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 29, 2000 12:26 PM
> To: 'Peter Currall'; '[EMAIL PROTECTED]';
> '[EMAIL PROTECTED]'
> Subject: RE: [FW1] VPN Between Two Illegal Networks
>
>
>
> Well, I meant that as one rule, not two..  my apologies if I wasn't clear.
> Either way will work, though I'd prefer to keep my rulebase smaller.
>
> -----Original Message-----
> From: Peter Currall [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 29, 2000 10:51 AM
> To: '[EMAIL PROTECTED]';
> '[EMAIL PROTECTED]'
> Subject: RE: [FW1] VPN Between Two Illegal Networks
>
>
>
> I think that should be:
>
> NetA to NetB encrypt
> NetB to NetA encrypt
>
> You also need to consider NAT on the firewall if you are using Hide Mode
> NAT for your internal network clients (to surf the web):
>
>   Original packet              | Translated packet
>   Source   Dest     Service    | Source                           Dest   Serv
>   Net_Int  Net_Int  Any        | =original                        orig.  orig.
>   net_int  any      any        | [object you are hiding behind]   orig.  orig.
>
> I'd recommend IKE as your encryption method for compatibility with other
> firewalls.
>
>
> -----Original Message-----
> From: Jarmoc, Jeff [mailto:[EMAIL PROTECTED]]
> Sent: 29 August 2000 16:11
> To: 'Steve'; [EMAIL PROTECTED]
> Subject: RE: [FW1] VPN Between Two Illegal Networks
>
>
>
> That's pretty much the best reason to use VPNs in my opinion.  You'll
> have to use some sort of NAT though.  If there aren't enough IPs in your
> routable Class C, use Hide mode NAT. Here's what you need to do;
>
> Set NetA's network object as FWmachineA's encryption domain
> Set NetB's network object as FWmachineB's encryption domain
> Make sure each firewall has encapsulation on (if necessary, depending on
> what encryption scheme you're using)
> Add an encrypt rule on each firewall as follows;
> For FWMachine A
>   SOURCE  DEST  Action   Log
>   NetA    NetA  Encrypt  Whatever you want, Long
>   NetB    NetB
>
> You'll still need to check the properties of your encryption action, and
> your policy properties to make sure everything is set up right, but
> those are the basic steps..  Check out
> http://www.phoneboy.com/fw1/encryption.html
> for more detailed information.
>
> Jeff Jarmoc - CCNA, MCSE
> Network Analyst - Grubb & Ellis
> 847.753.7617
> mailto:[EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Steve [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 29, 2000 9:40 AM
> To: [EMAIL PROTECTED]
> Subject: [FW1] VPN Between Two Illegal Networks
>
>
>
>
> Hi,
>
> Is it possible to set up a VPN between two illegal internal networks
> that routes across the Internet?
>
> Example:
>
> netA -- (le0) FWmachineA (le1) -- internet -- (le1) FWmachineB (le0) --
> netB
>
>
> Where:
>
> netA is an illegal internal network
> netB is an illegal internal network
>
> FWmachineA le1 has a valid Class C IP address
> FWmachineB le1 has a valid Class C IP address
>
> With an encrypted VPN how does a host on netA route to a host on netB
> (without using NAT - not enough class C addresses available)?
>
> Cheers,
>
> -Steve
>
>
>
>
> ========================================================================
> ====
> ====
>      To unsubscribe from this mailing list, please see the instructions
> at
>                http://www.checkpoint.com/services/mailing.html
> ========================================================================
> ====
> ====


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
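The two points argued in the thread (a single encrypt rule with both networks in both columns also matches a site's own broadcast traffic, and a Hide NAT exemption only works if it sits above the hide rule) can be checked with a small first-match rule simulator. This is an added example, not code from the list or from Check Point; the 10.1.0.0/24, 10.2.0.0/24 and 203.0.113.1 addresses are constructed sample values.

```python
import ipaddress

# Constructed sample addressing (assumed, not from the thread): both sites use
# private space, which is what the thread calls "illegal" networks.
NET_A = ipaddress.ip_network("10.1.0.0/24")   # netA behind FWmachineA
NET_B = ipaddress.ip_network("10.2.0.0/24")   # netB behind FWmachineB
ANY = ipaddress.ip_network("0.0.0.0/0")

def first_match(rules, src_ip, dst_ip):
    """Return the action of the first rule whose source and destination
    columns contain the packet's addresses (first match wins, as in a FW-1
    rulebase). A rule is (sources, destinations, action); columns are lists."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for sources, dests, action in rules:
        if any(src in n for n in sources) and any(dst in n for n in dests):
            return action
    return "no match"

# One rule with both networks in both columns, as the courseware teaches.
COMBINED = [([NET_A, NET_B], [NET_A, NET_B], "encrypt")]

# The same intent written as two rules, as Peter and Tom recommend.
SEPARATE = [([NET_A], [NET_B], "encrypt"),
            ([NET_B], [NET_A], "encrypt")]

def intra_site_hits(rules, net):
    """Does the rulebase try to encrypt traffic that never leaves the site,
    e.g. a host on net sending to its own subnet broadcast address?"""
    host = str(net.network_address + 5)
    return first_match(rules, host, str(net.broadcast_address)) == "encrypt"

# Hide-mode NAT rulebase from the thread: the Net_Int -> Net_Int exemption
# (translate nothing) must sit above the catch-all hide rule.
HIDE_IP = "203.0.113.1"   # constructed public address the clients hide behind
NAT_ORDERED = [([NET_A, NET_B], [NET_A, NET_B], "original"),
               ([NET_A, NET_B], [ANY], "hide:" + HIDE_IP)]
NAT_REVERSED = list(reversed(NAT_ORDERED))   # the common mistake

if __name__ == "__main__":
    for name, rules in (("combined", COMBINED), ("separate", SEPARATE)):
        print(name, "A->B:", first_match(rules, "10.1.0.5", "10.2.0.7"),
              "| A broadcast:", first_match(rules, "10.1.0.5", "10.1.0.255"))
    for name, rules in (("ordered", NAT_ORDERED), ("reversed", NAT_REVERSED)):
        print(name, "VPN A->B:", first_match(rules, "10.1.0.5", "10.2.0.7"),
              "| A->Internet:", first_match(rules, "10.1.0.5", "198.51.100.9"))
```

Both rulebases encrypt NetA to NetB traffic, but only the combined rule matches the NetA broadcast, and with the NAT rules reversed the VPN traffic is hidden behind the public address before it reaches the encryption domain check.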
