Isn't it possible to specify a rule with the value of the ACK bit? This
way, you should be able to tell the difference between the packets
initiating connections from the DMZ to the LAN (ACK=0) and packets being
part of a connection (LAN<->DMZ : ACK=1).
I'm not familiar enough with FW1 to be more specific, so you should look
at that.
 

-----Original Message-----
From: Steve [mailto:[EMAIL PROTECTED]]
Sent: jeudi 12 octobre 2000 18:41
To: [EMAIL PROTECTED]
Subject: [FW1] One-way VPN


 
Got a really tricky one here.
 
I have a Firewall at HQ with three interfaces:
 
LAN, DMZ and INTERNET.
 
A remote Firewall with LAN and INTERNET only.
 
I have successfully established a VPN between LANs.
 
However I want to establish a VPN between the remote LAN and the DMZ at HQ.
 
The problem is that it must be one way. i.e. Remote LAN can access DMZ.
 
DMZ cannot access (initiate connection with) Remote LAN.
 
At first we tried establishing a VPN between remote LAN and DMZ and then
adding a rule on the remote side to drop all packets originating from the
DMZ. Unfortunately this dropped returning VPN packets that originated from
remote LAN as well as connections initiated from the DMZ.
 
Is it possible to set up this sort of one way trust VPN?
 
Cheers,
 
-Steve
 


**************************************************************************
CONFIDENTIALITY:
This e-mail and any files transmitted with it are confidential and intended solely for 
the use of the individual or entity to whom they are addressed. If you are not the 
intended recipient or the person responsible for delivering the e-mail to the intended 
recipient, you are advised that you have received this e-mail in error and that any 
use, dissemination, forwarding, printing or copying of this e-mail is strictly 
prohibited. If you have received this e-mail in error please notify: 
[EMAIL PROTECTED]
**************************************************************************
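The reply above proposes distinguishing connection-initiating packets (ACK=0) from packets belonging to an established connection (ACK=1). The following is an added example, not code from either poster and not FW-1 rule syntax: it models that stateless ACK-bit rule beside a stateful connection-table check, on constructed packets and a constructed address plan (10.1.0.0/16 for the remote LAN, 192.168.50.0/24 for the DMZ, both assumptions). It also shows the caveat a practitioner would want: a packet sent from the DMZ with the ACK bit set but no matching connection passes the stateless rule and is stopped only by the stateful check, and the ACK-bit rule says nothing about UDP or ICMP, which have no ACK bit.

```python
"""Stateless ACK-bit filtering vs. a stateful connection table for a one-way
REMOTE_LAN -> DMZ policy.  Added example; addresses and packets are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption, not from the thread).
ZONES = {"10.1.0.0/16": "REMOTE_LAN", "192.168.50.0/24": "DMZ"}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "OTHER"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


def ack_bit_filter(pkt):
    """Stateless rule: the decision can only use fields of this one packet."""
    s, d = zone_of(pkt.src), zone_of(pkt.dst)
    if s == "REMOTE_LAN" and d == "DMZ":
        return "ACCEPT"                       # remote LAN may initiate anything
    if s == "DMZ" and d == "REMOTE_LAN":
        # Every TCP segment after the initial SYN carries ACK=1, so letting
        # ACK=1 through passes return traffic while dropping new SYNs.  It
        # cannot tell a genuine reply from a forged ACK, and it has no
        # meaning for protocols without an ACK bit (UDP, ICMP).
        if pkt.proto == "tcp" and pkt.ack:
            return "ACCEPT"
        return "DROP"
    return "DROP"


class StatefulFilter:
    """Allow DMZ -> REMOTE_LAN only for flows that REMOTE_LAN opened.
    Real firewalls also time entries out and check TCP sequence numbers;
    omitted here to keep the comparison readable."""

    def __init__(self):
        self.table = set()

    def check(self, pkt):
        s, d = zone_of(pkt.src), zone_of(pkt.dst)
        if s == "REMOTE_LAN" and d == "DMZ":
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if s == "DMZ" and d == "REMOTE_LAN":
            # Reverse the tuple: a reply's (src, dst) is the request's (dst, src).
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
                return "ACCEPT"
            return "DROP"
        return "DROP"


# Constructed traffic, processed in order (the SYN before its SYN/ACK).
SCENARIO = {
    "remote_syn":    Packet("10.1.0.5", 40000, "192.168.50.10", 80, syn=True),
    "dmz_synack":    Packet("192.168.50.10", 80, "10.1.0.5", 40000, syn=True, ack=True),
    "dmz_new_syn":   Packet("192.168.50.10", 3000, "10.1.0.5", 445, syn=True),
    "dmz_ack_probe": Packet("192.168.50.10", 3000, "10.1.0.5", 445, ack=True),
    "dmz_udp":       Packet("192.168.50.10", 5000, "10.1.0.5", 53, proto="udp"),
}


def run_scenario():
    """Return {name: (stateless verdict, stateful verdict)} for each packet."""
    stateful = StatefulFilter()
    return {name: (ack_bit_filter(p), stateful.check(p)) for name, p in SCENARIO.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:14s} ack-bit rule: {stateless:6s} stateful: {stateful}")
```

The two filters agree on the legitimate reply (both ACCEPT) and on the new SYN and the UDP datagram from the DMZ (both DROP); they disagree on the ACK-only probe, which the stateless rule lets through. For the one-way policy in the thread, that is the reason to prefer a rule that tracks which side opened the connection over one that only inspects the ACK bit, and to confirm how the product handles the non-TCP traffic that the VPN will also carry.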