RE: [FW1] using multiple encryption domains

[Gibson, Brian]

Phoneboy is correct. You can only have one encryption domain.  However you can use your rule base to simulate multiple encryption domains.   Let us assume that you have 4 networks.  One at each remote site(Nets A and B) and 2 Internal networks(Nets A1 and B1), one for each remote network.   What you would do is create a group that includes Nets A1 and B1.  That group object will be the encryption domain for the main Firewall.  You would then set up rules on the remote Firewalls that would allow ONLY traffic destined for the proper network to pass the VPN.  If you consider the remote FWs as being untrusted then create the rule on the local net.   You should consider the encryption domains merely to be a routing device.  They tell the FW which networks need to be encrypted and forwarded.   Your rule base is what is decides which packets should be forwarded or not. -----Original Message----- From: Elaine Lolos [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 07, 2001 6:55 PM To: [EMAIL PROTECTED] Subject: [FW1] using multiple encryption domains Hello,   I have a question regarding multiple encryption domains.   I read the note on the Phone boy site ("Creating Multiple Encryption Domains"), that says you cannot create multiple encryption domains for the same firewall, but you can create your rules in such a way to get that effect.   I was just looking for some clarification on this -   If my firewall object's definition says that its encryption domain is, say NetworkA, then will encryption rules that specificy another network, say NetworkB, still work?   I have two remote sites that I need to provide VPN access with, but to two different internal networks of mine.   One remote site is already set up and working.  I  have encryption rules between that site and my NetworkA.   Another remote site I now want to set up with access to NetworkB.  If I add encryption rules between their site and my NetworkB, how does NetworkB get associated with my firewall object?  That is, how do the rules determine which firewall object is protecting NetworkB?   Could (but only if I needed to) create another internal firewall object with the same IP as my original firewall object, and specify its encryption domain as NetworkB?   Please advise.   Thank you, Elaine