
RE: [FW1] Gauntlet VPN through FW-1
Craig,

Unfortunately if you check out the IETF RFC for the IPSec protocol you'll
see that one of the restrictions of the protocol suite is that it can't be
NAT'd. I ran into this problem in my last job and it's a real pisser.

We did some research into routing IPSec over GRE but the only OS we
managed to get it to even half work on was BSD.

You'll have to use another VPN protocol.

Regards

James
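The reason a source NAT is fatal for some IPsec traffic but not for others comes down to what each protocol's integrity check covers. Under RFC 2402 the AH ICV is computed over the immutable fields of the outer IP header (source and destination address included, with TOS, flags, TTL and checksum zeroed), whereas the RFC 2406 ESP ICV covers only the ESP header and ciphertext, not the outer IP header. The following Python model is an added example for this thread, not code from either poster: it builds constructed, minimal packets with a made-up SA key (`KEY`) and a truncated HMAC-SHA1 ICV, applies the address rewrite a NAT box performs, and checks whether the receiver's ICV verification still passes. NAT-Traversal (RFC 3947/3948), which encapsulates ESP in UDP, postdates this 2000 thread.

```python
"""
Added example (not part of the original mailing-list thread): why a NAT
rewrite of the outer source address invalidates an AH-protected packet
while an ESP tunnel-mode packet passes the same integrity check.

Simplified, constructed packet layout. Real AH/ESP processing is more
involved, but the rule modelled here is the one that matters:
AH's ICV covers the immutable fields of the outer IP header (source
address included); ESP's ICV does not cover the outer header at all.
"""
import hashlib
import hmac
import ipaddress
import struct

# Shared SA authentication key, constructed for the example only.
KEY = b"constructed-demo-key"
ICV_LEN = 12  # HMAC-SHA1-96 truncation used by both AH and ESP


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left zero; irrelevant here)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 0, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def zero_mutable_fields(hdr: bytes) -> bytes:
    """AH rule: mutable fields are zeroed before the ICV is computed.

    TOS, flags/fragment offset, TTL and the header checksum are mutable in
    transit; the addresses are not, so a NAT rewrite is detected.
    """
    b = bytearray(hdr)
    b[1] = 0                  # TOS
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)


def ah_icv(outer: bytes, payload: bytes) -> bytes:
    """AH ICV over (outer header with mutable fields zeroed) + payload."""
    return hmac.new(KEY, zero_mutable_fields(outer) + payload, hashlib.sha1).digest()[:ICV_LEN]


def esp_icv(esp_body: bytes) -> bytes:
    """ESP ICV over SPI + sequence number + ciphertext only; outer header excluded."""
    return hmac.new(KEY, esp_body, hashlib.sha1).digest()[:ICV_LEN]


def nat_rewrite_src(outer: bytes, new_src: str) -> bytes:
    """What a source-NAT device does to the outer header on the way out."""
    b = bytearray(outer)
    b[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(b)


def decrement_ttl(outer: bytes) -> bytes:
    """What an ordinary router does to the outer header at each hop."""
    b = bytearray(outer)
    b[8] -= 1
    return bytes(b)


def ah_survives(src: str, dst: str, transform, payload: bytes = b"inner packet") -> bool:
    """Sender computes the AH ICV, the path applies `transform`, receiver re-verifies."""
    outer = ipv4_header(src, dst, proto=51)           # 51 = AH
    sent_icv = ah_icv(outer, payload)
    arrived = transform(outer)
    return hmac.compare_digest(sent_icv, ah_icv(arrived, payload))


def esp_survives(src: str, dst: str, transform, esp_body: bytes = b"spi+seq+ciphertext") -> bool:
    """Same exchange for ESP: the outer header is rewritten but never covered by the ICV."""
    outer = ipv4_header(src, dst, proto=50)           # 50 = ESP
    sent_icv = esp_icv(esp_body)
    arrived = transform(outer)                        # rewritten header is simply ignored
    return hmac.compare_digest(sent_icv, esp_icv(esp_body))


if __name__ == "__main__":
    # Constructed addresses: RFC 1918 inside, documentation range as the NAT'd public address.
    nat = lambda h: nat_rewrite_src(h, "203.0.113.5")
    print("AH  through source NAT :", ah_survives("192.168.1.1", "198.51.100.9", nat))
    print("AH  through a router   :", ah_survives("192.168.1.1", "198.51.100.9", decrement_ttl))
    print("ESP through source NAT :", esp_survives("192.168.1.1", "198.51.100.9", nat))
```

The model shows the boundary precisely: AH fails the moment an address changes but tolerates a TTL decrement, and ESP's ICV is indifferent to the outer header. That is only the integrity-check layer, though. Even with ESP, a one-to-one NAT still has to carry the bare IP protocol (no ports to multiplex on), and IKE peers that identify each other by IP address will see a mismatch when the address they negotiated with is not the one the packets arrive from; those are the pieces that make the tunnel refuse to come up in practice.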

> -----Original Message-----
> From: Little, Craig (SSI-SIAP-NP5) [mailto:[email protected]]
> Sent: 06 September 2000 05:23
> To: [email protected]
> Subject: [FW1] Gauntlet VPN through FW-1
> 
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Does anyone have any experience allowing Gauntlet VPN traffic to pass
> through Firewall-1 unobstructed? The problem is thus:
> 
> We have a 'partner' company who wants to utilise our connection to
> the internet (for a fee), and get rid of their own connection. So far
> we've been successful swapping MX pointers and mail-bagging for them,
> and providing Web proxy services (both fairly easy to implement), but
> we have a problem delivering their IPSec traffic.
> 
> The external interface of their Gauntlet firewall will be an RFC 1918
> address in the 192.168.x.x range. We need to somehow NAT the traffic
> to them without breaking the tunnel (ESTD).
> 
> I have a proxy arp set up on the external interface of our firewall
> for their VPN clients to connect to, and I am NATing that address to
> the external address of the Gauntlet firewall. I am getting the
> traffic and passing it on (it hits the router at the far end), but
> doesn't seem to set up a tunnel.
> 
> They are using IKE with ESP, so I didn't expect the NAT to have any
> effect - but I don't know enough about Gauntlet to know how that
> works (or doesn't).
> 
> Has anyone got any experience in setting up this kind of convoluted
> system? Unfortunately, I'm not likely to convince them to buy an
> IP330 to solve the problem...
> 
> 
> Kind Regards,
> 
> Craig Little BSc, CPD, CPI, SCJP, CCSA, CCSE
> Inter-Networking / Security Consultant
> 
> Shell Services International
> 
> Phone:	+64 4 462 4661
> Fax:	+64 4 463 4060
> Mobile:	+64 21 37 5858
> PGP Fingerprint F3CE 6EB2 6B1A 10EA E355  A157 8012 D53A 6AE5 962F
> mailto:[email protected]
> http://www.shellservices.com
> 
> By default attachments are compressed in WinZip format. If you cannot
> read them, please contact your Help Desk to have the WinZip utility
> installed. WinZip can be downloaded for free at
> http://www.winzip.com.
> 
> This e-mail message and attachments are confidential between the
> intended parties and may be subject to legal privilege.  If you have
> received this e-mail in error, please advise the sender immediately
> and destroy the message and any attachments.  If you are not the
> intended recipient you are notified that any use, distribution,
> amendment, copying or any action taken or omitted to be taken in
> reliance of this message or attachments is prohibited.
> 
> 
> 
> - -----Original Message-----
> From: Mark Ingles [mailto:[email protected]]
> Sent: Wednesday, 6 September 2000 3:02 p.m.
> To: Rajesh Bandar; [email protected]
> Subject: Re: [FW1] Security question
> 
> 
> 
> If your web server is exploited, then the attacker will have unrestricted
> access to your internal network. A better solution would be to place the
> web server in a "public network" or DMZ where the evil Internet only has
> access to its http server, but the web server itself doesn't have any
> access to your internal network. This way, when your server is hacked, the
> attacker still has to go through the firewall to get to the internal
> network.
> 
> HTH - Mark Ingles
> 
> At 10:02 PM 9/5/2000, Rajesh Bandar wrote:
> 
> >Hi All,
> >
> >I have a web server running on the internal network (172.16.0.6). I
> >want to allow internet people to access the web server. So I am
> >thinking to do NAT for the web server host and allow http service.
> >Are there any security issues if I do that.
> >
> >I would appreciate any suggestions on this.
> >
> >Thanks,
> >Rajesh.
> 
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
> 
> iQA/AwUBObUdLIAS1Tpq5ZYvEQK1GACg0KLYCsGypURtDq0HTtSmA1EgFtgAoIVW
> nDvVY8sggF4OLB4zm6KKs4lW
> =Bzhv
> -----END PGP SIGNATURE-----
> 

==============================================================================
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. All information is the view of the individual and not necessarily the company. If you are not the intended recipient you are hereby notified that any dissemination, distribution, or copying of this communication and its attachments is strictly prohibited. If you have received this email in error please notify: 
[email protected]


==============================================================================