
Re: [FW1] One-way VPN



Hi Steve,

I have a couple of DMZs that users have to access from
other sites across the VPN.  What I normally do is:

1.  Make sure the DMZ is in the encryption zone
2.  Set up encryption between sites, with no
restrictions.
3.  Place a rule above the encrypt rules, that blocks
all packets to all of my encryption zones.  This rule
is placed on the fw where the DMZ is.
4.  You also have to check your NAT rules, and make
sure the address of the packet coming back is one
that's in the encrypt rule on the far side.
5.  Test from a machine in the DMZ that you can't
access the other sites, or the internal net where the
DMZ is.

Don't think I've missed anything here.  Let me know if
you still have problems.

HTH,
Pete Goodridge

--- Steve <[email protected]> wrote:
> 
> Got a really tricky one here.
> 
> I have a Firewall at HQ with three interfaces:
> 
> LAN, DMZ and INTERNET.
> 
> A remote Firewall with LAN and INTERNET only.
> 
> I have successfully established a VPN between LANs.
> 
> However I want to establish a VPN between the remote
> LAN and the DMZ at HQ.
> 
> The problem is that it must be one way. i.e. Remote
> LAN can access DMZ.
> 
> DMZ cannot access (initiate connection with) Remote
> LAN.
> 
> At first we tried establishing a VPN between remote
> LAN and DMZ and then adding a rule on the remote
> side to drop all packets originating from the DMZ.
> Unfortunately this dropped returning VPN packets
> that originated from remote LAN as well as
> connections initiated from the DMZ.
> 
> Is it possible to set up this sort of one way trust
> VPN?
> 
> Cheers,
> 
> -Steve
> 
> 



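The rule-ordering and state behaviour that the thread turns on, as an added example that is not part of the original mail and is not Check Point code. It is a deliberately simplified first-match rulebase simulator: one firewall model evaluates every packet against the rules (the symptom Steve describes, where a drop-on-DMZ-source rule also kills the reply half of remote-initiated sessions), the other consults the drop rule only when a new connection is opened and lets a state table pass established traffic (Pete's placement of the block rule above the encrypt rules on the DMZ-side firewall). The address plan, rule names and services are constructed for the example, and the NAT helper reflects step 4: a reply's post-NAT source has to sit inside the address range the far side's encrypt rule lists.

```python
"""Simplified first-match rulebase simulator (added example, not Check Point code).

Models the two placements discussed in the thread: a per-packet drop of
DMZ-sourced traffic versus a drop rule consulted only at connection setup,
with established connections tracked in a state table.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption, not taken from the thread).
HQ_LAN = ip_network("10.1.0.0/16")
HQ_DMZ = ip_network("10.2.0.0/24")
REMOTE_LAN = ip_network("10.9.0.0/16")
ENCRYPTION_ZONES = [HQ_LAN, HQ_DMZ, REMOTE_LAN]  # step 1: DMZ is in the encryption domain


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int        # one port stands in for the whole flow identifier here
    new_conn: bool    # True for the first packet of a connection (e.g. TCP SYN)


@dataclass
class Rule:
    name: str
    src: list         # list of ip_network objects
    dst: list
    action: str       # "drop" or "encrypt"


def in_any(addr: str, nets) -> bool:
    """True when addr falls inside any of the given networks."""
    return any(ip_address(addr) in net for net in nets)


@dataclass
class Firewall:
    rules: list
    stateful: bool                       # consult a connection table before the rules?
    conns: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport)
        if self.stateful:
            # Either direction of a connection that was accepted at setup passes
            # without re-evaluating the rulebase.
            if fwd in self.conns or rev in self.conns:
                return "accept-established"
            if not pkt.new_conn:
                return "drop:no-state"   # mid-stream packet with no connection entry
        for rule in self.rules:          # first match wins
            if in_any(pkt.src, rule.src) and in_any(pkt.dst, rule.dst):
                if rule.action != "drop" and pkt.new_conn:
                    self.conns.add(fwd)
                return f"{rule.action}:{rule.name}"
        return "drop:cleanup"


def steve_remote_fw() -> Firewall:
    """Steve's first attempt: on the remote side, drop everything sourced from
    the DMZ, evaluated per packet (so replies to remote-initiated sessions die)."""
    return Firewall(rules=[
        Rule("drop-from-dmz", [HQ_DMZ], [REMOTE_LAN], "drop"),
        Rule("vpn", ENCRYPTION_ZONES, ENCRYPTION_ZONES, "encrypt"),
    ], stateful=False)


def pete_hq_fw() -> Firewall:
    """Steps 2 and 3: unrestricted site-to-site encrypt rule, with a block of
    DMZ -> any encryption zone placed above it on the firewall where the DMZ is."""
    return Firewall(rules=[
        Rule("block-dmz-to-encrypt-zones", [HQ_DMZ], ENCRYPTION_ZONES, "drop"),
        Rule("site-to-site-encrypt", ENCRYPTION_ZONES, ENCRYPTION_ZONES, "encrypt"),
    ], stateful=True)


def run_session(fw: Firewall, client: str, server: str, port: int):
    """Return (verdict for the client's first packet, verdict for the server's reply)."""
    first = fw.decide(Packet(client, server, port, new_conn=True))
    reply = fw.decide(Packet(server, client, port, new_conn=False))
    return first, reply


def return_source_in_far_encrypt_domain(translated_src: str, far_side_encrypt_domain) -> bool:
    """Step 4: the source address a reply carries after NAT must be inside the
    range the far side's encrypt rule expects, or the peer will not match it
    to the tunnel. A hide-NAT to a public address, for instance, fails this."""
    return in_any(translated_src, far_side_encrypt_domain)


if __name__ == "__main__":
    print("Steve's remote fw :", run_session(steve_remote_fw(), "10.9.0.5", "10.2.0.10", 80))
    hq = pete_hq_fw()
    print("Pete, remote->DMZ :", run_session(hq, "10.9.0.5", "10.2.0.10", 80))
    print("Pete, DMZ->remote :", run_session(hq, "10.2.0.10", "10.9.0.5", 22))   # step 5 test
    print("Pete, DMZ->HQ LAN :", hq.decide(Packet("10.2.0.10", "10.1.0.7", 445, True)))
    print("NAT check, 10.2.0.10   :", return_source_in_far_encrypt_domain("10.2.0.10", [HQ_LAN, HQ_DMZ]))
    print("NAT check, 203.0.113.10:", return_source_in_far_encrypt_domain("203.0.113.10", [HQ_LAN, HQ_DMZ]))
```

The stateless model reproduces the symptom from the quoted mail (remote-initiated session set up, reply from the DMZ dropped); the stateful model with the block rule first lets the remote LAN reach the DMZ, refuses connections the DMZ opens toward the remote LAN or the HQ LAN, and also refuses stray mid-stream packets with no state, which is what step 5's test from a DMZ host should show.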

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================


