Re: [FW1] One-way VPN
Hi Steve,

I have a couple of DMZs that users have to access from other sites across the VPN. What I normally do is:

1. Make sure the DMZ is in the encryption zone.
2. Set up encryption between sites, with no restrictions.
3. Place a rule above the encrypt rules that blocks all packets to all of my encryption zones. This rule is placed on the fw where the DMZ is.
4. You also have to check your NAT rules, and make sure the address of the packet coming back is one that's in the encrypt rule on the far side.
5. Test from a machine in the DMZ that you can't access the other sites, or the internal net where the DMZ is.

Don't think I've missed anything here. Let me know if you still have problems.

HTH,
Pete Goodridge

--- Steve <[email protected]> wrote:
>
> Got a really tricky one here.
>
> I have a Firewall at HQ with three interfaces: LAN, DMZ and INTERNET.
>
> A remote Firewall with LAN and INTERNET only.
>
> I have successfully established a VPN between LANs.
>
> However I want to establish a VPN between the remote LAN and the DMZ at HQ.
>
> The problem is that it must be one way, i.e. Remote LAN can access DMZ.
>
> DMZ cannot access (initiate connection with) Remote LAN.
>
> At first we tried establishing a VPN between remote LAN and DMZ and then
> adding a rule on the remote side to drop all packets originating from the
> DMZ. Unfortunately this dropped returning VPN packets that originated from
> remote LAN as well as connections initiated from the DMZ.
>
> Is it possible to set up this sort of one way trust VPN?
>
> Cheers,
>
> -Steve
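The rule-ordering logic behind Pete's steps 2 and 3, and the reason Steve's first attempt dropped the return traffic, can be shown with a small first-match rulebase simulator. This is an added example written for this archive page, not code from either poster and not Check Point's own policy engine; the networks (192.0.2.0/24 for the HQ DMZ, 198.51.100.0/24 for the remote LAN), the rule names and the three sample packets are constructed. The only behaviour it models is: a "DMZ to encryption domain" drop rule placed above the encrypt rules, evaluated first-match, with and without a connection table that passes replies to already-accepted connections.

```python
"""Toy first-match firewall rulebase with an optional connection table.

Shows why a rule that drops every packet whose source is the DMZ also kills
the reply half of connections the remote LAN opened (Steve's symptom) when
the engine is stateless, while the same rule on a stateful engine blocks
only DMZ-initiated connections (Pete's approach).

Constructed example: addresses, rule names and packets are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    action: str  # "drop" or "encrypt"

    def matches(self, p: Packet) -> bool:
        return ip_address(p.src) in self.src and ip_address(p.dst) in self.dst


class Firewall:
    """First-match rulebase. With stateful=True, a packet that is the reply to
    a connection already accepted is passed before the rulebase is consulted,
    which is what a stateful inspection engine does with its connection table."""

    def __init__(self, rules, stateful: bool):
        self.rules = list(rules)
        self.stateful = stateful
        self.conns = set()  # (client_ip, server_ip, client_port, server_port)

    def handle(self, p: Packet) -> str:
        reverse = (p.dst, p.src, p.dport, p.sport)
        if self.stateful and reverse in self.conns:
            return "accept:established"
        for r in self.rules:
            if r.matches(p):
                if r.action != "drop" and p.syn:
                    self.conns.add((p.src, p.dst, p.sport, p.dport))
                return f"{r.action}:{r.name}"
        return "drop:cleanup"  # implicit drop at the end of the rulebase


HQ_DMZ = ip_network("192.0.2.0/24")         # constructed address
REMOTE_LAN = ip_network("198.51.100.0/24")  # constructed address

# Step 3: the block rule sits above the encrypt rules on the DMZ-side firewall.
RULES = [
    Rule("dmz-no-initiate", HQ_DMZ, REMOTE_LAN, "drop"),
    Rule("vpn-remote-to-dmz", REMOTE_LAN, HQ_DMZ, "encrypt"),
    Rule("vpn-dmz-to-remote", HQ_DMZ, REMOTE_LAN, "encrypt"),
]

# Constructed traffic: a remote client opens HTTPS to a DMZ server, the server
# replies, then a DMZ host tries to open its own connection to the remote LAN.
TRAFFIC = [
    Packet("198.51.100.10", "192.0.2.5", 50000, 443, syn=True),
    Packet("192.0.2.5", "198.51.100.10", 443, 50000),
    Packet("192.0.2.5", "198.51.100.10", 40000, 22, syn=True),
]


def simulate(stateful: bool) -> list:
    """Run the constructed traffic through the rulebase and return the verdicts."""
    fw = Firewall(RULES, stateful)
    return [fw.handle(p) for p in TRAFFIC]


if __name__ == "__main__":
    for mode in (False, True):
        print("stateful" if mode else "stateless", simulate(mode))
```

Run stateless, the second packet (the DMZ server's reply) hits the drop rule, which is exactly what Steve saw; run stateful, the reply is matched against the connection table and passed, while the DMZ-initiated SSH attempt is still dropped by the same rule. Pete's step 4 (NAT) matters for the same reason: the reply must come back with the address the far side's connection table and encrypt rule expect.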
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html