
[FW1] re: One-way VPN




The problem I've discovered by having only a one-way encrypt is that the
packet never makes it back to the original VPN.

This is because the VPN is between two invalid networks.

As far as I can tell only an encrypt rule tells the Firewall to wrap the
packet up and forward it onto the next gateway. But putting an encrypt rule
to allow traffic to get back opens up the Remote-LAN to traffic originating
in the DMZ.

I'm confused because for the rest of the Firewall rulebase everything can be
set depending on Originator and not have to worry about return packet rules.

Cheers,

-Steve

> All Firewall-1 rules are one-way, even encrypts.
>
> So if you have a rule saying
>
>     Source            Destination        Service        Action
>     Remote-net    DMZ-net            http            Encrypt
>
> This does not imply any connections can be instigated from the DMZ to the
> Remote LAN.
>
> Paul.
>
>
> -----Original Message-----
> From: Steve [mailto:[email protected]]
> Sent: 12 October 2000 17:41
> To: [email protected]
> Subject: [FW1] One-way VPN
>
>
>
> Got a really tricky one here.
>
> I have a Firewall at HQ with three interfaces:
>
> LAN, DMZ and INTERNET.
>
> A remote Firewall with LAN and INTERNET only.
>
> I have successfully established a VPN between LANs.
>
> However I want to establish a VPN between the remote LAN and the DMZ at HQ.
>
> The problem is that it must be one way. i.e. Remote LAN can access DMZ.
>
> DMZ cannot access (initiate connection with) Remote LAN.
>
> At first we tried establishing a VPN between remote LAN and DMZ and then
> adding a rule on the remote side to drop all packets originating from the
> DMZ. Unfortunately this dropped returning VPN packets that originated from
> remote LAN as well as connections initiated from the DMZ.
>
> Is it possible to set up this sort of one way trust VPN?
>
> Cheers,
>
> -Steve
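The point Paul makes above (rules match the originator of a connection, and reply packets are passed by connection state rather than by a second rule in the reverse direction) can be shown with a small model. The following is an added illustration, not Check Point code and not part of the thread: a toy stateful firewall with the single `Remote-net -> DMZ-net http Encrypt` rule from Paul's table. The network ranges, hosts and port numbers are constructed stand-ins. It shows why no reverse rule is needed for the DMZ server's replies, and why a connection initiated from the DMZ, or a stray non-SYN packet from the DMZ, is dropped. It does not model the routing problem Steve mentions between the two networks.

```python
"""Toy model of an originator-based (stateful) rulebase.

Constructed illustration, not Check Point FireWall-1 code. It models the
one-way "Remote-net -> DMZ-net http Encrypt" rule from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # True only for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    service: tuple  # (protocol, destination port)
    action: str     # "encrypt", "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (pkt.proto, pkt.dport) == self.service)


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        # 5-tuple of the originating packet -> action decided for that connection
        self.connections = {}

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def inspect(self, pkt: Packet) -> str:
        # 1. Packets of an already-accepted connection, in either direction,
        #    are handled from the connection table; no rule lookup takes place.
        if self._key(pkt) in self.connections:
            return self.connections[self._key(pkt)]
        if self._reverse_key(pkt) in self.connections:
            return self.connections[self._reverse_key(pkt)]
        # 2. A packet that is not a connection start and belongs to no known
        #    connection is out of state and is dropped.
        if not pkt.syn:
            return "drop"
        # 3. Only the originator of a new connection is matched against the
        #    rulebase, top to bottom; the first matching rule decides.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action != "drop":
                    self.connections[self._key(pkt)] = rule.action
                return rule.action
        return "drop"  # implicit cleanup rule: nothing matched


# Constructed stand-ins for the networks in the thread.
REMOTE_NET = "10.1.0.0/16"   # Remote-net (constructed private range)
DMZ_NET = "192.0.2.0/24"     # DMZ-net (constructed, RFC 5737 documentation range)

# The single one-way rule from Paul's table.
RULEBASE = [Rule(REMOTE_NET, DMZ_NET, ("tcp", 80), "encrypt")]


def run_scenario() -> dict:
    """Run the four packets discussed in the thread through the model."""
    fw = StatefulFirewall(RULEBASE)
    results = {}
    # A Remote LAN host opens http to a DMZ server: matches the Encrypt rule.
    results["remote_to_dmz_syn"] = fw.inspect(
        Packet("10.1.0.5", "192.0.2.10", "tcp", 40001, 80, syn=True))
    # The DMZ server's reply: passed by the connection table, no reverse rule.
    results["dmz_reply"] = fw.inspect(
        Packet("192.0.2.10", "10.1.0.5", "tcp", 80, 40001))
    # A DMZ host tries to open a new connection to the Remote LAN: no rule, dropped.
    results["dmz_to_remote_syn"] = fw.inspect(
        Packet("192.0.2.10", "10.1.0.7", "tcp", 40002, 80, syn=True))
    # A non-SYN packet from the DMZ that belongs to no connection: out of state, dropped.
    results["dmz_out_of_state"] = fw.inspect(
        Packet("192.0.2.10", "10.1.0.7", "tcp", 80, 40003))
    return results


if __name__ == "__main__":
    for name, action in run_scenario().items():
        print(f"{name:20s} -> {action}")
```

The reverse Encrypt rule Steve considered adding (DMZ-net to Remote-net) would be matched in step 3 by the `dmz_to_remote_syn` packet and would let DMZ hosts originate connections into the Remote LAN, which is exactly the exposure he wants to avoid; the model shows the replies get through without it.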




   All contents © 2004 Network Presence, LLC. All rights reserved.