[FW1] RE: One-way VPN
This is interesting, because I have discovered that it *does* work with a single-way encryption. I have a double NAT on one side, and at least a single NAT on the other (this is a third party's network). The packet makes it back through all of this without issue (except where I have the other problem entitled "VPN and NAT Problem").

From my point of view, the Encrypt rule works in essence exactly the same as an Accept, except that the packet is tunneled during the journey between the two firewalls. The return packet is handled just like the return packet from any other rule. It just doesn't make any sense to assume that you need a back connection defined. If your packets aren't getting back, then it is more likely you have a NAT, routing or rulebase issue.

In case I am missing something, why does it matter that the VPN sits between two "invalid" networks? And what constitutes an invalid network?

Paul.

-----Original Message-----
From: Steve [mailto:[email protected]]
Sent: 13 October 2000 17:30
To: [email protected]
Cc: [email protected]
Subject: re: One-way VPN

The problem I've discovered by having only a one-way encrypt is that the packet never makes it back to the original VPN. This is because the VPN is between two invalid networks. As far as I can tell, only an encrypt rule tells the Firewall to wrap the packet up and forward it on to the next gateway. But putting in an encrypt rule to allow traffic to get back opens up the Remote-LAN to traffic originating in the DMZ.

I'm confused, because for the rest of the Firewall rulebase everything can be set depending on Originator without having to worry about return packet rules.

Cheers,
-Steve

> All Firewall-1 rules are one-way, even encrypts.
>
> So if you have a rule saying
>
> Source        Destination   Service   Action
> Remote-net    DMZ-net       http      Encrypt
>
> This does not imply any connections can be instigated from the DMZ to the
> Remote LAN.
>
> Paul.
>
> -----Original Message-----
> From: Steve [mailto:[email protected]]
> Sent: 12 October 2000 17:41
> To: [email protected]
> Subject: [FW1] One-way VPN
>
> Got a really tricky one here.
>
> I have a Firewall at HQ with three interfaces: LAN, DMZ and INTERNET.
>
> A remote Firewall with LAN and INTERNET only.
>
> I have successfully established a VPN between LANs.
>
> However I want to establish a VPN between the remote LAN and the DMZ at HQ.
>
> The problem is that it must be one way, i.e. Remote LAN can access DMZ.
> DMZ cannot access (initiate connection with) Remote LAN.
>
> At first we tried establishing a VPN between remote LAN and DMZ and then
> adding a rule on the remote side to drop all packets originating from the
> DMZ. Unfortunately this dropped returning VPN packets that originated from
> remote LAN as well as connections initiated from the DMZ.
>
> Is it possible to set up this sort of one way trust VPN?
>
> Cheers,
>
> -Steve

-----------------------------------------------------------------------------------------------------------------------
This e-mail is intended only for the above addressee. It may contain privileged information. If you are not the addressee you must not copy, distribute, disclose or use any of the information in it. If you have received it in error please delete it and immediately notify the sender.

evolvebank.com is a division of Lloyds TSB Bank plc.

Lloyds TSB Bank plc, 71 Lombard Street, London EC3P 3BS. Registered in England, number 2065. Telephone No: 020 7626 1500

Lloyds TSB Scotland plc, Henry Duncan House, 120 George Street, Edinburgh EH2 4LH. Registered in Scotland, number 95237. Telephone No:

Lloyds TSB Bank plc and Lloyds TSB Scotland plc are regulated by the Personal Investment Authority and represent only the Scottish Widows and Lloyds TSB Marketing Group for life assurance, pensions and investment business. Members of the UK Banking Ombudsman Scheme and signatories to the UK Banking Code.
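The one-way behaviour Paul describes above (an Encrypt rule is evaluated like an Accept for the first packet of a connection, replies are let back by the firewall's connection state, and no back-connection rule is needed) can be modelled in a few lines. What follows is an added example written for this page, not code from the thread or from Check Point. The network names, the addresses, the toy connection table and the evaluation order (state lookup before the rulebase, implicit drop at the end) are assumptions of the model, not a description of FireWall-1 internals.

```python
"""Toy stateful packet filter modelling a one-way "Encrypt" rule.

Added example for this page, not code from the mailing-list thread or
from Check Point. Network names, addresses, the connection table and the
evaluation order are assumptions of the model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical address plan for the two network objects named in the thread.
NETS = {
    "Remote-net": ip_network("10.20.0.0/24"),
    "DMZ-net": ip_network("192.168.100.0/24"),
    "Any": ip_network("0.0.0.0/0"),
}
# Service objects: (protocol, destination port); "Any" matches everything.
SERVICES = {"http": ("tcp", 80), "Any": (None, None)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str  # "Accept", "Encrypt" or "Drop"


def rule_matches(rule, pkt):
    """Top-down rulebase match on source net, destination net and service."""
    proto, port = SERVICES[rule.service]
    return (ip_address(pkt.src) in NETS[rule.src]
            and ip_address(pkt.dst) in NETS[rule.dst]
            and (proto is None or (proto == pkt.proto and port == pkt.dport)))


def evaluate_stateless(rules, pkt):
    """Rulebase only: every packet, replies included, must match a rule."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "Drop (implicit cleanup)"


class StatefulFilter:
    """Rulebase plus a connection table that is consulted before the rulebase."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.conns = set()  # 5-tuples of accepted connections, both directions

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def process(self, pkt):
        # 1. A packet belonging to an already accepted connection passes on
        #    state alone; the rulebase is not consulted. This is what makes
        #    a single Remote-net -> DMZ-net rule sufficient for the replies.
        if self._key(pkt) in self.conns:
            return "Accept (state)"
        # 2. Anything else is a new connection: first matching rule wins,
        #    and an accepted/encrypted SYN records both directions.
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule.action in ("Accept", "Encrypt") and pkt.syn:
                    self.conns.add(self._key(pkt))
                    self.conns.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return rule.action
        return "Drop (implicit cleanup)"


def run_scenario():
    """The rule from the thread, exercised with three constructed packets."""
    encrypt_rule = Rule("Remote-net", "DMZ-net", "http", "Encrypt")
    syn = Packet("10.20.0.5", "192.168.100.10", "tcp", 40001, 80, syn=True)
    reply = Packet("192.168.100.10", "10.20.0.5", "tcp", 80, 40001)
    from_dmz = Packet("192.168.100.10", "10.20.0.5", "tcp", 51000, 80, syn=True)

    fw = StatefulFilter([encrypt_rule])
    results = {
        "remote_to_dmz": fw.process(syn),        # new connection, encrypted
        "dmz_reply": fw.process(reply),          # passes on state, no back rule
        "dmz_initiated": fw.process(from_dmz),   # no rule allows it: dropped
        "reply_stateless": evaluate_stateless([encrypt_rule], reply),
    }

    # An explicit "DMZ-net -> Any: Drop" rule below the Encrypt rule does not
    # touch replies in this model, because state is looked up before rules.
    fw2 = StatefulFilter([encrypt_rule, Rule("DMZ-net", "Any", "Any", "Drop")])
    fw2.process(syn)
    results["reply_with_dmz_drop_rule"] = fw2.process(reply)
    results["dmz_initiated_with_drop_rule"] = fw2.process(from_dmz)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:30s} {verdict}")
```

The `reply_stateless` entry is the case a back-connection rule would be compensating for: without a connection table the reply has no matching rule and is dropped, and the only rulebase fix is a DMZ-net to Remote-net rule, which is exactly the DMZ-initiated access the thread is trying to avoid. With the connection table in front of the rulebase, the single Encrypt rule lets the reply through and the DMZ-initiated SYN still falls to the implicit drop (or to an explicit one).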
-----------------------------------------------------------------------------------------------------------------------

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================