Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FW1] RE: One-way VPN

To: "'Steve'" <[email protected]>, [email protected]
Subject: [FW1] RE: One-way VPN
From: "Murphy, Paul" <[email protected]>
Date: Mon, 16 Oct 2000 09:51:21 +0100
Sender: [email protected]


This is interesting, because I have discovered that it *does* work with a
single-way encryption.

I have a double NAT on one side, and at least a single NAT on the other
(this is a third party's network).

The packet makes it back through all of this without issue (except where I
have the other problem entitled "VPN and NAT Problem").

>From my point of view, the Encrypt rule works in essence exactly the same as
an Accept, except that the packet is tunneled during the journey between the
two firewalls.  The return packet is handled just like the return packet
from any other rule.

It just doesn't make any sense to assume that you need a back connection
defined.  If your packets aren't getting back, then it is more likely you
have a NAT, routing or rulebase issue.

In case I am missing something, why does it matter that the VPN sits between
two "invalid" networks?  And what constitutes an invalid network?

Paul.

-----Original Message-----
From: Steve [mailto:[email protected]]
Sent: 13 October 2000 17:30
To: [email protected]
Cc: [email protected]
Subject: re: One-way VPN



The problem I've discovered by having only a one-way encrypt is that the
packet never makes it back to the original VPN.

This is because the VPN is between two invalid networks.

As far as I can tell only an encrypt rule tells the Firewall to wrap the
packet up and forward it onto the next gateway. But putting an encrypt rule
to allow traffic to get back opens up the Remote-LAN to traffic originating
in the DMZ.

I'm confused because for the rest of the Firewall rulebase everything can be
set depending on Originator and not have to worry about return packet rules.

Cheers,

-Steve

> All Firewall-1 rules are one-way, even encrypts.
>
> So if you have a rule saying
>
>     Source            Destination        Service        Action
>     Remote-net    DMZ-net            http            Encrypt
>
> This does not imply any connections can be instigated from
> the DMZ to the
> Remote LAN.
>
> Paul.
>
>
> -----Original Message-----
> From: Steve [mailto:[email protected]]
> Sent: 12 October 2000 17:41
> To: [email protected]
> Subject: [FW1] One-way VPN
>
>
>
> Got a really tricky one here.
>
> I have a Firewall at HQ with three interfaces:
>
> LAN, DMZ and INTERNET.
>
> A remote Firewall with LAN and INTERNET only.
>
> I have successfully established a VPN between LANs.
>
> However I want to establish a VPN between the remote LAN and
> the DMZ at HQ.
>
> The problem is that it must be one way. i.e. Remote LAN can
> access DMZ.
>
> DMZ cannot access (initiate connection with) Remote LAN.
>
> At first we tried establishing a VPN between remote LAN and
> DMZ and then
> adding a rule on the  remote side to drop all packetes
> originating from the
> DMZ. Unfortunately this dropped returning VPN packets that
> originated from
> remote LAN aswell as connections initiated from the DMZ.
>
> Is it possible to set up this sort of one way trust VPN?
>
> Cheers,
>
> -Steve



-----------------------------------------------------------------------------------------------------------------------
This e-mail is intended only for the above addressee.  It may contain
privileged information. If you are not the addressee you must not copy,
distribute, disclose or use any of the information in it.  If you have
received it in error please delete it and immediately notify the sender.

evolvebank.com is a division of Lloyds TSB Bank plc.
Lloyds TSB Bank plc, 71 Lombard Street, London EC3P 3BS.  Registered in
England, number 2065.  Telephone No: 020 7626 1500
Lloyds TSB Scotland plc, Henry Duncan House, 120 George Street,
Edinburgh EH2 4LH.  Registered in Scotland, number 95237.  Telephone
No:Lloyds TSB Bank plc and Lloyds TSB Scotland plc are regulated by the
Personal Investment Authority and represent only the Scottish Widows
and Lloyds TSB Marketing Group for life assurance, pensions and
investment business.

Members of the UK Banking Ombudsman Scheme and signatories to the UK
Banking Code.
-----------------------------------------------------------------------------------------------------------------------


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: [FW1] URLS changed to IP addresses
Next by Date: RE: [FW1] Auto logout of Policy Editor?
Previous by thread: [FW1] Re: One-way VPN
Next by thread: [FW1] Re: One-way VPN
Index(es):
- Date
- Thread