[FW1] Re: One-way VPN
You're right, it doesn't make any sense to have a rule back. The mistake was mine to use ping as a test of the VPN. The echo-response does need a rule back. However, other protocols such as ftp and http (the ones I want to use) are taken care of with a single rule.

Thanks to everyone for the help.

-Steve Watts
System Administrator
Email: [email protected]
Tel: +44 20 7389 4075
Fax: +44 20 7389 4014

> -----Original Message-----
> From: Murphy, Paul [mailto:[email protected]]
> Sent: 16 October 2000 09:51
> To: 'Steve'; [email protected]
> Subject: RE: One-way VPN
>
> This is interesting, because I have discovered that it *does* work with a single-way encryption.
>
> I have a double NAT on one side, and at least a single NAT on the other (this is a third party's network).
>
> The packet makes it back through all of this without issue (except where I have the other problem entitled "VPN and NAT Problem").
>
> From my point of view, the Encrypt rule works in essence exactly the same as an Accept, except that the packet is tunneled during the journey between the two firewalls. The return packet is handled just like the return packet from any other rule.
>
> It just doesn't make any sense to assume that you need a back connection defined. If your packets aren't getting back, then it is more likely you have a NAT, routing or rulebase issue.
>
> In case I am missing something, why does it matter that the VPN sits between two "invalid" networks? And what constitutes an invalid network?
>
> Paul.
>
> -----Original Message-----
> From: Steve [mailto:[email protected]]
> Sent: 13 October 2000 17:30
> To: [email protected]
> Cc: [email protected]
> Subject: re: One-way VPN
>
> The problem I've discovered by having only a one-way encrypt is that the packet never makes it back to the original VPN.
>
> This is because the VPN is between two invalid networks.
>
> As far as I can tell only an encrypt rule tells the Firewall to wrap the packet up and forward it onto the next gateway. But putting an encrypt rule to allow traffic to get back opens up the Remote-LAN to traffic originating in the DMZ.
>
> I'm confused because for the rest of the Firewall rulebase everything can be set depending on Originator and not have to worry about return packet rules.
>
> Cheers,
>
> -Steve
>
> > All Firewall-1 rules are one-way, even encrypts.
> >
> > So if you have a rule saying
> >
> > Source       Destination   Service   Action
> > Remote-net   DMZ-net       http      Encrypt
> >
> > This does not imply any connections can be instigated from the DMZ to the Remote LAN.
> >
> > Paul.
> >
> > -----Original Message-----
> > From: Steve [mailto:[email protected]]
> > Sent: 12 October 2000 17:41
> > To: [email protected]
> > Subject: [FW1] One-way VPN
> >
> > Got a really tricky one here.
> >
> > I have a Firewall at HQ with three interfaces:
> >
> > LAN, DMZ and INTERNET.
> >
> > A remote Firewall with LAN and INTERNET only.
> >
> > I have successfully established a VPN between LANs.
> >
> > However I want to establish a VPN between the remote LAN and the DMZ at HQ.
> >
> > The problem is that it must be one way, i.e. Remote LAN can access DMZ.
> >
> > DMZ cannot access (initiate connection with) Remote LAN.
> >
> > At first we tried establishing a VPN between remote LAN and DMZ and then adding a rule on the remote side to drop all packets originating from the DMZ. Unfortunately this dropped returning VPN packets that originated from remote LAN as well as connections initiated from the DMZ.
> >
> > Is it possible to set up this sort of one way trust VPN?
> >
> > Cheers,
> >
> > -Steve
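The behaviour the thread settles on (one forward rule is enough for TCP services like http, while a ping test needs a rule for the echo-reply direction) comes down to whether the firewall tracks connection state for the protocol. The following toy rulebase simulation is an added example, not code from the list or from the firewall product discussed; the network objects, addresses, port numbers and packets are all constructed, and the model deliberately tracks TCP flows in a connection table while judging ICMP packet by packet, which is the assumption used to reproduce what Steve observed.

```python
"""Toy stateful rulebase: why a one-way rule suffices for TCP but not for ping.

Added example; everything here (networks, addresses, rules, packets) is
constructed for illustration. The model is an assumption: TCP connections
are remembered so reply packets pass on state, ICMP is not remembered so
an echo-reply is checked against the rulebase on its own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network objects standing in for the Remote LAN and HQ DMZ.
NETS = {
    "Remote-net": ip_network("10.1.0.0/24"),
    "DMZ-net": ip_network("192.0.2.0/24"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "icmp"
    sport: int   # tcp source port; 0 for icmp
    dport: int   # tcp destination port; for icmp the type (8 = echo-request, 0 = echo-reply)


@dataclass(frozen=True)
class Rule:
    src: str     # network object name
    dst: str
    proto: str
    port: int    # tcp destination port or icmp type
    action: str  # "accept", "encrypt" or "drop"


def _in(net_name, addr):
    return ip_address(addr) in NETS[net_name]


def match_rule(rules, pkt):
    """First-match lookup; the implicit last rule drops everything."""
    for r in rules:
        if (_in(r.src, pkt.src) and _in(r.dst, pkt.dst)
                and r.proto == pkt.proto and r.port == pkt.dport):
            return r.action
    return "drop"


class StatefulFirewall:
    """TCP flows accepted by a rule are recorded; packets belonging to a
    recorded flow in either direction pass on state. ICMP gets no entry,
    so each ICMP packet must match a rule on its own."""

    def __init__(self, rules):
        self.rules = rules
        self.conns = set()   # (src, sport, dst, dport) of accepted TCP flows

    def filter(self, pkt):
        if pkt.proto == "tcp":
            fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if fwd in self.conns or rev in self.conns:
                return "accept (state)"
            action = match_rule(self.rules, pkt)
            if action in ("accept", "encrypt"):
                self.conns.add(fwd)
            return action
        return match_rule(self.rules, pkt)   # icmp: stateless per-packet decision


def run(rules, packets):
    fw = StatefulFirewall(rules)
    return [fw.filter(p) for p in packets]


# The single one-way rulebase from the thread, plus a ping rule in the same direction.
ONE_WAY = [Rule("Remote-net", "DMZ-net", "tcp", 80, "encrypt"),
           Rule("Remote-net", "DMZ-net", "icmp", 8, "encrypt")]
# A narrow rule for the echo-reply direction only (constructed).
ECHO_REPLY_BACK = Rule("DMZ-net", "Remote-net", "icmp", 0, "encrypt")

HTTP_FLOW = [
    Packet("10.1.0.5", "192.0.2.10", "tcp", 40000, 80),   # Remote -> DMZ, new connection
    Packet("192.0.2.10", "10.1.0.5", "tcp", 80, 40000),   # DMZ reply, passes on state
    Packet("192.0.2.10", "10.1.0.5", "tcp", 50000, 80),   # DMZ tries to initiate: no rule
]
PING = [
    Packet("10.1.0.5", "192.0.2.10", "icmp", 0, 8),       # echo-request
    Packet("192.0.2.10", "10.1.0.5", "icmp", 0, 0),       # echo-reply, no state to ride on
]


def http_decisions():
    return run(ONE_WAY, HTTP_FLOW)


def ping_decisions(with_reply_rule=False):
    rules = ONE_WAY + ([ECHO_REPLY_BACK] if with_reply_rule else [])
    return run(rules, PING)


def dmz_initiated_with_reply_rule():
    """Adding the echo-reply rule does not let a DMZ host open TCP into the Remote LAN."""
    return run(ONE_WAY + [ECHO_REPLY_BACK], [HTTP_FLOW[2]])[0]


if __name__ == "__main__":
    print(http_decisions())                 # ['encrypt', 'accept (state)', 'drop']
    print(ping_decisions())                 # ['encrypt', 'drop']
    print(ping_decisions(True))             # ['encrypt', 'encrypt']
    print(dmz_initiated_with_reply_rule())  # drop
```

The third HTTP packet shows the property the original question asked for: a DMZ host sending a fresh SYN toward the Remote LAN has no matching flow and no matching rule, so it is dropped, while the reply to a Remote-initiated connection passes on state alone. The ping case shows why the test was misleading: with no connection entry for ICMP, the echo-reply is only passed when a reply-direction rule exists, and that rule can be scoped to echo-reply so it does not reopen the Remote LAN to DMZ-initiated TCP.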