
RE: [FW1] VPN and NAT Question



George,

You shouldn't have any problems with your VPN and routing.  Ensure that
your encrypted connections are encapsulated (they probably are), then just
"pretend" that 192.168 addresses are routable across the internet.

So the packet arrives at firewall A destined for 192.168.3.50, Firewall A
routes it to the internet.  However it then encapsulates it in a new packet
whose destination address is the valid external (internet routable) address
of Firewall B, and the source is the address of Firewall A.  Firewall B gets
the packet, decrypts it and drops it on the interface it has attached to the
192.168.3.0 network.

See?  It just works.  No need to worry.

Paul.
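The encapsulation Paul describes, written out as a small Python model. This is an added illustration, not Paul's code and not anything from Check Point; FireWall-1 does none of this in Python. It assumes the private addressing from the thread, constructed documentation-range public addresses (198.51.100.1 for Firewall A, 203.0.113.1 for Firewall B), and a toy XOR transform standing in for the real ESP encryption; the names Gateway, trace and inject_at_b are mine. Besides the forwarding decision at A and the decapsulation at B, it shows the two checks B should make before trusting a decapsulated packet: the outer source must be a configured peer, and the inner source must lie inside that peer's encryption domain.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """Cleartext IP packet as a host on a private LAN sees it."""
    src: IPv4Address
    dst: IPv4Address
    payload: bytes


@dataclass(frozen=True)
class TunnelPacket:
    """Outer packet the internet sees: gateway public address to gateway public address."""
    src: IPv4Address
    dst: IPv4Address
    ciphertext: bytes


# Constructed stand-in for the key the two gateways negotiated; NOT real cryptography.
DEMO_KEY = b"demo-shared-key"


def toy_crypt(data: bytes) -> bytes:
    """Placeholder for ESP encryption: XOR with a repeating key (self-inverse)."""
    return bytes(b ^ DEMO_KEY[i % len(DEMO_KEY)] for i, b in enumerate(data))


def encode_inner(pkt: Packet) -> bytes:
    return f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload


def decode_inner(data: bytes) -> Packet:
    src, dst, payload = data.split(b"|", 2)
    return Packet(ip_address(src.decode()), ip_address(dst.decode()), payload)


class Gateway:
    """A VPN gateway: its directly attached LANs plus each peer's encryption domain."""

    def __init__(self, name, public_ip, interfaces, peers):
        self.name = name
        self.public_ip = ip_address(public_ip)
        self.interfaces = {iface: ip_network(net) for iface, net in interfaces.items()}
        self.peers = {ip_address(p): [ip_network(n) for n in nets] for p, nets in peers.items()}

    def local_interface(self, addr):
        return next((i for i, net in self.interfaces.items() if addr in net), None)

    def peer_for(self, addr):
        return next((p for p, dom in self.peers.items() if any(addr in n for n in dom)), None)

    def forward(self, pkt):
        """Route a cleartext packet: attached LAN, VPN peer, drop, or plain internet."""
        iface = self.local_interface(pkt.dst)
        if iface is not None:
            return ("deliver", iface)
        peer = self.peer_for(pkt.dst)
        if peer is not None:
            # Inner 192.168 packet rides inside an outer packet between public addresses.
            outer = TunnelPacket(self.public_ip, peer, toy_crypt(encode_inner(pkt)))
            return ("tunnel", outer)
        if pkt.dst.is_private:
            return ("drop", "private destination not in any encryption domain")
        return ("internet", pkt)

    def receive_tunnel(self, outer):
        """Decapsulate an outer packet and route the inner one; reject what no peer may send."""
        if outer.dst != self.public_ip:
            return ("drop", "outer destination is not this gateway")
        if outer.src not in self.peers:
            return ("drop", "outer source is not a configured VPN peer")
        inner = decode_inner(toy_crypt(outer.ciphertext))
        if not any(inner.src in n for n in self.peers[outer.src]):
            return ("drop", "inner source outside that peer's encryption domain")
        return self.forward(inner)


# Topology from the thread; public addresses are constructed documentation addresses.
FW_A = Gateway("Firewall A", "198.51.100.1",
               {"lan1": "192.168.1.0/24", "lan2": "192.168.2.0/24"},
               {"203.0.113.1": ["192.168.3.0/24"]})
FW_B = Gateway("Firewall B", "203.0.113.1",
               {"lan3": "192.168.3.0/24"},
               {"198.51.100.1": ["192.168.1.0/24", "192.168.2.0/24"]})


def trace(src, dst, payload=b"ping"):
    """Follow a packet from a host behind A; returns one (hop, action, detail) per step."""
    pkt = Packet(ip_address(src), ip_address(dst), payload)
    action, detail = FW_A.forward(pkt)
    if action != "tunnel":
        return [(FW_A.name, action, str(detail))]
    outer = detail
    steps = [(FW_A.name, "tunnel", f"outer {outer.src} -> {outer.dst}")]
    # The internet forwards only the outer header; B sees the inner packet after decryption.
    action, detail = FW_B.receive_tunnel(outer)
    steps.append((FW_B.name, action, str(detail)))
    return steps


def inject_at_b(outer_src, inner_src, inner_dst):
    """What B does with an outer packet from an arbitrary source, e.g. a non-peer."""
    inner = Packet(ip_address(inner_src), ip_address(inner_dst), b"x")
    outer = TunnelPacket(ip_address(outer_src), FW_B.public_ip, toy_crypt(encode_inner(inner)))
    action, detail = FW_B.receive_tunnel(outer)
    return (action, str(detail))
```

Running `trace("192.168.1.200", "192.168.3.50")` yields the two hops Paul describes: A tunnels the packet inside an outer 198.51.100.1 -> 203.0.113.1 packet, and B delivers the inner packet on its 192.168.3.0 interface. Neither firewall needs a host route for the far 192.168 network; the encryption-domain lookup replaces it. The `inject_at_b` helper shows why the peer and inner-source checks matter: without them, any internet host that learned the outer format could hand B a packet that looks like it came from behind A.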


-----Original Message-----
From: George Olney [mailto:[email protected]]
Sent: 17 October 2000 19:07
To: '[email protected]'
Subject: [FW1] VPN and NAT Question



> Hi
> 
> I have a problem with setting up a VPN and NAT.
> 
> Have two Firewall-1 VPNs 4.1 SP1, NT Servers. Each residing at separate
> offices. We have configured the VPN option on both and have successfully
> exchanged Certificates/Keys. 
> 
> Firewall A has three network cards in, one attached to the internet with a
> valid IP address and two with IP addresses for two subnets 192.168.1.0 and
> 192.168.2.0 (i.e. 1.254 and 2.254)
> 
> Firewall B has two network cards, one attached to the internet with a
> valid IP address and one with an IP address (192.168.3.254) for the subnet
> 192.168.3.0
> 
> We have two problems..
> 
> the first is that we cannot ping a server we have set up with NAT on our
> 3.0 network from the Internet, (even with all firewall rules relaxed i.e.
> allow everything) 
> If we ping the valid internet address of the server from the console on
> Firewall B, it resolves and replies.
> 
> The second, more important problem is..
> 
> how do I route encrypted traffic from Firewall A to Firewall B using the
> VPN - i.e. say my IP address is 192.168.1.200 on Firewall A and I want to
> speak to host 192.168.3.50 at the other office - what do I do? I have set
> the rule base up to encrypt traffic either way using a group  (i.e.
> grouping Networks 192.168.1.0 and 192.168.2.0 on Firewall A and
> 192.168.3.0 on Firewall B, allowing any traffic to be encrypted). So I
> think according to the manual the VPN seems to be okay.
> 
> It's just, I don't understand how you route traffic from say our
> 192.168.1.0 network on Firewall 1 to a server in the 192.168.3.0 network
> on Firewall 2.  Normally, it is easy to do with the Firewall using 'route
> add' at the NT command prompt. 
> 
> The problem I have now is, how and where do I tell the Firewall A NT
> server how to route an invalid 192.168.3.x address to the Firewall B NT
> server over the internet. And, if I was successful in doing this, how do I
> ensure that when it gets to Firewall B, the firewall there can route
> 192.168.3.x traffic.
> 
> I guess what I am asking is, what is the process, from me typing
> 192.168.3.50 behind Firewall A to it getting passed via the VPN to
> Firewall B?
> 
> Our configuration is set up so that it treats Firewall B as an external
> network as per page 67 in the VPN Guide.
> 
> Please help. Even if it is a referral to a page in any of the Checkpoint
> books. I cannot find it!
> 
> Thanks
> 
> George


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================