Re: [FW1] VPN Source Address Issue
Neil,

This sounds simple enough (except that the 17.1, 17.2 and 171.1 info seems inconsistent -- probably a typo).

Create a rule for each firewall

    SRC    DST    SVC  XLSRC  XLDST  INSTALL ON
    site1  site2  any  orig   orig   site1firewall
    site2  site2  any  orig   orig   site2firewall

And you should be set.

One point - the packets are still encapsulated, but without the above spec, they are translated, and then encapsulated. This would allow networks with similar IP addresses to still VPN.

CryptoTech

Neil Pike wrote:

> I've got an IKE 3DES VPN over the internet working between two sites.
> Both sites form part of an illegal addressing scheme (but are compatible
> with each other) e.g. one is 17.1.x.x and the other is 17.2.x.x. Both have
> FW-1 4.1 SP2 devices connecting to the internet, with an internal 17.x.x.x
> interface and an external ISP assigned interface. One site is self
> contained, the other forms part of a much larger WAN environment.
>
> It all works fine whilst the default gateway for the hosts either side is
> the firewall itself, but when I tried to connect to other subnets connected
> to the large WAN environment it failed. On investigation this was because
> the packets from the 17.1.x.x network exiting the firewall on the 17.2.x.x
> network did not have the original 171.1.x.x source address, but instead
> still had the internet facing address of the original firewall, which is
> non-routable to the internal network.
>
> Is there any way to get the packets "truly" encapsulated, such that when
> they exit the firewall they have the original source IP address, which is
> what I need in this instance to route them back.
>
> Hope this is a reasonably clear explanation.
>
> Neil Pike
> Protech Computing Ltd
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
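
The translate-then-encapsulate order described in the reply, as an added Python model (not part of the original thread and not Check Point code). It assumes first-match rule evaluation, an existing hide rule on the site1 firewall, /16 prefixes for the two sites, and constructed external addresses 192.0.2.1 and 198.51.100.1.

```python
import ipaddress
from dataclasses import dataclass

ORIG = "orig"  # as in the XLSRC column: leave the source address unchanged

@dataclass
class NatRule:
    src: str    # network the packet source must fall in
    dst: str    # network the packet destination must fall in
    xlsrc: str  # ORIG, or the single address to hide the source behind

def translate(rules, src, dst):
    """Return the source address after NAT; the first matching rule wins."""
    for rule in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)):
            return src if rule.xlsrc == ORIG else rule.xlsrc
    return src  # no rule matched: untranslated

def send_through_vpn(rules, src, dst, fw_ext, peer_ext):
    """Translate, then encapsulate. Returns (outer header, inner header)."""
    inner = (translate(rules, src, dst), dst)  # NAT happens first
    outer = (fw_ext, peer_ext)                 # tunnel header added afterwards
    return outer, inner

def source_seen_by_remote_lan(rules, src, dst, fw_ext, peer_ext):
    """The peer strips the outer header; the inner source is what the
    remote WAN has to be able to route back to."""
    _outer, inner = send_through_vpn(rules, src, dst, fw_ext, peer_ext)
    return inner[0]

# Constructed sample values (assumptions, not taken from the thread).
SITE1, SITE2 = "17.1.0.0/16", "17.2.0.0/16"
FW1_EXT, FW2_EXT = "192.0.2.1", "198.51.100.1"
HIDE = NatRule(SITE1, "0.0.0.0/0", FW1_EXT)  # assumed existing hide rule
NO_NAT = NatRule(SITE1, SITE2, ORIG)         # site1 -> site2 row from the reply

if __name__ == "__main__":
    for name, rules in (("hide only", [HIDE]),
                        ("no-NAT first", [NO_NAT, HIDE]),
                        ("no-NAT last", [HIDE, NO_NAT])):
        print(name, "->", source_seen_by_remote_lan(
            rules, "17.1.5.10", "17.2.8.20", FW1_EXT, FW2_EXT))
```

In this model the original 17.1.x.x source survives only when the orig/orig rule sits above the hide rule.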