Re: [FW1] VPN Source Address Issue



Neil,
This sounds simple enough (except that the 17.1, 17.2 and 171.1 info seems
inconsistent -- probably a typo.)
Create a rule for each firewall:

SRC      DST      SVC    XLSRC    XLDST    INSTALL ON
site1    site2    any    orig     orig     site1firewall
site2    site2    any    orig     orig     site2firewall

And you should be set.  One point - the packets are still encapsulated, but without
the above spec, they are translated, and then encapsulated.  This would allow
networks with similar IP addresses to still VPN.

CryptoTech

Neil Pike wrote:

>  I've got an IKE 3DES VPN over the internet working between two sites.
> Both sites form part of an illegal addressing scheme (but are compatible
> with each other) e.g. one is 17.1.x.x and the other is 17.2.x.x.  Both have
> FW-1 4.1 SP2 devices connecting to the internet, with an internal 17.x.x.x
> interface and an external ISP assigned interface.  One site is self
> contained, the other forms part of a much larger WAN environment.
>
>  It all works fine whilst the default gateway for the hosts either side is
> the firewall itself, but when I tried to connect to other subnets connected
> to the large WAN environment it failed.  On investigation this was because
> the packets from the 17.1.x.x network exiting the firewall on the 17.2.x.x
> network did not have the original 171.1.x.x source address, but instead
> still had the internet facing address of the original firewall, which is
> non-routable to the internal network.
>
>  Is there any way to get the packets "truly" encapsulated, such that when
> they exit the firewall they have the original source IP address, which is
> what I need in this instance to route them back.
>
>  Hope this is a reasonably clear explanation.
>
>  Neil Pike
>  Protech Computing Ltd
>
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
> ================================================================================
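The exchange above is about rule ordering: the hide-NAT rule rewrites the source to the firewall's Internet-facing address before the packet enters the tunnel, so the far side decapsulates a packet whose inner source is not routable on the internal WAN. The following is an added example, not code from the thread or from Check Point: a small first-match NAT rule-base simulator that reproduces the symptom with a hide-NAT-only rule base and shows the effect of placing an orig/orig rule ahead of it. Everything in it is an assumption for the demo: the addresses 198.51.100.1 and 203.0.113.9, the choice to model "site2" as 17.2.0.0/15 so that it also covers the WAN subnets reachable through site2, and the simplification that NAT is evaluated as a first-match list before encapsulation.

```python
"""Added example: simulate NAT-before-encapsulation with and without a no-NAT rule.

Hypothetical topology (constructed for this demo, not from the thread except
for the 17.1.x.x / 17.2.x.x ranges Neil mentions).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SITE1 = ipaddress.ip_network("17.1.0.0/16")          # self-contained site
SITE2_WAN = ipaddress.ip_network("17.2.0.0/15")      # site2 plus the WAN subnets behind it (17.2.x.x, 17.3.x.x)
ANY = ipaddress.ip_network("0.0.0.0/0")
FW1_EXTERNAL = ipaddress.ip_address("198.51.100.1")  # hypothetical ISP address of the site1 firewall
INTERNAL_ROUTES = [SITE1, SITE2_WAN]                 # prefixes the internal WAN routers can route back to


@dataclass(frozen=True)
class NatRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    xlate_src: Optional[ipaddress.IPv4Address]  # None models "orig": leave the source unchanged


# Rule base 1: only the usual hide-NAT rule; site1 -> anywhere becomes the firewall's address.
RULES_HIDE_ONLY = [
    NatRule(SITE1, ANY, FW1_EXTERNAL),
]

# Rule base 2: the orig/orig rule from the reply placed FIRST, so VPN-bound traffic
# matches it before the hide-NAT rule can rewrite the source.
RULES_WITH_NO_NAT = [
    NatRule(SITE1, SITE2_WAN, None),
    NatRule(SITE1, ANY, FW1_EXTERNAL),
]


def apply_nat(rules, src, dst):
    """First matching rule wins (modelled as first-match); no match means no translation."""
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return src if rule.xlate_src is None else rule.xlate_src
    return src


def simulate(rules, src_ip, dst_ip):
    """Model the site1 firewall: translate first, then encapsulate.

    Returns the source address the tunnel peer will see after decapsulation
    and whether a reply to that address can be routed on the internal WAN.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    src_seen_by_peer = apply_nat(rules, src, dst)  # NAT happens before encapsulation
    return {
        "outer_src": FW1_EXTERNAL,
        "src_seen_by_peer": src_seen_by_peer,
        "dst": dst,
        "routable_internally": any(src_seen_by_peer in net for net in INTERNAL_ROUTES),
    }


if __name__ == "__main__":
    # A host at site1 talking to a subnet behind site2 on the large WAN.
    for name, rules in (("hide-NAT only", RULES_HIDE_ONLY), ("orig/orig rule first", RULES_WITH_NO_NAT)):
        p = simulate(rules, "17.1.10.5", "17.3.20.7")
        print(f"{name}: peer sees source {p['src_seen_by_peer']}, "
              f"reply routable internally: {p['routable_internally']}")
```

Running it shows the hide-NAT-only rule base handing site2 a packet sourced from 198.51.100.1, which the internal WAN cannot route a reply to, while the rule base with the orig/orig rule first keeps 17.1.10.5 as the inner source. Internet-bound traffic from site1 still falls through to the hide rule, so the no-NAT rule does not weaken address hiding toward the outside.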