Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW1] GRE Decoding

To: [email protected]
Subject: Re: [FW1] GRE Decoding
From: Vitaly Fedrushkov <[email protected]>
Date: Tue, 13 Feb 2001 00:51:04 +0500 (YEKT)
Cc: [email protected]
In-reply-to: <EEB039809FDDD211B0150008C707A9F501A96C92@bmieont600.bmieo.bmwhem.bakernet.com>
Sender: [email protected]

Good $daytime,

> Date: Tue, 6 Feb 2001 15:57:33 -0600 
> From: [email protected]
> To: [email protected]
> Subject: [FW1] GRE Decoding

> We are looking to implemenet Cisco-Cisco Tunnels between sites that
> are connected via Frame Relay AND a FW-1 VPN tunnel. The reason
> being is that we can control routing decisions at each cisco by
> having the remote LAN available via a Frame Relay (128Mbs) and a T-1
> to the internet on each side with a VPN tunnel. It's hard to
> describe in brief in an email, but that's not the point....

Side note: there are other ways to peer non-adjacent Cisco routers.
If your only intent is to exchange routing data, you probably don't
need to encapsulate all traffic in between.

> The point is: with the Cisco to Cisco tunnel, it will encapsulate
> everything in GRE. So, in the FW logs, I will see GRE traffic from
> router to router, and not HTTP/FTP/Netbios/etc traffic from host to
> host. Does anybody know a way for the FW to decode that encapsulated
> packet when it writes into the logs. If everything is in GRE, it
> will minimize the ability of the FW logs for troubleshooting and
> management. It's not a show stopper, but I would like to know if
> it's possible.

That is why you'd better put VPNs _before_ and firewalls _after_
tunnels of any kind (assuming you're looking from outside :).

  Regards,
  Willy.

--
"No easy hope or lies        | Vitaly "Willy the Pooh" Fedrushkov
 Shall bring us to our goal, | Control Systems and Processes Division
 But iron sacrifice          | LUKOIL Company, Chelyabinsk Branch
 Of Body, Will and Soul."    | mailto:[email protected]  +7 3512 620367
                   R.Kipling | 



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

References:
- [FW1] GRE Decoding
  - From: [email protected]

Prev by Date: [FW1] SYNDefender Questions...
Next by Date: RE: [FW1] FTP problems
Previous by thread: Re: [FW1] GRE Decoding
Next by thread: [FW1] Scanner found Firewall-1 S/Key Authentication Vulnerability
Index(es):
- Date
- Thread