[FW1] address translation/encryption timing question
I have a customer site that is both Internet accessible and also accessible across a dedicated private T1. Our employees access the site via one of 2 methods.

#1: A frame relay WAN (hub and spoke topology), then through a central managed T1 Internet connection, or directly via the Internet. Some of our sites are connected to our corporate offices by Checkpoint IKE site-to-site VPN (no frame). Additionally, many vendors access the site via the Internet, not just my company.

#2: The customer has allowed us to connect 1 frame site to them via a dedicated T1. One frame relay connected site accesses the customer servers via this dedicated T1. Because performance is better, the customer now wants to allow one of our VPN-only sites to connect to them via the dedicated T1. They are adamant about restricting access via the dedicated T1 to only the 1 frame site and the 1 VPN-only site.

I accomplished this. I modified the encryption domain of the frame hub site to include the networks of the customer's servers. I also included a dummy network. I use address translation at the VPN-only site to intercept requests for the customer server and translate the customer server addresses into the dummy range. When the traffic reaches the frame hub site, I direct the dummy addresses to the Checkpoint firewall that is between us and the customer, and then translate the dummy addresses back to live ones. This all works fine. Our frame-connected sites that are not allowed to use the dedicated T1 access the customer servers via the frame network and find the servers via the Internet. The 1 VPNed site and the 1 frame site that are to utilize the dedicated T1 access the customer servers fine as well.

I suspect I will have a problem with our other sites that are VPN-only connected to the corporate office. This is because I have to include the customer server's live addresses in the corporate office's encryption domain. Since all sites have to connect to the corporate office, all sites will encrypt traffic to the customer servers since the addresses are in the CO's encryption domain. I am trying to find a way to force address translation to occur BEFORE encryption on the VPN-only sites. If I could do this, I could use dummy networks only to represent the customer servers and therefore not confuse VPN-only sites that access the customer servers via the Internet.
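The ordering problem the post describes (whether the VPN peer is chosen on the original destination or on the translated one) can be walked through with a small model. The following is an added example, not code from the post or from Checkpoint; it is a simplified model of gateway behaviour, not the product's actual packet path. All addresses are constructed from documentation ranges, the peer names (`corp_office`), site names and the `nat_before_encrypt` switch are assumptions, and static NAT is modelled as a 1:1 network-to-network offset mapping.

```python
import ipaddress

# Constructed topology (RFC 5737 documentation ranges, not the poster's real addresses).
CUSTOMER_NET = ipaddress.ip_network("203.0.113.0/24")   # customer servers, live addresses
DUMMY_NET = ipaddress.ip_network("198.51.100.0/24")     # dummy range steered over the T1
CORP_NET = ipaddress.ip_network("10.0.0.0/16")           # corporate office networks

# Two candidate encryption domains for the corporate office peer, as seen from a
# VPN-only site.  "live_in_domain" is the poster's current workaround; "dummy_only"
# is what the poster would like to use.
DOMAINS = {
    "live_in_domain": {"corp_office": [CORP_NET, DUMMY_NET, CUSTOMER_NET]},
    "dummy_only":     {"corp_office": [CORP_NET, DUMMY_NET]},
}

# Per-site static NAT: only the T1-approved VPN site translates the customer
# servers into the dummy range; every other VPN-only site has no NAT rule.
NAT_TABLES = {
    "t1_site":    [(CUSTOMER_NET, DUMMY_NET)],
    "other_site": [],
}


def static_nat(dst, nat_table):
    """Model of 1:1 static NAT: map dst into the paired network at the same offset.
    Returns the (possibly) translated address."""
    for orig_net, xlat_net in nat_table:
        if dst in orig_net:
            offset = int(dst) - int(orig_net.network_address)
            return ipaddress.ip_address(int(xlat_net.network_address) + offset)
    return dst


def match_encryption_domain(dst, domains):
    """Return the VPN peer whose encryption domain contains dst, or None (send in the clear)."""
    for peer, nets in domains.items():
        if any(dst in net for net in nets):
            return peer
    return None


def forward(dst, site, domain_variant, nat_before_encrypt):
    """Decide how a packet from `site` to `dst` leaves the gateway.
    nat_before_encrypt=False: the peer is chosen on the ORIGINAL address, NAT applied afterwards.
    nat_before_encrypt=True:  NAT is applied first and the peer is chosen on the TRANSLATED address.
    Returns the peer used ("clear" when no domain matched) and the destination put on the wire."""
    dst = ipaddress.ip_address(dst)
    domains = DOMAINS[domain_variant]
    nat_table = NAT_TABLES[site]
    if nat_before_encrypt:
        wire_dst = static_nat(dst, nat_table)
        peer = match_encryption_domain(wire_dst, domains)
    else:
        peer = match_encryption_domain(dst, domains)
        wire_dst = static_nat(dst, nat_table)
    return {"peer": peer or "clear", "wire_dst": str(wire_dst)}


def scenario_table(dst="203.0.113.10"):
    """Run every combination so the trade-off is visible in one place."""
    rows = []
    for site in NAT_TABLES:
        for variant in DOMAINS:
            for nat_first in (False, True):
                result = forward(dst, site, variant, nat_first)
                rows.append((site, variant, nat_first, result["peer"], result["wire_dst"]))
    return rows


if __name__ == "__main__":
    for row in scenario_table():
        print("site=%-10s domain=%-14s nat_first=%-5s -> peer=%-11s wire_dst=%s" % row)
```

Reading the table: with the encryption decision made on the original address, the T1 site only gets its traffic encrypted if the live customer range is in the domain, and then every other VPN-only site also encrypts its customer traffic instead of sending it to the Internet. With NAT applied first, the dummy range alone is enough for the T1 site, and the other sites, which have no NAT rule, fall through to the clear path.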