
[FW1] address translation/encryption timing question



I have a customer site that is both Internet accessible and also accessible
across a dedicated private T1.  Our employees access the site via one of 2
methods.

#1: a frame relay WAN - hub and spoke topology, then through a central managed
T1 Internet connection or directly via the Internet; some of our sites are
connected to our corporate offices by Checkpoint IKE site-to-site VPN
(no frame).  Additionally, many vendors access the site via the Internet,
not just my company.

#2: The customer has allowed us to connect 1 frame site to them via a
dedicated T1.  One frame-relay-connected site accesses the customer servers
via this dedicated T1.

Because performance is better, the customer now wants to allow one of our
VPN only sites to connect to them via the dedicated T1.  They are adamant
about restricting access via the dedicated T1 to only the 1 frame site and
the 1 VPN only site.

I accomplished this.  I modified the encryption domain of the Frame hub site
to include the networks of the customer's servers.  I also included a dummy
network.

I use address translation at the VPN only site to intercept requests for the
customer server and translate the customer server addresses into the dummy
range.  When the traffic reaches the frame hub site, I direct the dummy
addresses to the checkpoint Firewall that is between us and the customer,
and then translate the dummy addresses back to live ones.

This all works fine.  Our frame-connected sites that are not allowed to use the
dedicated T1 access the customer servers via the frame network and find the
servers via the Internet.  The 1 VPNed site and the one frame site that are
to utilize the dedicated T1 access the customer servers fine as well.

I suspect I will have a problem with our other sites that are VPN only
connected to the corporate office.  This is because I have to include the
customer server's live addresses in the corporate office's encryption
domain.  Since all sites have to connect to the corporate office, all sites
will encrypt traffic to the customer servers since the addresses are in the
CO's encryption domain.

I am trying to find a way to force address translation to occur BEFORE
encryption on the VPN only sites.  If I could do this, I could use dummy
networks only to represent the customer servers and therefore not confuse
VPN only sites that access the customer servers via the Internet.
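The ordering problem the post describes can be made concrete with a small model of the path decision. The following Python is an added illustration, not part of the original post and not Check Point's own processing logic: it models a gateway that matches a packet's destination against the corporate office's encryption domain either after or before its own static NAT rule runs, and shows which sites end up tunnelling traffic they should have sent via the Internet. All addresses, site names and the `CUSTOMER_LIVE` to `CUSTOMER_DUMMY` mapping are constructed for the example; which order a given FW-1 release actually applies is an assumption the model parameterizes rather than asserts.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed, illustrative ranges (not from the original post).
CUSTOMER_LIVE = IPv4Network("198.51.100.0/24")   # customer servers' real addresses
CUSTOMER_DUMMY = IPv4Network("10.250.0.0/24")    # dummy range that is routed over the dedicated T1
CORP_NETS = [IPv4Network("10.1.0.0/16")]         # corporate office's own networks


def translate_to_dummy(dst: IPv4Address) -> IPv4Address:
    """Static NAT: map a live customer address to the same host offset in the dummy range."""
    if dst not in CUSTOMER_LIVE:
        return dst
    offset = int(dst) - int(CUSTOMER_LIVE.network_address)
    return IPv4Address(int(CUSTOMER_DUMMY.network_address) + offset)


def translate_to_live(dst: IPv4Address) -> IPv4Address:
    """Reverse NAT applied at the frame hub before handing traffic to the customer-facing firewall."""
    if dst not in CUSTOMER_DUMMY:
        return dst
    offset = int(dst) - int(CUSTOMER_DUMMY.network_address)
    return IPv4Address(int(CUSTOMER_LIVE.network_address) + offset)


def in_domain(addr: IPv4Address, domain: list[IPv4Network]) -> bool:
    return any(addr in net for net in domain)


@dataclass
class Site:
    name: str
    nat_customer: bool   # True only at the VPN site that is allowed onto the T1 path


def egress(site: Site, dst: IPv4Address, co_domain: list[IPv4Network],
           nat_before_encrypt: bool) -> tuple[str, IPv4Address]:
    """Return (path, destination address as it leaves the site).

    path is "vpn" when the destination matches the corporate office's encryption
    domain at the moment the encryption decision is made, else "internet".
    """
    addr = dst
    if nat_before_encrypt and site.nat_customer:
        addr = translate_to_dummy(addr)          # NAT first: the tunnel only ever sees the dummy range
    path = "vpn" if in_domain(addr, co_domain) else "internet"
    if not nat_before_encrypt and site.nat_customer:
        addr = translate_to_dummy(addr)          # NAT after the decision: decision used the live address
    return path, addr


def hub_forward(addr: IPv4Address) -> tuple[str, IPv4Address]:
    """Frame hub: dummy destinations go to the customer-facing firewall, translated back to live."""
    if addr in CUSTOMER_DUMMY:
        return "t1-firewall", translate_to_live(addr)
    return "default-route", addr


def scenario(nat_before_encrypt: bool) -> dict[str, tuple[str, IPv4Address]]:
    """Path taken by each site for one customer server, under the given processing order."""
    co_domain = CORP_NETS + [CUSTOMER_DUMMY]
    if not nat_before_encrypt:
        # With NAT after the encryption decision, the T1-enabled site only tunnels the
        # customer traffic if the live addresses are in the CO domain, which is exactly
        # the change the post says it was forced to make.
        co_domain = co_domain + [CUSTOMER_LIVE]
    sites = [Site("vpn-site-allowed-on-T1", nat_customer=True),
             Site("other-vpn-only-site", nat_customer=False)]
    server = IPv4Address("198.51.100.10")
    return {s.name: egress(s, server, co_domain, nat_before_encrypt) for s in sites}


if __name__ == "__main__":
    for order in (False, True):
        print("NAT before encryption:", order)
        for name, (path, addr) in scenario(order).items():
            print(f"  {name:24s} -> {path:8s} {addr}")
```

Running the block shows the two outcomes side by side: with the encryption decision made on the live address, the other VPN-only site also matches the corporate office's domain and tunnels its customer traffic instead of using the Internet; with NAT applied first, only the translated dummy range is ever in the domain, so that site's live-address traffic falls through to the Internet while the T1-enabled site's dummy-addressed traffic is tunnelled and then mapped back to a live address at the hub.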




