
Re: [FW1] Three Firewall VPN



As long as your 3rd firewall / encryption domain is fully contained within
another encryption domain (called a proper subset), you can do this.
If the encryption domains partially overlap (i.e. some hosts are in one, but
not the other), then part of your VPN will inevitably fail; besides,
Checkpoint won't let you do this.
You'll need rules on the firewall in between to pass the encrypted packets
through without decrypting them.
So to answer your Q, this IS possible, but the encryption domains CANNOT
overlap - they can either FULLY overlap (i.e. both contain the same hosts), or
be FULLY ENCLOSED in another.

Tim

----- Original Message -----
From: Joe Matusiewicz <[email protected]>
To: <[email protected]>
Sent: 27 March 2001 14:22
Subject: [FW1] Three Firewall VPN


>
> Greetings,
>
> I have a working VPN between one of my Checkpoint firewalls to another
> organization's Checkpoint firewall so that my internal users can access a
> mainframe on the other end.  I have a third internal Checkpoint firewall
> and they want to know if I could run the VPN through all three firewalls.
> The setup they want looks like this:
>
> mframe<-->theirfw<-->Internet<--myfw-->mysecondfw<-->server
>
> Is this possible?  I tried looking at how to go about this but it seems
> that the encryption domains wouldn't match.  The myfw object includes the
> mysecondfw encryption domain.  Plus I'm a little confused on what to put as
> the destination in the VPN rule.
>
> Has anyone been able to do this?
>
>
> -- Joe
>
>
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
>
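
The containment rule discussed in this thread can be checked on paper before any gateway objects are touched. The script below is an added example, not part of the original messages and not Check Point tooling: it treats each encryption domain as a list of CIDR networks and reports whether two domains are identical, nested, disjoint, or partially overlapping. All addresses and the function names are constructed for illustration.

```python
from ipaddress import ip_network, collapse_addresses


def _domain(cidrs):
    """Normalise a list of CIDR strings into a minimal set of networks."""
    return list(collapse_addresses(ip_network(c) for c in cidrs))


def _within(inner, outer):
    """True if every address in `inner` is also covered by `outer`."""
    return all(any(n.subnet_of(o) for o in outer) for n in inner)


def classify(dom_a, dom_b):
    """Describe how encryption domain A relates to encryption domain B."""
    a, b = _domain(dom_a), _domain(dom_b)
    a_in_b, b_in_a = _within(a, b), _within(b, a)
    if a_in_b and b_in_a:
        return "identical"
    if a_in_b:
        return "a-inside-b"
    if b_in_a:
        return "b-inside-a"
    if any(x.overlaps(y) for x in a for y in b):
        return "partial-overlap"
    return "disjoint"


def conflicts(dom_a, dom_b):
    """Partial overlap is the case the thread says will break the VPN."""
    return classify(dom_a, dom_b) == "partial-overlap"


# Constructed sample domains (not taken from the thread).
MYFW = ["10.1.0.0/16"]                       # outer gateway
MYSECONDFW = ["10.1.20.0/24"]                # inner gateway, nested
STRADDLING = ["10.1.20.0/24", "10.2.0.0/24"]  # partly outside MYFW
THEIRFW = ["192.168.50.0/24"]                # remote peer

if __name__ == "__main__":
    for name, dom in [("mysecondfw", MYSECONDFW),
                      ("straddling", STRADDLING),
                      ("theirfw", THEIRFW)]:
        print(f"myfw vs {name}: {classify(MYFW, dom)}")
```

Domains are collapsed first, so two /17 halves compare as identical to the /16 they make up.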





 
   All contents © 2004 Network Presence, LLC. All rights reserved.