Hello,
I am hoping someone on the list can help me out
with a question I have regarding encryption domains and VPNs.
Currently I have a pretty standard configuration, in
that I have two Check Point firewalls (v4.0) at different sites and a VPN
between them. Each firewall object has as its encryption domain the
internal network behind that firewall (really a group of internal
networks). Then there are the policy rules defined between the two
encryption domains. Everything works fine and dandy.
Both firewalls allow some incoming access from the
outside to hosts on their internal networks (say, for SMTP and HTTPS servers),
and those objects have valid external NAT addresses defined for them. This
all works well and good also.
Let's call these two firewalls Firewall A and
Firewall B.
Now, for reasons not worth explaining, there is a
host on the internal network behind Firewall B that I want to allow traffic to from
the outside, BUT I want to receive that incoming traffic at Firewall A and
do the NAT for it there.
Kind of looks like this:

outside client ---> FwA ---------via vpn-------- FwB -----> inside server
The valid external address for this server is an
external address valid on Firewall A's external network.
Right now my policy rules allow:

SRC: FwA-encryption-domain  DEST: FwB-encryption-domain  ACTION: Encrypt
The outside client could be any external
address. How can I change the encryption domain of Firewall A to be
"anything" and not just what it is now (which is the internal
network)?
Is this possible? Am I approaching this
correctly, or is there another method to accomplish what I am trying to
do?
I am running my firewalls on Solaris, by the
way.
Any information would be GREATLY
appreciated.
Thank you.
Elaine