RE: [FW1] encryption domain for external networks?
This sounds quite a bit like setting up multiple entry points for SecuRemote users. This may or may not work, but I would set up your NAT rule on fw-a and add static routes on the host to reply back through fw-a or whatever router is behind it. This is just a guess though. I'd be curious to hear if you solve this in some way.

Chris

-----Original Message-----
From: Elaine Lolos
To: [email protected]
Sent: 5/17/01 7:18 PM
Subject: [FW1] encryption domain for external networks?

Hello,

I am hoping someone on the list can help me out with a question I have regarding encryption domains and VPNs.

Currently I have a pretty standard configuration in that I have two Check Point firewalls (v4.0) at different sites, and a VPN between them. Each firewall object has as its encryption domain the internal network behind that firewall (really a group of internal networks). Then there are the policy rules defined between the two encryption domains. Everything works fine and dandy.

Both firewalls allow some incoming access from the outside to hosts on their internal networks (say for smtp and https servers), and those objects have valid external NAT addresses defined for them. This all works well and good also.

Let's call these two firewalls Firewall A and Firewall B. Now for reasons not worth explaining, there is a host on the internal network behind Firewall B that I want to allow traffic from the outside for, BUT I want to receive that incoming traffic at Firewall A, and NAT for it there. Kind of looks like this:

    outside client ---> FwA ---------via vpn-------- FwB -----> inside server

The valid external address for this server is an external address valid at Firewall A's external network.

Right now my policy rules allow:

    SRC: FwA-encryption-domain   DEST: FwB-encryption-domain   ACTION: Encrypt

The outside client could be any external address. How can I change the encryption domain of Firewall A to be "anything" and not just what it is now (which is the internal network)?

Is this possible?? Am I approaching this correctly, or is there another method to accomplish what I am trying to do?

I am running my firewalls on Solaris, by the way.

Any information would be GREATLY appreciated. Thank you.

Elaine

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
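The following is an added illustration, not code from either poster or from Check Point: a small Python model of how an Encrypt rule between two encryption domains matches a packet in the topology Elaine describes. All addresses are constructed sample values, and the model assumes the rule is evaluated against the server's real (post-NAT) address on the FwA side; it shows why an outside client falls outside FwA's current domain and what widening that domain to 0.0.0.0/0 changes, namely that every source on the Internet then matches the Encrypt rule toward FwB's domain.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class EncryptionDomain:
    """A named group of networks, like a FW-1 encryption-domain group object."""
    name: str
    networks: list

    def contains(self, addr: str) -> bool:
        a = ip_address(addr)
        return any(a in net for net in self.networks)


# Constructed sample addressing (not taken from the post).
FWA_INTERNAL = EncryptionDomain(
    "FwA-encryption-domain",
    [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")],
)
FWB_INTERNAL = EncryptionDomain(
    "FwB-encryption-domain",
    [ip_network("10.3.0.0/16")],
)
# The "anything" domain Elaine asks about: every IPv4 address.
FWA_ANYTHING = EncryptionDomain("FwA-anything", [ip_network("0.0.0.0/0")])

INSIDE_SERVER = "10.3.0.25"      # real address of the server behind FwB
OUTSIDE_CLIENT = "203.0.113.7"   # arbitrary Internet client
FWA_INSIDE_HOST = "10.1.5.5"     # a host inside FwA's own domain


def rule_matches(src: str, dst: str,
                 src_domain: EncryptionDomain,
                 dst_domain: EncryptionDomain) -> bool:
    """SRC: src_domain  DEST: dst_domain  ACTION: Encrypt -- does it match?"""
    return src_domain.contains(src) and dst_domain.contains(dst)


def decide(src: str, dst: str, fwa_domain: EncryptionDomain) -> str:
    """Outcome of the FwA->FwB Encrypt rule for one packet (model assumption:
    dst is the server's real address, i.e. NAT at FwA has already applied)."""
    if rule_matches(src, dst, fwa_domain, FWB_INTERNAL):
        return "Encrypt"
    return "no match"


def sources_matching(fwa_domain: EncryptionDomain) -> list:
    """Which of the sample sources the rule would encrypt toward the server."""
    return [s for s in (OUTSIDE_CLIENT, FWA_INSIDE_HOST)
            if decide(s, INSIDE_SERVER, fwa_domain) == "Encrypt"]


if __name__ == "__main__":
    for dom in (FWA_INTERNAL, FWA_ANYTHING):
        print(f"{dom.name}: encrypts from {sources_matching(dom)}")
```

With the internal-network domain only the inside host matches; with the 0.0.0.0/0 domain both sources match, which is exactly the widening that makes the outside client's traffic eligible for the tunnel and, by the same token, makes the rule reach every other source as well.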