
Re: [FW-1] 2 internet links on 1 firewall



Hi Yannick

I think that's because you cannot distinguish your traffic by the
destination address (legacy routing, as it all goes towards the Internet);
you might consider using the source address instead. Therefore you need
routing for the following rule:

+ If S=y then Default_route_next_hop=Y
else Default_route_next_hop=X

This is called POLICY ROUTING.

In Linux that's no problem; see:
http://www.samag.com/documents/s=1169/sam0001f/0001f.htm

Hmm, in Solaris I don't know; I never did this. You might need a package
called ipf. See: http://false.net/ipfilter/1999_01/0035.html

Hope this helps a bit; please let me know how you solved your problem.
Michael

P.S: If you want real load balancing & have heaps of money have a look at
RAD Linkproof.

http://www.netfox.ch
NETFOX GmbH
Telekommunikation & Netzwerke

Michael Kunz
Network Consultant, CCIE
mailto:[email protected]
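
Michael's "if S=y then next hop Y, else X" rule, as an added example that is not part of the thread: a small Python simulation of destination-only routing versus source-based policy routing. The interface, gateway, LAN and roaming-client addresses are constructed documentation-range values standing in for the x and y links; they are not from the original messages.

```python
import ipaddress

# Constructed addresses (RFC 5737 ranges) standing in for the thread's x / y / l interfaces.
IF_X, GW_X = "192.0.2.10", "192.0.2.1"        # "x" interface and ISP x router (default route)
IF_Y, GW_Y = "198.51.100.10", "198.51.100.1"  # "y" interface (VPN endpoint) and ISP y router
LAN = "10.0.0.0/24"                            # network behind the "l" interface
ROAMING_USER = "203.0.113.77"                  # constructed SecuRemote client on the Internet

def lookup(table, dst):
    """Longest-prefix match over a list of (destination prefix, next hop): legacy routing."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def route(rules, tables, src, dst):
    """Policy routing: the first rule whose source selector matches chooses the table.
    A selector of None matches every packet and is the 'else' branch of Michael's rule."""
    src = ipaddress.ip_address(src)
    for selector, table_name in rules:
        if selector is None or src in ipaddress.ip_network(selector):
            hop = lookup(tables[table_name], dst)
            if hop is not None:
                return hop
    return None

MAIN = [(LAN, "l"), ("192.0.2.0/24", "x"), ("198.51.100.0/24", "y"), ("0.0.0.0/0", GW_X)]
# The VPN table keeps the LAN route: otherwise packets sourced from y towards the LAN
# would also be pushed out to ISP y, a classic pitfall when adding a second table.
VPN = [(LAN, "l"), ("0.0.0.0/0", GW_Y)]
TABLES = {"main": MAIN, "vpn": VPN}

LEGACY_RULES = [(None, "main")]                          # destination-only routing
POLICY_RULES = [(IF_Y + "/32", "vpn"), (None, "main")]   # if S=y then Y else X

def reply_path(rules):
    """Next hop for the firewall's reply (sourced from y) to a roaming VPN client."""
    return route(rules, TABLES, IF_Y, ROAMING_USER)

def lan_path(rules):
    """Next hop for ordinary LAN-to-Internet traffic, which must keep using ISP x."""
    return route(rules, TABLES, "10.0.0.25", ROAMING_USER)

if __name__ == "__main__":
    print("legacy, reply from y:", reply_path(LEGACY_RULES))   # GW_X: asymmetric return path
    print("policy, reply from y:", reply_path(POLICY_RULES))   # GW_Y: reply leaves via ISP y
    print("policy, LAN to Internet:", lan_path(POLICY_RULES))  # GW_X: unchanged
```

The legacy case reproduces the problem from the thread (the reply to a client that arrived via y leaves through the x default route); the source rule fixes it without knowing the clients' addresses.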



>From: Yannick Lo Guidice <[email protected]>
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] 2 internet links on 1 firewall
>Date: Tue, 6 Nov 2001 16:14:28 +0100
>
>Mmmm,
>
>the following scheme presents the situation:
>
>X Inet access (normal)-----------x(FW)y--------------Y Inet access (VPN)
>                            l
>                            |
>                            |
>                            |
>                           Lan
>
>So my FW has 3 interfaces: x, y & l.
>
>The source addresses are unknown, these are securemote roaming users on the
>Internet.
>The destination address is known, this is the y interface of the FW.
>The solution would have been to use source routing, but the source addresses
>are not known...
>
>Now you propose to add a static route saying that all traffic destined to y
>will be sent back to the y router. I don't know how to do that. Can you be
>more precise?
>
>
>--
>Yannick Lo Guidice
>email : [email protected]
>tel : 04 9211 5967
>fax : 04 9211 5959
>Security & FW Support
>IBM Global Services NDSC France
>
>
>
>
>From: Kim Longenbaugh <[email protected]>
>Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
>To: [email protected]
>Date: 11/06/2001 03:35 PM
>Subject: Re: [FW-1] 2 internet links on 1 firewall
>Please respond to Mailing list for discussion of Firewall-1
>
>How about adding a static route on your firewall pointing traffic destined
>for x to the x router?
>
> >>> [email protected] 11/06/01 03:17AM >>>
>Hi all,
>
>I'm new to the list so I hope the question I'll pose has not been posed
>hundred times... In that case, I'll be sorry for that.
>
>As of today I have a cluster of CP FW1 under Solaris 2.6 using CP HA. I've
>got an Internet link provided by ISP x (IP addressing x). My default route
>is the Internet x access.
>
>Tomorrow I'll get a new internet link furnished by ISP y (IP addressing y).
>I want to use the new link exclusively for VPN connections. While it is easy
>for LAN-to-LAN connections using static routing, it poses a problem for
>securemote users:
>the securemote users can connect to the FW using the new y IP addressing,
>but the backward route will be the default route of the FW (x Internet
>link).
>
>I'm looking for a solution to separate the different Internet streams
>(Internet access & VPN access) on the two links. Has any of you already
>handled this kind of situation?
>
>Many thanks for your support.
>
>--
>Yannick Lo Guidice
>email : [email protected]
>tel : 04 9211 5967
>fax : 04 9211 5959
>Security & FW Support
>IBM Global Services NDSC France
>
>===============================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>===============================================

