
[FW-1] VPN in front of NATed subnets to VPN in front of other NATed subnets



Hello,

I did not search a lot on this, but before starting to search
and work on it, I want to know if it is possible. I don't want
to lose my time on an impossible task...

I want to use many IKE VPNs with preshared secret using 3DES encryption
between a main site and many remote sites. Some networks are relatively
complex.

The networks are like:

   One main site, call it Site-A with many 172.16.0 to 172.31.255 /16 to /30
   subnets on four interfaces of a VPN-1 firewall with a valid IP address on
   the external interface of it.

   Many remote sites, call them Site-B to Site-Z with a mix of 192.168.0.0,
   10.0.0.0 and/or 172.16.0.0 to 172.31.255.0 /16 to /30 subnets on one to
   three interfaces of a VPN-1 firewall with a valid IP address on the external
   interface.

   I want to have one VPN per remote site with Site-A. I want to hide all those
   remote sites with a mix of hide and static NAT behind 10.1.1.0 /24 for
   Site-A, 10.1.2.0 /24 for site B and so on. I want to hide site-A with a
   mix of hide and static NAT behind a valid class C IP network.

   It is possible we have the same unNATed IP address in more than one site.
   It is possible that some remotes use 10.1.?.0 (the range used for NAT)
   in their unNATed IP address.

   I want to have rules on all FW based on NATed address to control
   the allowed encrypted traffic between the main and remote sites,
   and naturally I want to reject all unencrypted traffic.

   If I need to, I can hide remote sites behind a range of private addresses other
   than 10.1.?.0 /24 if those are used in the particular remote site, but I
   would really prefer to be able to use 10.1.?.0 /24 if possible. That's not
   a problem for the address used for NAT at the main site since we will hide
   it behind public IP addresses.

My question:

   Is it possible to do it with those VPN-1 in place, assuming I have
   all the required licences? If it's YES I will start to work on it
   but if it's NO I have to return to the drawing table...

Thanks for the info.



------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
Systems Manager                         Tel:
Sogi Informatique Ltee.                 Fax:
------------------------------------------------------------
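
An added example, not part of the original post: an address-plan check for the two situations the message raises, a remote site that already uses its own 10.1.?.0 /24 NAT range and the same unNATed subnet existing at more than one site. The site inventory, the per-site NAT range mapping and the function names are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (not from the post): real, un-NATed subnets per site.
SITES = {
    "Site-B": ["192.168.1.0/24", "10.1.2.0/26"],
    "Site-C": ["172.16.4.0/22", "192.168.1.0/24"],
    "Site-D": ["10.20.0.0/16"],
}
# NAT ranges following the post's 10.1.?.0/24 scheme; the per-site mapping is assumed.
NAT_RANGES = {"Site-B": "10.1.2.0/24", "Site-C": "10.1.3.0/24", "Site-D": "10.1.4.0/24"}

def audit(sites, nat_ranges):
    """Return (kind, where, subnet, conflicts_with) tuples for the address plan."""
    real = {s: [ipaddress.ip_network(n) for n in nets] for s, nets in sites.items()}
    findings = []
    # Case 1: a site already uses part of the range chosen to hide it.
    for site, nets in real.items():
        nat = ipaddress.ip_network(nat_ranges[site])
        for net in nets:
            if net.overlaps(nat):
                findings.append(("nat-range-in-use", site, str(net), str(nat)))
    # Case 2: the same un-NATed addresses exist at more than one site, so only
    # the NATed addresses identify a host uniquely.
    for a, b in combinations(sorted(real), 2):
        for na in real[a]:
            for nb in real[b]:
                if na.overlaps(nb):
                    findings.append(("duplicate-real", f"{a}/{b}", str(na), str(nb)))
    return findings

def nat_ranges_disjoint(nat_ranges):
    """True when no two sites were assigned overlapping NAT ranges."""
    nets = [ipaddress.ip_network(n) for n in nat_ranges.values()]
    return not any(x.overlaps(y) for x, y in combinations(nets, 2))

if __name__ == "__main__":
    for finding in audit(SITES, NAT_RANGES):
        print(*finding)
    print("NAT ranges disjoint:", nat_ranges_disjoint(NAT_RANGES))
```

A "nat-range-in-use" finding marks a site where a different private range would have to be chosen for hiding, as the message anticipates.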




 
   All contents © 2004 Network Presence, LLC. All rights reserved.