[FW-1] VPN in front of NATed subnets to VPN in front of other NATed subnets
Hello,

I did not search a lot on this, but before starting to search and work on it, I want to know if it is possible. I don't want to lose my time on an impossible task...

I want to use many IKE VPNs with a preshared secret using 3DES encryption between a main site and many remote sites. Some networks are relatively complex.

The networks are like:

One main site, call it Site-A, with many 172.16.0 to 172.31.255 /16 to /30 subnets on four interfaces of a VPN-1 firewall with a valid IP address on the external interface of it.

Many remote sites, call them Site-B to Site-Z, with a mix of 192.168.0.0, 10.0.0.0 and/or 172.16.0.0 to 172.31.255.0 /16 to /30 subnets on one to three interfaces of a VPN-1 firewall with a valid IP address on the external interface.

I want to have one VPN per remote site with Site-A.

I want to hide all those remote sites with a mix of hide and static NAT behind 10.1.1.0 /24 for Site-A, 10.1.2.0 /24 for Site-B and so on.

I want to hide Site-A with a mix of hide and static NAT behind a valid class C IP network.

It is possible we have the same unNATed IP address in more than one site.

It is possible that some remotes use 10.1.?.0 (the range used for NAT) in their unNATed IP addresses.

I want to have rules on all FW based on NATed addresses to control the allowed encrypted traffic between the main and remote sites, and naturally I want to reject all unencrypted traffic.

If I need to, I can hide remote sites behind a range of private addresses other than 10.1.?.0 /24 if those are used in the particular remote site, but I would really prefer to be able to use 10.1.?.0 /24 if possible. That's not a problem for the addresses used for NAT at the main site since we will hide it behind public IP addresses.

My question: Is it possible to do it with those VPN-1 in place, assuming I have all the required licences?

If it's YES I will start to work on it, but if it's NO I have to return to the drawing table...

Thanks for the info.
------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17
Email: [email protected]
Systems Manager
Sogi Informatique Ltee.
------------------------------------------------------------
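The message above allows the same un-NATed addresses at several sites and a remote site whose own subnets fall inside its 10.1.?.0 /24 NAT range. The following is an added example, not part of the original message: a Python check of an address plan for those cases, where the subnets are constructed sample values and the function names are hypothetical.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed address plan (site names follow the post; subnets are sample values).
PLAN = {
    "Site-B": {"real": ["192.168.1.0/24", "10.1.2.128/25"], "nat": "10.1.2.0/24"},
    "Site-C": {"real": ["192.168.1.0/24", "172.16.8.0/22"], "nat": "10.1.3.0/24"},
    "Site-D": {"real": ["10.0.0.0/16", "172.16.10.0/24"], "nat": "10.1.4.0/24"},
}

def parse(plan):
    """Turn the string plan into ip_network objects (strict: rejects host bits)."""
    return {s: {"real": [ip_network(n) for n in v["real"]], "nat": ip_network(v["nat"])}
            for s, v in plan.items()}

def nat_conflicts(plan):
    """Cases that break rules written on NATed addresses."""
    sites, out = parse(plan), []
    for name, s in sites.items():
        # A site whose own un-NATed subnet overlaps the range it is hidden behind.
        out += [("real-in-own-nat", name, str(r), str(s["nat"]))
                for r in s["real"] if r.overlaps(s["nat"])]
    for (a, sa), (b, sb) in combinations(sites.items(), 2):
        # Two sites hidden behind overlapping ranges cannot be told apart by rule.
        if sa["nat"].overlaps(sb["nat"]):
            out.append(("nat-pool-overlap", a, b, str(sa["nat"])))
    return out

def shared_real(plan):
    """Un-NATed subnets that overlap between sites (the reason NAT is needed)."""
    sites = parse(plan)
    return [(a, str(ra), b, str(rb))
            for (a, sa), (b, sb) in combinations(sites.items(), 2)
            for ra in sa["real"] for rb in sb["real"] if ra.overlaps(rb)]

if __name__ == "__main__":
    for c in nat_conflicts(PLAN):
        print("CONFLICT", c)
    for s in shared_real(PLAN):
        print("shared, must stay hidden behind NAT", s)
```

Entries from `nat_conflicts` are the sites that would need a NAT range other than their planned 10.1.?.0 /24; entries from `shared_real` are expected and only show which sites rely on NAT to stay distinguishable.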