
Re: [FW-1] 2 internet links on 1 firewall



Correct me if I'm wrong here, but when the VPN tunnel comes out on the inside
of the firewall, does it now pick up an IP address from a pool on the firewall?
That IP is a local one that is assigned by the administrator to a pool.  Your
internal network only needs to know routes to this pool of IPs, just like any
other hosts or networks in your network.

When the return packets going to the SecuRemote client route back, they go to this
IP, which is the start of the VPN tunnel.  The outside interface of the
firewall then "knows" the route back to the source of the VPN services as part
of its natural (default / gateway of last resort) routing.  When it is back
at the SecuRemote machine, it is unencrypted by the SecuRemote client.

The internal network is going to see this SecuRemote user (who can be any
place in cyberspace) as being on the network where the firewall interface is.
That is the only routing your internal network needs to know about.

Does this make any sense?



Martin Crabtree
Firewall Administrator
Network Services
(W)(C)------------------( Forwarded letter 1 follows )--------------------
Date:         Wed, 7 Nov 2001 07:30:11 -0800
To: [email protected]
From: Michael.Kunz[michaelkunz]@HOTMAIL.COM.inet
Sender: [email protected]
Reply-To: [email protected]
Subject: Re: [FW-1] 2 internet links on 1 firewall

Hi Yannick

I think that's because you cannot distinguish your traffic on the
destination address (legacy routing, as all goes towards the Internet); you might
consider using the source address. Therefore you need routing for the
following rules:

+ If S=y then Default_route_next_hop=Y
else Default_route_next_hop=X

This is called POLICY ROUTING.

In Linux that's no problem. See:
http://www.samag.com/documents/s=1169/sam0001f/0001f.htm

Hmm, in Solaris I don't know; I never did this. You might need a package
called ipf. See: http://false.net/ipfilter/1999_01/0035.html

Hope this helps a bit; please let me know how you solved your problem.
Michael

P.S: If you want real load balancing & have heaps of money have a look at
RAD Linkproof.

****************************http://www.netfox.ch
NETFOX GmbH
Telekommunikation & Netzwerke

Michael Kunz
Network Consultant,CCIE
mailto:[email protected]  *****************



>From: Yannick Lo Guidice <[email protected]>
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] 2 internet links on 1 firewall
>Date: Tue, 6 Nov 2001 16:14:28 +0100
>
>Mmmm,
>
>the following scheme presents the situation :
>
>X Inet access (normal)-----------x(FW)y--------------Y Inet access (VPN)
>                            l
>                            |
>                            |
>                            |
>                           Lan
>
>So my FW has 3 interfaces : x, y & l.
>
>The source addresses are unknown; these are SecuRemote roaming users on the
>Internet.
>The destination address is known; this is the y interface of the FW.
>The solution would have been to use source routing, but the source addresses
>are not known...
>
>Now you propose to add a static route saying that all traffic destined to y
>will be sent back to the y router. I don't know how to make that. Can you be
>more precise?
>
>
>--
>Yannick Lo Guidice
>email : [email protected]
>tel : 04 9211 5967
>fax : 04 9211 5959
>Security & FW Support
>IBM Global Services NDSC France
>
>
>
>
>From: Kim Longenbaugh <[email protected]>
>Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] 2 internet links on 1 firewall
>Date: 11/06/2001 03:35 PM
>Please respond to Mailing list for discussion of Firewall-1
>
>How about adding a static route on your firewall pointing traffic destined
>for x to the x router?
>
> >>> [email protected] 11/06/01 03:17AM >>>
>Hi all,
>
>I'm new to the list so I hope the question I'll pose has not been posed
>hundred times... In that case, I'll be sorry for that.
>
>As of today I have a cluster of CP FW1 under Solaris 2.6 using CP HA. I've
>got an Internet link provided by ISP x (IP addressing x). My default route
>is the Internet x access.
>
>Tomorrow I'll get a new Internet link furnished by ISP y (IP addressing y).
>I want to use the new link exclusively for VPN connections. As it is easy
>for LAN-to-LAN connections using static routing, it poses a problem for
>SecuRemote users:
>the SecuRemote users can connect to the FW using the new y IP addressing,
>but the backward route will be the default route of the FW (x Internet
>link).
>
>I'm looking for a solution to separate the different Internet streams
>(Internet access & VPN access) on the two links. Have any of you already
>handled this kind of situation?
>
>Many thanks for your support.
>
>--
>Yannick Lo Guidice
>email : [email protected]
>tel : 04 9211 5967
>fax : 04 9211 5959
>Security & FW Support
>IBM Global Services NDSC France
>
>===============================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>===============================================


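As an added example, not written by any of the posters above and not Check Point's or the list's code: the source-based policy routing Michael describes ("if S=y then next hop is Y, else the existing default") written out for a Linux firewall with iproute2. It does not apply to the Solaris 2.6 cluster in Yannick's question; it only shows what the rule looks like on the platform Michael calls "no problem". Interface names, addresses and the table number are constructed placeholders. The script prints the commands for review and executes them only when run with APPLY=1 as root.

```shell
#!/bin/sh
# Policy routing for a firewall with two uplinks (added example, constructed values):
#   eth0 / ISP x: 198.51.100.10, gateway 198.51.100.1  -> stays the main default route
#   eth2 / ISP y: 203.0.113.10,  gateway 203.0.113.1   -> the VPN link
# Replies to packets that arrived on the VPN link carry source address 203.0.113.10,
# so a rule keyed on that source sends them back out via ISP y's router, whatever the
# (unknown, roaming) destination is. Everything else still uses the main table.
VPN_IF=eth2
VPN_ADDR=203.0.113.10
VPN_GW=203.0.113.1
VPN_TABLE=100   # secondary routing table; must not collide with tables already in use

# Emit the iproute2 commands for the "from Y -> next hop Y" rule. Nothing is executed here.
policy_routing_cmds() {
    vpn_if=$1
    vpn_addr=$2
    vpn_gw=$3
    table=$4
    # 1. A default route that lives only in the secondary table.
    printf 'ip route add default via %s dev %s table %s\n' "$vpn_gw" "$vpn_if" "$table"
    # 2. Consult that table only for packets whose source is the VPN-link address.
    printf 'ip rule add from %s lookup %s priority 100\n' "$vpn_addr" "$table"
    # 3. Drop cached lookups so existing flows pick up the new rule.
    printf 'ip route flush cache\n'
}

# Emit a check that asks the kernel which route a reply from the VPN address would take.
# 192.0.2.1 stands in for an arbitrary roaming client (documentation address, constructed).
verify_cmd() {
    vpn_if=$1
    vpn_addr=$2
    printf 'ip route get 192.0.2.1 from %s iif %s\n' "$vpn_addr" "$vpn_if"
}

if [ "${APPLY:-0}" = 1 ]; then
    # Apply for real (needs root); stop at the first failing command.
    policy_routing_cmds "$VPN_IF" "$VPN_ADDR" "$VPN_GW" "$VPN_TABLE" | sh -e
    sh -c "$(verify_cmd "$VPN_IF" "$VPN_ADDR")"
else
    echo "# dry run; set APPLY=1 to execute:"
    policy_routing_cmds "$VPN_IF" "$VPN_ADDR" "$VPN_GW" "$VPN_TABLE"
    verify_cmd "$VPN_IF" "$VPN_ADDR"
fi
```

The rule matches on the firewall's own source address, not on the client's, which is why it works for roaming SecuRemote users whose addresses are not known in advance. The `ip route get ... from ... iif ...` line should report a route via the VPN gateway on the VPN interface; if it shows the ISP x gateway, the rule or the secondary table was not installed.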



 