Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Site to Site VPN Question

To: [email protected]
Subject: Re: [FW-1] Site to Site VPN Question
From: Russell Washington <[email protected]>
Date: Mon, 29 Apr 2002 07:37:14 -0700
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

You shouldn't have to renumber your network or anything that drastic.  I
have a client who has this situation occur frequently; in such cases, we use
NAT rules on the Checkpoint to translate our internal addresses to something
else when talking to the hosts on the other side.  You should be able to set
up something similar.

Basically, in the addressing policy, we're talking about a rule that looks
something like the following if the access you need is strictly him --> you:

Rule 1:

Original Packet:
His IP or net (src) --> Fake host IP for your internal box that doesn't
conflict w/his net (dest) --> Any (svc)

Translated Packet:
Original (src) --> Actual IP of your internal host (dest) --> Any (svc)

Rule 2:
Original Packet:
Actual IP of your internal host (src) -->  His IP or net (dest) --> Any
(svc)

Translated Packet:
Fake host IP for your internal box that doesn't conflict w/his net -->
Original (dest) --> Any (svc)

You should have one pair of NAT rules for any internal host that your vendor
needs to touch.

Hope this helps.

 -----Original Message-----
From: Kevin Buckley [mailto:[email protected]]
Sent: Sunday, April 28, 2002 8:04 AM
To: [email protected]
Subject: [FW-1] Site to Site VPN Question


I need to set up a VPN site to site with a vendor. I gave the vendor my
encryption domain and he said he already had that IP scheme used by a
different client.

I setup a test network with an IP scheme he didn't have being used by anyone
else and we can get everything to work great.  The problem is I need to be
able to set it up using the IP scheme used through out or company. Any
ideas?????

I am running checkpoint NG FP1
I have all my internal networks configured for hide NAT behind an IP
different than the external IP of the firewall.

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Follow-Ups:
- Re: [FW-1] Site to Site VPN Question
  - From: Kevin Buckley <[email protected]>

Prev by Date: Re: [FW-1] add_ca_cert_hash: failed corrupt internal_ca object
Next by Date: Re: [FW-1] add_ca_cert_hash: failed corrupt internal_ca object
Previous by thread: Re: [FW-1] Site to Site VPN Question
Next by thread: Re: [FW-1] Site to Site VPN Question
Index(es):
- Date
- Thread