[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW-1] Site to Site VPN Question
I'm looking at a one way VPN with all traffic being generated from me. So in my current setup I have all my internal networks Hide NAT to an IP(public)that is different than checkpoint external nic's ip. This IP(NAT) would than be considered my encryption domain with my vendor instead of my internal network ip scheme being used(the one in conflict with another client of the vendors)????? On my fw in the global properties for NAT I have checked: Automatic rules intersection Automatic ARP configuration Not checked: Perform destination translation on the client side So would I have to still add manual NAT rules since the automatic option is chosen???? Example of my IP's My external interface FW: 206.289.2.20 Hide NAT for internal network: 206.289.2.25 My internal network: 172.16.x.x (Vendor has another client configured for this encryption domain) Vendor's IP's Network I will be connecting to: 197.188.64.x FW external IP: 165.69.54.88 Thanks for the help Kevin -----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Russell Washington Sent: Monday, April 29, 2002 10:37 AM To: [email protected] Subject: Re: [FW-1] Site to Site VPN Question You shouldn't have to renumber your network or anything that drastic. I have a client who has this situation occur frequently; in such cases, we use NAT rules on the Checkpoint to translate our internal addresses to something else when talking to the hosts on the other side. You should be able to set up something similar. Basically, in the addressing policy, we're talking about a rule that looks something like the following if the access you need is strictly him --> you: Rule 1: Original Packet: His IP or net (src) --> Fake host IP for your internal box that doesn't conflict w/his net (dest) --> Any (svc) Translated Packet: Original (src) --> Actual IP of your internal host (dest) --> Any (svc) Rule 2: Original Packet: Actual IP of your internal host (src) --> His IP or net (dest) --> Any (svc) Translated Packet: Fake host IP for your internal box that doesn't conflict w/his net --> Original (dest) --> Any (svc) You should have one pair of NAT rules for any internal host that your vendor needs to touch. Hope this helps. -----Original Message----- From: Kevin Buckley [mailto:[email protected]] Sent: Sunday, April 28, 2002 8:04 AM To: [email protected] Subject: [FW-1] Site to Site VPN Question I need to set up a VPN site to site with a vendor. I gave the vendor my encryption domain and he said he already had that IP scheme used by a different client. I setup a test network with an IP scheme he didn't have being used by anyone else and we can get everything to work great. The problem is I need to be able to set it up using the IP scheme used through out or company. Any ideas????? I am running checkpoint NG FP1 I have all my internal networks configured for hide NAT behind an IP different than the external IP of the firewall. ================================================= To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] ================================================= ================================================= To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
|