
Re: [FW-1] Cisco IP-in-IP tunnel via FW-1 IKE site-2-site VPN?



Steve,

I run Cisco GRE tunnels between my Cisco routers
across Checkpoint VPN, works fine.  Most of my sites
have both Internet and WAN connections, so I use the
tunnels for failover when the WAN goes down.
Checkpoint just sees the traffic as IP protocol 47
traffic between the sites and doesn't look at the
actual destination of the packets running through the
tunnel, so you don't have to set up objects for all
your other sites.

The upside is that this works and you can run routing
protocols like EIGRP between your sites, and non-IP
protocols like IPX, etc.  The downside is that any
site to site security rules you have set up on your
firewalls get totally bypassed.

HTH,
Pete Goodridge
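The rule bypass Pete describes, as an added example that is not from this thread: a toy firewall that matches only the outer header sees a GRE packet (IP protocol 47) between the two tunnel endpoints and accepts it, while the inner packet it carries would have been dropped by the site-to-site rule. Addresses, the rule set and the packet builder are all constructed here; the code models the issue and is not Check Point's or Cisco's behaviour.

```python
"""Added example (not from the thread): a policy keyed on the outer IP header
cannot enforce site-to-site rules on GRE-encapsulated traffic; looking inside
the tunnel (IP protocol 47) restores the check. Everything below is constructed."""
import struct
from ipaddress import ip_address, ip_network

GRE = 47  # IP protocol number carried in the outer header

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left 0; not needed for this model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip_address(src).packed, ip_address(dst).packed)

def gre_encapsulate(outer_src, outer_dst, inner):
    """Wrap an inner IPv4 packet in GRE (flags/version 0, protocol type 0x0800)."""
    gre = struct.pack("!HH", 0, 0x0800)
    return ipv4_header(outer_src, outer_dst, GRE, len(gre) + len(inner)) + gre + inner

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return ip_address(pkt[12:16]), ip_address(pkt[16:20]), pkt[9], pkt[ihl:]

# Constructed site-to-site policy: (src_net, dst_net, action); first match wins.
POLICY = [
    ("10.1.0.0/16", "10.2.0.0/16", "drop"),   # site A LAN may not reach site B LAN
    ("0.0.0.0/0", "0.0.0.0/0", "accept"),
]

def decide(src, dst):
    for s, d, action in POLICY:
        if src in ip_network(s) and dst in ip_network(d):
            return action
    return "drop"

def evaluate(pkt, inspect_tunnel):
    """Apply POLICY to the outer header, or to the inner packet when asked to."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto == GRE and inspect_tunnel:
        # Skip the 4-byte base GRE header and judge the encapsulated packet instead
        inner_src, inner_dst, _, _ = parse_ipv4(payload[4:])
        return decide(inner_src, inner_dst)
    return decide(src, dst)

# Constructed packets: tunnel routers 192.0.2.1 and 198.51.100.1 carry an A->B flow
INNER = ipv4_header("10.1.5.5", "10.2.7.7", 6, 0)
TUNNELED = gre_encapsulate("192.0.2.1", "198.51.100.1", INNER)
```

With `inspect_tunnel=False` the tunneled packet is accepted although the same flow sent in the clear is dropped; with `inspect_tunnel=True` the inner addresses are checked and the rule holds.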

--- Steve Loughran <[email protected]> wrote:
> Hi all
>
> It's been a while since I have posted here, but I have a question that I
> would like to ask, so I can get a response before I go too far down this
> particular road.
>
> Platform: Solaris FW-1 3DES v4.1 + updates
>
> I look after a small cluster of subnets that are part of a larger (and very
> disjointed) WAN. I have three FW-1 units, one at each site. One of the sites
> (site-A) has a local area connection to an Internal WAN that in turn
> connects to the rest of the larger WAN; the other two sites (site-B and
> site-C) are standalone sites. Trying to set up VPN encryption domains on the
> site-A firewall to tell the other two firewalls that they should send
> traffic through it for the larger WAN is nearly impossible (mostly due to
> the fact that you can't use network ranges in encryption domains... bah!).
>
> To manually create network objects for all the other WAN subnets would be
> vastly time consuming, and a nightmare to configure and administer, so I
> was wondering if I could just do the three site VPN encryption stuff, and
> run some Cisco Tunnelling at each site for the other subnets that are not
> under my control.
>
> So, my question is this: Are there any inherent problems running Cisco
> Tunnels for IP only traffic via a FW-1 IKE VPN tunnel?
>
> As always, your thoughts, feedback and help are greatly appreciated.
>
> --
>
> Steve
>
> -------------------------------------------------
> Steve Loughran, Network Infrastructure Manager
> Sony Computer Entertainment Europe (Cambridge)
> Yamaha YZF1000R Thunderace
> ICQ#: 12666311 (Work), 104426046 (Laptop)
> Team Waste - Where do you want to go wrong today?
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================



