
Re: [FW-1] internal network/NAT (eventually VPN)



I'll have to do more research, then. I assumed that once I got the
clients/hosts "talking" all I'd need to do for VPN/Encryption was click
'encrypt' on the Action Rule button on the rulebase.

I have an appliance FW coming so I can create a VPN between my home cable
modem system & my work environment, so I can get up to speed on this. With
this, I should be able to simulate my active work situation.

Thanks,
Vic

>Todd is quite correct.  Any server that you want your people to be able to
>access from the Internet (which is effectively what you are doing without a
>VPN) must have a static IP address.  The client on the other end behind the
>firewall will work from behind a hide NAT'd ip address but any host you want
>available as a server on either end MUST have a static NAT.
>
>With a VPN this would not be the case as the VPN forms a virtual and
>routable network segment between the two networks, effectively acting as a
>subnet joining the two networks together.
>
>Also, allowing inbound access to your LAN without a VPN is a very bad idea
>from a security point of view, so I suggest you push forward your "eventual"
>VPN if you want to do this.
>
>Damo
>
>
>
> > This doesn't make sense. I can't be the only one on the planet with this
> > problem:
> > Example: I have 100 employees with PC's in New York. I have 5 servers also
> > at that location. There are dedicated links to multiple sites (router
> > connected) for each of those NY locations:
> > Site NY-A: 15.15.x.x mask 255.255.0.0, has FW'd access to 'net.
> > Site NY-B: 15.20.x.x mask 255.255.0.0
> > Site NY-C: 15.30.x.x mask 255.255.0.0
> > Site NY-D: 15.40.x.x mask 255.255.0.0
> >
> > Site LA-A: 15.5.x.x mask 255.255.0.0 has FW'd access to 'net.
> >
> > I have 100 employees with PC's in Los Angeles. 5 servers there, too.
> > I need all 200 employees to access the other location's servers
> > (eventually with VPN) across the internet, firewall protected.
> > From #2 below, each "host" (employee PC?) would need a static NAT'd
> > one-for-one external IP address?
> > I think I can handle the routing issues (I think...) but this whole
> > "hide"/NAT thing is very confusing.
> >
> > Thanks,
> > Vic
> > -----------
> > >1. If you want your hosts behind the firewall to be accessible via the
> > >internet, you cannot use hide nat.  There are three options for having your
> > >hosts accessible via the net: static nat, no NAT at all (which I don't
> > >think is what you want), or PAT.
> > >
> > >2. Every host that you want accessible via the internet needs to have a
> > >publicly routable ip address associated (ie statically nat'ed) with it -
> > >in your case a 12.x.x.x address makes the most sense - again this
> > >association is one to one.
> > >
> > >3. The firewall will nat the 12.x address to the appropriate 15.x address
> > >and routing can take care of the rest.  However, since the 15.x network is
> > >not directly connected to the firewall, the firewall needs to know how to
> > >get there, so a static route is needed on the firewall pointing the 15.x to
> > >the 10.x router between the 10.x and 15.x networks.
> > >
> > >4. The default route on hosts on the 15.x network should be the 15.x
> > >router.  That router then needs to know what to do with packets destined
> > >for the internet, so should therefore point to the firewall.
> > >
> > >If I understand your situation correctly, the above should get you there.
> > >
> > >Also, if anyone cares to correct the above, have at it.
> > >
> > >todd
> > >
> > >
> > >----- Original Message -----
> > >From: Vic G
> > >Sent: Wednesday, October 30, 2002 3:42 PM
> > >To: [email protected]
> > >Subject: Re: [FW-1] internal network/NAT (eventually VPN)
> > >
> > >More info:
> > >1. FW NG SP1 is running on Win2k.
> > >
> > >2. I added a route statement at FW to route all 15.x traffic to 10.x.x.x
> > >router. Do I really need to do that? (when the NAT unwraps, does it unwrap
> > >as 10.x.x.x or 15.x.x.x)?
> > >
> > >3. I found that I can add a new "network" of 15.0.0.0 and NAT that to "hide"
> > >behind real external IP address of (12.x.x.x). Is this on the right path to
> > >getting my "very internal" hosts to be accessible via the 'net?
> > >Currently my "internalnet" as defined in FW-1 is only 10.x.x.x since that's
> > >all that is there (my DMZ servers).
> > >
> > >4. After all this, I set a client PC on the 15.x network, and added route
> > >statements to send traffic destined to 10.x network to the 15.x router. The
> > >default gateway on this PC is my FW, 10.10.10.1
> > >This does NOT work. I can ping my DMZ hosts on the 10.x (so I know packets
> > >are getting to the 10 side) but there is no log info on the FW when I ping
> > >it, try to use nslookup, or browse the 'net from this PC.
> > >
> > >Any ideas?
> > >Vic
> > >
> > > >
> > > >arp your router on an External ip on the firewall (don't forget to route
> > > >to it)
> > > >accept with a rule the traffic you are interested in.
> > > >
> > > >Pete
> > > >
> > > >
> > > >-----Original Message-----
> > > >From: Vic G [mailto:[email protected]]
> > > >Sent: Wednesday, October 30, 2002 10:56 AM
> > > >To: [email protected]
> > > >Subject: [FW-1] internal network/NAT (eventually VPN)
> > > >
> > > >
> > > >I'm attempting to set this up, here is my config (be kind..)
> > > >
> > > >Very int              IntDMZ        FW       External
> > > >15.x.x.x    Router  10.10.10.x     10-12     12.x.x.x
> > > >
> > > >
> > > >There is a router between "very internal", (which also has other routers
> > > >to more internal nets...)
> > > >I need a client on the outside(internet) to be able to get to a very
> > > >internal host station (eventually VPN to a similar setup on other side).
> > > >I have on my INT DMZ some hosts (Static Nat'd to the external address) and
> > > >that works OK. The Router is static NAT'd as a workstation, with NAT
> > > >enabled. (one IP is 10.x.x.x, other is 15.x.x.x) I've tried HIDE and STATIC
> > > >(not sure what it should be...)
> > > >The Internet router has static route statements to force the external
> > > >address to the FW. How does someone on the Internet address (what could be)
> > > >many internal addresses on the inside networks?
> > > >
> > > >All the examples I see are only 1 level deep (ie the 10.x.x.x is
> > > >hide/natted to the outside). I need to get 1 more level in.
> > > >
> > > >What am I missing here?
> > > >Vic
> > > >
> > > >_________________________________________________________________
> > > >Unlimited Internet access -- and 2 months free!  Try MSN.
> > > >http://resourcecenter.msn.com/access/plans/2monthsfree.asp
> > > >
> > > >=================================================
> > > >To set vacation, Out Of Office, or away messages,
> > > >send an email to [email protected]
> > > >in the BODY of the email add:
> > > >set fw-1-mailinglist nomail
> > > >=================================================
> > > >To unsubscribe from this mailing list,
> > > >please see the instructions at
> > > >http://www.checkpoint.com/services/mailing.html
> > > >=================================================
> > > >If you have any questions on how to change your
> > > >subscription options, email
> > > >[email protected]
> > > >=================================================
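An added illustration of the points Todd and Damo make in the thread above; this is not code from the list, from the posters, or from Check Point, and every address in it (the 12.0.0.x public range, the 10.10.10.2 router, the 15.x hosts) is a constructed sample value. It is a small Python model of the firewall's NAT and routing decisions: an unsolicited inbound packet to a hide-NAT address matches nothing and is dropped; a one-to-one static entry makes a 15.x host reachable only once the firewall also has a route to 15.x through the 10.x router; and hide NAT still serves client-initiated traffic because the firewall remembers the outbound flow. Real FW-1 hide NAT also rewrites source ports; the model keeps the port unchanged for simplicity.

```python
"""Toy model of the topology discussed in the thread:

    Internet -- FW (external 12.x) -- IntDMZ 10.10.10.x -- router 10.10.10.2 -- 15.x "very internal"

Addresses below are constructed sample values, not the poster's real ones.
"""
import ipaddress
from typing import Dict, Optional, Tuple

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


class RouteTable:
    """Longest-prefix-match routing table, as the firewall would consult it."""

    def __init__(self) -> None:
        self.routes: Dict[Net, str] = {}

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst: Addr) -> Optional[Tuple[Net, str]]:
        best = None
        for net, next_hop in self.routes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best


class Nat:
    """Static (one-to-one) NAT plus hide (many-to-one, stateful) NAT."""

    def __init__(self) -> None:
        self.static: Dict[Addr, Addr] = {}      # public -> private, one-to-one
        self.hide: Dict[Net, Addr] = {}         # private network -> shared public
        # flows created by outbound hide-NAT traffic: (public, port) -> (private, port)
        self.sessions: Dict[Tuple[Addr, int], Tuple[Addr, int]] = {}

    def add_static(self, public: str, private: str) -> None:
        self.static[ipaddress.ip_address(public)] = ipaddress.ip_address(private)

    def add_hide(self, private_net: str, public: str) -> None:
        self.hide[ipaddress.ip_network(private_net)] = ipaddress.ip_address(public)

    def outbound(self, src: str, sport: int) -> Addr:
        """Translate the source of an outbound packet."""
        src_ip = ipaddress.ip_address(src)
        for public, private in self.static.items():
            if private == src_ip:
                return public
        for net, public in self.hide.items():
            if src_ip in net:
                # Hide NAT only works because the firewall remembers this flow
                # (simplification: real FW-1 also rewrites the source port).
                self.sessions[(public, sport)] = (src_ip, sport)
                return public
        return src_ip                            # no NAT rule matches

    def inbound(self, dst: str, dport: int) -> Optional[Addr]:
        """Translate the destination of an inbound packet, or None if nothing matches."""
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip in self.static:
            return self.static[dst_ip]
        flow = self.sessions.get((dst_ip, dport))
        return flow[0] if flow else None


def deliver_inbound(nat: Nat, routes: RouteTable, dst: str, dport: int) -> Tuple[str, ...]:
    """What the firewall does with a packet arriving from the Internet."""
    private = nat.inbound(dst, dport)
    if private is None:
        return ("drop", "no static NAT entry and no existing session")
    route = routes.lookup(private)
    if route is None or route[0].prefixlen == 0:
        # Only the default route matches: the firewall would send it back out.
        return ("drop", "no route to %s on the firewall" % private)
    return ("forward", str(private), route[1])


def demo() -> Dict[str, object]:
    routes = RouteTable()
    routes.add("10.10.10.0/24", "direct")       # IntDMZ leg
    routes.add("12.0.0.0/8", "direct")          # external leg (sample)
    routes.add("0.0.0.0/0", "12.0.0.254")       # Internet router (sample)
    nat = Nat()
    results: Dict[str, object] = {}

    # 1. The whole 15.x net hidden behind one public address: nothing matches
    #    an unsolicited inbound packet, exactly as Todd's point 1 says.
    nat.add_hide("15.0.0.0/8", "12.0.0.10")
    results["hide_unsolicited"] = deliver_inbound(nat, routes, "12.0.0.10", 80)

    # 2. A one-to-one static entry for a 15.x host (point 2) is not enough on
    #    its own: the firewall has no route to 15.x (point 3).
    nat.add_static("12.0.0.20", "15.15.1.10")
    results["static_no_route"] = deliver_inbound(nat, routes, "12.0.0.20", 80)

    # 3. Add the static route to the 10.x router and the packet is forwarded.
    routes.add("15.0.0.0/8", "10.10.10.2")
    results["static_with_route"] = deliver_inbound(nat, routes, "12.0.0.20", 80)

    # 4. Hide NAT still serves client-initiated traffic: the outbound flow
    #    creates state, so the reply is delivered to the hidden host.
    results["hide_outbound_public"] = str(nat.outbound("15.30.2.5", 40000))
    results["hide_reply"] = deliver_inbound(nat, routes, "12.0.0.10", 40000)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20} {outcome}")
```

Running the script prints the four outcomes in order; the second one is the situation Vic describes in his "More info" message, where the NAT entry exists but nothing reaches the 15.x side until the firewall has a route pointing 15.x at the 10.x router.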