
[FW-1] FP3 to FP3 VPN



Installing VPN between 2 FP3 systems.
Setting up the VPN on box 1 - FW1.
I have its checkpoint host created, and VPN domain behind the FW.
On the same fw (FW1) I want to create the other Checkpoint FW (FW2).
There seem to be 3 ways to create this host:
Using CHECKPOINT - NEW - GATEWAY, or CHECKPOINT - NEW - HOST.

If I create Gateway, the FW2 shows up in what I call my "local" gateways, and
when I load the FW1 rules, I can load to both Gateways (I am not
remote managing FW2). This does not look right.
Is this where I really want to create the local item of the remote
gateway?

If I pick Checkpoint Host, I cannot define an internal domain, therefore cannot
set up the internal VPN on the remote site (FW2). I can only set up the
external topology, and it won't let me create the internal topology (of the
far end) as it's all greyed out.

If I pick the 3rd option "Interoperable Devices" and set up the remote
Checkpoint FW2, I can set the internal VPN settings via topology
settings. This is what I ended up doing, but again this doesn't look right.
I would suspect this is used to connect Checkpoint to maybe a 3rd party
hardware firewall, for example...

My setup looks like this:
15.x > 10.x > FW1 -> 12.x ->NET<-66.x <FW2 <-192.168.1.100

15.x is internal target vpn network
10.x is protected side of FW1 (internal)
12.x is external (to internet) side of FW1
66.x is external side of FW2
192.168.1.1 is internal IP of FW2
192.168.1.100 is a host PC that is hide NAT'ed so it gets to the internet.

FWs do exchange IKE keys successfully.
VPN is defined as 15.x + 10.x on FW1, and 192.x on FW2

I can ping from 15.x to 192.168.1.100
Ping from 192.168.1.100 to 15.x times out.

My questions are:
1. Is it because I'm NAT'ed on FW2 that I can't ping back to 15?
2. Is this the right setup to link 2 Checkpoint FWs using FP3?

Thanks,
Vic


