See Check Point's NAT pools and a paper called Multiple Entry Points (MEP).
You can download it from Check Point's public support page.
----- Original Message -----
From: "The Pal / Patrik Bodin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 03, 2001 2:27 PM
Subject: VPN-1 with multiple FW-1's
> Hi!
>
> I have a network with some offices around Europe. Every office has a FW-1.
> Between the FW-1's there's a full mesh network of VPN tunnels over the
> Internet.
> Every office has its own subnet, and all Internet traffic goes through
> the local FW-1. Every FW-1 is the VPN server for its own employees.
>
> After authentication VPN-1 decrypts the encrypted packet from the client
> and transmits it onto the internal network, keeping its original source
> address.
> When the destination machine sends the reply, VPN-1 encrypts it and sends
> it to the client. The source and destination addresses are the same on both
> sides of the decryption/encryption. This requires that the reply goes out
> through the same FW-1 as the original packet came in through.
>
> This is not a problem as long as a Stockholm employee connected to the
> Stockholm VPN-1 is accessing machines in the Stockholm network, but when he
> tries to access a machine in the London network, the destination machine
> sends its reply through the London FW-1, which doesn't recognize the packet
> as belonging to the VPN session. Therefore it's never encapsulated and
> encrypted, and the client drops it.
>
> What is the solution for this? Is it possible to make a rule that
> masquerades the address of the VPN client using the internal address of
> FW-1, making the London machine send the reply to the Stockholm FW-1?
> Wouldn't this approach cause problems if the client machine tried to access
> some public resources on the DMZ at the same time as it's connected through
> the VPN session? Will FW-1 masquerade these packets as well? If so, is it a
> problem?
>
> One idea is to masquerade the whole freaking Internet to the internal
> address of the FW-1... fun idea, but every cell in my brain screams "Nooo!". ;)
>
> Any ideas?
>
> /P
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
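The asymmetric-return problem described in the quoted post, and the effect of hiding the remote-access client behind a pool of addresses inside the Stockholm LAN (the NAT pool idea the reply points to), modelled as an added example. This is not code from the thread or from Check Point; the topology, addresses (documentation and private ranges), the `NAT_POOL` range and the gateway names are constructed assumptions, and the model only tracks which gateway holds the VPN session state and which way the reply is routed.

```python
import ipaddress

# Constructed sample topology (assumption, not from the original thread).
STOCKHOLM_LAN = ipaddress.ip_network("192.168.10.0/24")
LONDON_LAN = ipaddress.ip_network("192.168.20.0/24")
# Hypothetical pool of addresses inside the Stockholm LAN used to hide VPN clients.
NAT_POOL = ipaddress.ip_network("192.168.10.128/25")
CLIENT_PUBLIC = ipaddress.ip_address("203.0.113.5")   # client keeps its real address
LONDON_SERVER = ipaddress.ip_address("192.168.20.10")

# Per-gateway table of remote-access clients each FW-1 has authenticated.
# Only the Stockholm gateway knows about this client's VPN session.
vpn_sessions = {"stockholm-fw": {CLIENT_PUBLIC}, "london-fw": set()}

# Stockholm FW's NAT table: pool address -> real client address.
nat_table = {}


def translate_client(src, use_nat_pool):
    """Stockholm FW forwards the decrypted client packet onto the LAN,
    optionally hiding the client behind the next free pool address."""
    if not use_nat_pool:
        return src
    pool_addr = NAT_POOL[1 + len(nat_table)]
    nat_table[pool_addr] = src
    return pool_addr


def next_hop_from_london_fw(dst):
    """London FW-1 routing: Stockholm LAN is reachable over the mesh tunnel,
    everything else leaves towards the Internet."""
    if dst in STOCKHOLM_LAN:
        return "tunnel->stockholm-fw"
    return "internet"


def reply_path(use_nat_pool):
    """Trace the London server's reply back towards the client.
    Returns (list of hops, outcome)."""
    nat_table.clear()
    visible_src = translate_client(CLIENT_PUBLIC, use_nat_pool)

    # The London server sees visible_src as the requester and replies to it;
    # like any LAN host it sends everything through its local FW-1.
    hops = ["london-server", "london-fw"]
    reply_dst = visible_src

    # London FW-1 has no session for this client, so it cannot encrypt.
    if reply_dst in vpn_sessions["london-fw"]:
        hops.append("encrypted->client")
        return hops, "delivered"

    if next_hop_from_london_fw(reply_dst) == "internet":
        # Reply leaves in cleartext; the client expects an encrypted packet
        # and drops it, which is the failure the post describes.
        hops.append("internet(cleartext)")
        return hops, "dropped-by-client"

    # Pool address belongs to the Stockholm LAN, so the reply rides the
    # site-to-site tunnel to the Stockholm FW-1, which undoes the NAT and
    # finds the client's VPN session.
    hops.append("stockholm-fw")
    real_dst = nat_table.get(reply_dst, reply_dst)
    if real_dst in vpn_sessions["stockholm-fw"]:
        hops.append("encrypted->client")
        return hops, "delivered"
    return hops, "no-session"


if __name__ == "__main__":
    for use_pool in (False, True):
        hops, outcome = reply_path(use_pool)
        print(f"nat_pool={use_pool}: {' -> '.join(hops)} => {outcome}")
```

Running the block shows the reply taking the cleartext path through the London FW-1 without the pool, and returning over the mesh tunnel to the Stockholm FW-1 with it. The model also makes the trade-off visible: the London server never sees the client's real address, only a pool address, so any London-side logging or access control keyed on client addresses has to be done at the Stockholm gateway, where the NAT table still holds the mapping.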