Shane,

Better to use manual NAT rules for NATing with VPNs. And yes, NAT rules are processed before implied and explicit rules.

Neil Delacruz

On 2/15/06, MikeCC <[EMAIL PROTECTED]> wrote:
>
> Hello,
>
> I just went through this.
>
> You define the encryption properties at the Community level - I used Meshed communities. You'll notice there's no option there to set the timeouts based on number of KBs, but Checkpoint will ignore any sent by Cisco.
>
> You define the externally managed Cisco as an "Interoperable Device" and assign it an encryption domain. You'll need to know what hosts or networks they need to use.
>
> In regards to NAT: in the "VPN Advanced" settings you see a checkbox for "Disable NAT in the VPN Community". Leave this unchecked if you want to translate your internal addresses for the VPN connection.
>
> Also, under "Tunnel Management" select the "Tunnel per host pair" option (that wording may be slightly different).
>
> "The strength of the Constitution lies entirely in the determination of each citizen to defend it. Only if every single citizen feels duty bound to do his share in this defense are the constitutional rights secure." - Albert Einstein
>
> ----- Original Message ----
> From: Shane Presley <[EMAIL PROTECTED]>
> To: [email protected]
> Sent: Wednesday, February 15, 2006 12:53:50 PM
> Subject: [FW-1] NGX VPNs
>
> > Hi Folks,
> >
> > I need to create a VPN between our CheckPoint firewall and an externally managed Cisco router.
> >
> > Our current infrastructure is NGX management console and NG AI firewall.
> >
> > I remember back in the early NG days, there was an Action called encrypt, where you would specify the peer and encryption properties per rule.
> >
> > That now seems to be done using communities? How would I set up the object for this external router, and define its encryption realm?
> >
> > Also on my end, we want to NAT the traffic before we send it through the tunnel. Is that just a regular NAT rule, and the firewall knows to do the NAT first, before it creates the VPN?
> >
> > Thanks
> > Shane
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [EMAIL PROTECTED]
> > =================================================
