For them (with a source address of 172.20.x.x) to be able to access anything
on your LAN, they have to be routable on your LAN. If the default route on
your LAN points back to the FW-1 internal interface, that's all that's
needed.
However, if you are using precisely the same subnets as they are, yes, then
it will cause a problem and it will not work.
Ray
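The two checks Ray describes (no overlap between your LAN and the peer's 172.20 encryption domain, and traffic for that domain ending up at FW-1's internal interface), as an added example that is not part of the thread. The subnets, route table and the 203.0.113.1 peer address standing in for "80.x.x.x" are constructed sample values.

```python
import ipaddress

# Constructed sample data (not from the thread): our LAN subnets, the remote
# site's encryption domain, its public VPN gateway, the FW-1 internal
# interface, and the LAN router's route table (prefix -> next hop).
LOCAL_SUBNETS = ["172.16.10.0/24", "192.168.1.0/24"]
REMOTE_DOMAIN = ["172.20.0.0/16"]
REMOTE_GATEWAY = "203.0.113.1"
FW1_INTERNAL = "192.168.1.1"
ROUTES = {"0.0.0.0/0": "192.168.1.1", "172.16.10.0/24": "192.168.1.254"}


def domain_conflicts(local_subnets, remote_domain, remote_gateway):
    """Report overlaps between our LAN and the peer's encryption domain, and
    flag a domain that wrongly contains the peer's public gateway address."""
    local = [ipaddress.ip_network(n) for n in local_subnets]
    remote = [ipaddress.ip_network(n) for n in remote_domain]
    gw = ipaddress.ip_address(remote_gateway)
    overlaps = [(str(l), str(r)) for l in local for r in remote if l.overlaps(r)]
    return {"overlaps": overlaps,
            "gateway_in_domain": any(gw in r for r in remote)}


def next_hop(routes, dst):
    """Longest-prefix-match lookup, as the LAN router would do for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def vpn_traffic_reaches_fw1(routes, dst, fw1_internal):
    """True if a packet for the remote domain is handed to FW-1 (the
    equivalent of a tracert to 172.20.x.x ending at FW-1)."""
    return next_hop(routes, dst) == fw1_internal


if __name__ == "__main__":
    print(domain_conflicts(LOCAL_SUBNETS, REMOTE_DOMAIN, REMOTE_GATEWAY))
    print(vpn_traffic_reaches_fw1(ROUTES, "172.20.5.9", FW1_INTERNAL))
```

Any entry in "overlaps" is the case Ray warns about in the first paragraph: the same 172.x subnet in use on both sides, which the tunnel cannot route without NAT.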
From: Peter Addy <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Site 2 site VPN
Date: Sun, 11 Jun 2006 14:21:11 -0700
Hi Ray
Many thanks. One point I should have mentioned is that the 172.x.x.x
address the customer is using is not routable over our LAN, as I'm sure we
also have these 172.x.x.x addresses in use. Would this cause a problem?
thanks again
Ray <[EMAIL PROTECTED]> wrote:
Hi Peter,
Their encryption domain must be set up using the 172.20 address block. You
only use the 80.x address to establish the VPN. After the VPN is up, that
address does not exist as far as the site-to-site VPN traffic is concerned.
You usually do not want any kind of NAT going on in the VPN tunnel itself.
You just need to make sure that their internal IP range is different than
yours and that your default internal network route ends up at the internal
interface of FW-1. If you do a "tracert 172.20.whatever" from your computer
and it ends up at FW-1, you should be OK. You may need to check all of your
subnets to assure their default route is the same.
FW-1 will take care of the routing for you.
HTH,
Ray
>From: Peter Addy
>Reply-To: Mailing list for discussion of Firewall-1
>
>To: [email protected]
>Subject: [FW-1] Site 2 site VPN
>Date: Sat, 10 Jun 2006 02:46:06 -0700
>
>Hi
>
> Can someone please tell me: if I was to set up a VPN between an
>external site and our Checkpoint NG AI, and the external site was using an
>internal address range of 172.20.x.x and their firewall gateway was
>80.x.x.x, could I use the gateway 80.x.x.x address for the encryption
>domain for the external site? Therefore the same IP for gateway and topology.
>Would this work? Would I need any NAT rules?
>
> Or does it specifically need to be an address that is routable?
>
> Hoping to do this using the simplified mode
>
> Thanks for your help guys
>
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================