From: cisco4ng <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Site 2 site VPN
Date: Mon, 12 Jun 2006 16:47:04 -0700
Ray,
I agree with you that even my approach will work, but it is a pain in the
ass to manage.
Furthermore, if the customer uses some crazy apps (Citrix comes to mind), do not
expect things to work smoothly. This approach should be used only as a
last resort.
I work for a Managed Service Provider and our mantra is "customers are
always right". Therefore, sometimes we have to do things to please customers
even though they may not be the best solution.
The best solution is NOT to NAT anything. Apps will work better that way.
cisco4ng
Ray <[EMAIL PROTECTED]> wrote:
Yes, that approach does work; however, it has very limited use in the real
world unless you're only accessing a few devices and you and your users are
willing to use only IP addresses to connect. We've never found that to be
good for us (a non-computer company).
If you need real name resolution because people tell you to connect to a DNS
name or a UNC share, the only way to do it is if you set up a fake DNS or
WINS server and populate it with static entries so that their system's name
will resolve to what you're translating the IP address to. If the other side
changes anything on a regular basis, this gets unworkable rather quickly.
Ray
>From: cisco4ng
>To: Mailing list for discussion of Firewall-1
>
>CC: [EMAIL PROTECTED]
>Subject: Re: [FW-1] Site 2 site VPN
>Date: Mon, 12 Jun 2006 03:22:56 -0700 (PDT)
>
>The solution to this is very simple.
>
>If the other side is also using 172.x.x.x and you also use 172.x.x.x as
>well, what you want to do is NAT your side to 192.x.x.x and put both
>172.x.x.x and 192.x.x.x into your local encryption domain. Your remote
>encryption domain will be 10.x.x.x because that will be the IPs you tell
>the other side to use. The reverse is true on the other side.
>
>Once you've done that, go to the main Address Translation tab of the
>security policy and manipulate as follows on your side:
>
>  source   dest    service   trans source   trans dest   trans service
>  172.x    10.x    any       192.x          original     original
>  10.x     192.x   any       original       172.x        original
>
>Does that help?
>
> cisco4ng
>
>
>Ray wrote:
>For them (with a source address of 172.20.x.x) to be able to access anything
>on your LAN, they have to be routable on your LAN. If the default route on
>your LAN points back to the FW-1 internal interface, that's all that's
>needed.
>
>However, if you are using precisely the same subnets as they are, yes, then
>it will cause a problem and it will not work.
>
>Ray
>
> >From: Peter Addy
> >Reply-To: Mailing list for discussion of Firewall-1
> >
> >To: [email protected]
> >Subject: Re: [FW-1] Site 2 site VPN
> >Date: Sun, 11 Jun 2006 14:21:11 -0700
> >
> >Hi Ray
> >
> >Many thanks. One point I should have mentioned is that the 172.x.x.x
> >address the customer is using is not routable over our LAN, as I'm sure we
> >also have these 172.x.x.x addresses in use. Would this cause a problem?
> >
> > thanks again
> >
> >Ray wrote:
> > Hi Peter,
> >
> >Their encryption domain must be set up using the 172.20 address block. You
> >only use the 80.x address to establish the VPN. After the VPN is up, that
> >address does not exist as far as the site-to-site VPN traffic is concerned.
> >
> >You usually do not want any kind of NAT going on in the VPN tunnel itself.
> >You just need to make sure that their internal IP range is different from
> >yours and that your default internal network route ends up at the internal
> >interface of FW-1. If you do a "tracert 172.20.whatever" from your computer
> >and it ends up at FW-1, you should be OK. You may need to check all of your
> >subnets to assure their default route is the same.
> >
> >FW-1 will take care of the routing for you.
> >
> >HTH,
> >
> >Ray
> >
> >
> > >From: Peter Addy
> > >Reply-To: Mailing list for discussion of Firewall-1
> > >
> > >To: [email protected]
> > >Subject: [FW-1] Site 2 site VPN
> > >Date: Sat, 10 Jun 2006 02:46:06 -0700
> > >
> > >Hi
> > >
> > >Can someone please tell me: if I was to set up a VPN between an
> > >external site and our Checkpoint NG AI, and the external site was using an
> > >internal address range of 172.20.x.x, and their firewall gateway was
> > >80.x.x.x, could I use the gateway 80.x.x.x address for the encryption
> > >domain for the external site? Therefore same IP for gateway and topology.
> > >Would this work? Would I need any NAT rules?
> > >
> > >Or does it specifically need to be an address that is routable?
> > >
> > >Hoping to do this using the simplified mode.
> > >
> > > Thanks for your help guys
> > >
> > > __________________________________________________
> > >Do You Yahoo!?
> > >Tired of spam? Yahoo! Mail has the best spam protection around
> > >http://mail.yahoo.com
> > >
> > >=================================================
> > >To set vacation, Out-Of-Office, or away messages,
> > >send an email to [EMAIL PROTECTED]
> > >in the BODY of the email add:
> > >set fw-1-mailinglist nomail
> > >=================================================
> > >To unsubscribe from this mailing list,
> > >please see the instructions at
> > >http://www.checkpoint.com/services/mailing.html
> > >=================================================
> > >If you have any questions on how to change your
> > >subscription options, email
> > >[EMAIL PROTECTED]
> > >=================================================
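Editor's added example (not code from this thread, Check Point, or the FW-1 product): a small model of the two-row Address Translation table cisco4ng describes, plus the sanity checks and the fake-DNS mapping Ray's objection implies. The concrete ranges 172.20.0.0/16 (both sides' real LAN), 192.168.0.0/16 (our translated range) and 10.0.0.0/16 (the peer's translated range) are assumed values standing in for the thread's 172.x / 192.x / 10.x placeholders; the function and rule names are this example's own.

```python
"""Model of two-rule static NAT for a site-to-site VPN whose two ends both
use 172.x.x.x. Added example, not Check Point code; all ranges are assumed
stand-ins for the 172.x / 192.x / 10.x placeholders used in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Assumed addressing. Both sides really use 172.20.0.0/16, so each side
# presents a translated range to the other and never sees the real one.
LOCAL_REAL = ipaddress.ip_network("172.20.0.0/16")    # our real LAN
LOCAL_XLATE = ipaddress.ip_network("192.168.0.0/16")  # what we tell the peer to use for us
REMOTE_REAL = ipaddress.ip_network("172.20.0.0/16")   # peer's real LAN (overlaps ours)
REMOTE_XLATE = ipaddress.ip_network("10.0.0.0/16")    # what the peer tells us to use for them

# Encryption domains as the thread specifies: our real AND translated ranges
# locally (the packet is seen both before and after translation), and only
# the peer's advertised translated range remotely.
LOCAL_ENC_DOMAIN = [LOCAL_REAL, LOCAL_XLATE]
REMOTE_ENC_DOMAIN = [REMOTE_XLATE]


def static_translate(addr: ipaddress.IPv4Address, src: IPv4Net, dst: IPv4Net) -> ipaddress.IPv4Address:
    """1:1 static NAT: keep the host part, swap the network part."""
    if src.prefixlen != dst.prefixlen:
        raise ValueError("static NAT needs equal-size networks")
    offset = int(addr) - int(src.network_address)
    return ipaddress.ip_address(int(dst.network_address) + offset)


@dataclass(frozen=True)
class NatRule:
    src: IPv4Net
    dst: IPv4Net
    xlate_src: Optional[IPv4Net]  # None means "Original" (leave untouched)
    xlate_dst: Optional[IPv4Net]


# The two rows of the Address Translation table from the thread, our side.
RULES = [
    NatRule(LOCAL_REAL, REMOTE_XLATE, LOCAL_XLATE, None),  # 172.20.x -> 10.x: source becomes 192.168.x
    NatRule(REMOTE_XLATE, LOCAL_XLATE, None, LOCAL_REAL),  # 10.x -> 192.168.x: dest becomes 172.20.x
]


def apply_nat(src: str, dst: str, rules: List[NatRule] = RULES) -> Tuple[str, str]:
    """First matching rule wins, as in an ordered NAT rule base; no match
    means the packet passes untranslated."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            ns = static_translate(s, r.src, r.xlate_src) if r.xlate_src else s
            nd = static_translate(d, r.dst, r.xlate_dst) if r.xlate_dst else d
            return str(ns), str(nd)
    return str(s), str(d)


def in_domain(addr: str, domain: List[IPv4Net]) -> bool:
    """Membership test against an encryption domain (a list of networks)."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in domain)


def plan_issues() -> List[str]:
    """Checks to run before committing to this design. An empty list means
    the real ranges genuinely collide (so NAT is justified) and neither
    translated range collides with anything."""
    issues = []
    if not LOCAL_REAL.overlaps(REMOTE_REAL):
        issues.append("real ranges do not overlap: no NAT is needed, so do not NAT")
    for name, net in (("LOCAL_XLATE", LOCAL_XLATE), ("REMOTE_XLATE", REMOTE_XLATE)):
        for other_name, other in (("LOCAL_REAL", LOCAL_REAL), ("REMOTE_REAL", REMOTE_REAL)):
            if net.overlaps(other):
                issues.append(f"{name} overlaps {other_name}")
    if LOCAL_XLATE.overlaps(REMOTE_XLATE):
        issues.append("the two translated ranges overlap each other")
    return issues


def dns_entry_for_peer_host(peer_real_ip: str) -> str:
    """Address to publish in the local fake DNS/WINS static entry for a peer
    host: our users must resolve its name to the peer's *translated* address,
    which is the management burden Ray describes."""
    a = ipaddress.ip_address(peer_real_ip)
    if a not in REMOTE_REAL:
        raise ValueError("not in the peer's real range")
    return str(static_translate(a, REMOTE_REAL, REMOTE_XLATE))


if __name__ == "__main__":
    # Round trip: our 172.20.1.5 talks to the peer host we know as 10.0.2.9.
    out = apply_nat("172.20.1.5", "10.0.2.9")   # what enters the tunnel
    back = apply_nat("10.0.2.9", "192.168.1.5")  # the reply, after our inbound rule
    print("outbound:", out, "inbound:", back, "issues:", plan_issues())
```

The round trip shows why both 172.20.x and 192.168.x must sit in the local encryption domain: the source leaves as 192.168.1.5, and the reply is addressed to 192.168.1.5 before the second rule turns it back into 172.20.1.5. The peer applies the mirror image of the same two rows.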