I guess that LAN_2 is not an official IP network, or is it?

Because this configuration, as you describe it, is possible. LAN_2 should be
accessed by a different IP address than the firewall itself.

If you are more specific with addresses, I should be able to help you
further.

Bye for now,

Christian ALT

Telecom and Logistics Associates
Network Security Company

http://www.tla.ch

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED]] On Behalf Of Mark Pace Balzan
Sent: Wednesday, 16 August 2006 14:38
To: [email protected]
Subject: [FW-1] VPN domain and non-encrypted traffic


Hi all,


I have a module and mgmt on the same machine running splat NG-AI R55.
The vpn domain for this gateway is defined as LAN_1 and LAN_2, which are
separate networks behind this firewall.

A VPN exists between this firewall and another firewall, call it FW_X
protecting LAN_X (I don't have access to the firewall, since it belongs
to someone else). People in LAN_X can access parts of LAN_1 on my
network via the encrypted VPN as expected - I have a rule on my firewall
like this:

SRC: LAN_X
DST: LAN_1
SVC: any
VIA: COMMUNITY_X
Action: Accept


The Problem:

On LAN_2 there are some public services, which I would like LAN_X and
all the rest of the world to access unencrypted. For this I have a rule
like this (which is after the rule above in my policy):

SRC: ANY
DST: LAN_2
SVC: smtp, http, ftp
VIA: ANY
Action: Accept

All the world can access services on LAN_2, but LAN_X cannot, and the
firewall is complaining about:
 'encryption failure: Received a cleartext packet within an encrypted
connection'


What is the expected behaviour of FW-1? Is it possible to have traffic
from LAN_X to LAN_2 go through unencrypted?

I would have expected this to be possible, but on my setup it is not
working, so I would like to know whether I should do further
troubleshooting of my config, or whether this is a limitation that
cannot be overcome, in which case I should not need any further troubleshooting.

Removing LAN_2 from my VPN domain allows the traffic to flow
unencrypted, but this is not a good solution since it breaks other
things for me.



Thanks to all


Mark

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
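The situation Mark describes, as an added model (not code from the thread, not Check Point's implementation, and not Mark's real policy): a site-to-site gateway decides from the two VPN domains whether a flow belongs to the VPN, and a cleartext packet for such a flow is rejected before the rule base can accept it, regardless of where the "VIA: ANY" rule sits. The addresses, the rule and packet structures, and the ordering of the domain check ahead of rule matching are assumptions for illustration. The script also runs the two workarounds that come up above: dropping LAN_2 from the VPN domain, and reaching the LAN_2 services through an address that is outside the domain (Christian's hint), using a hypothetical public range.

```python
"""
Added example, not code from the thread or from Check Point: a simplified
model of why a cleartext LAN_X -> LAN_2 packet is rejected while LAN_2 sits
inside the gateway's VPN domain. Addresses and evaluation order are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence

Net = ipaddress.IPv4Network

# Assumed addressing: the thread names these networks but gives no prefixes.
LAN_1 = Net("10.1.0.0/24")
LAN_2 = Net("10.2.0.0/24")
LAN_X = Net("192.168.50.0/24")        # behind FW_X, the peer gateway
LAN_2_PUBLIC = Net("203.0.113.0/28")  # hypothetical public range for LAN_2 services
COMMUNITY_X = "COMMUNITY_X"


@dataclass(frozen=True)
class Rule:
    src: Optional[Net]        # None = ANY
    dst: Optional[Net]        # None = ANY
    svc: FrozenSet[str]       # empty = any service
    via: Optional[str]        # community name, None = ANY
    action: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    svc: str
    community: Optional[str]  # community it was decrypted from, None = cleartext


def in_domain(addr: str, domain: Sequence[Net]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in domain)


def is_vpn_flow(pkt: Packet, my_domain: Sequence[Net], peer_domain: Sequence[Net]) -> bool:
    """A flow between the peer's encryption domain and mine, in either
    direction, belongs to the VPN and is expected to arrive encrypted."""
    return ((in_domain(pkt.src, peer_domain) and in_domain(pkt.dst, my_domain))
            or (in_domain(pkt.src, my_domain) and in_domain(pkt.dst, peer_domain)))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if rule.src is not None and src not in rule.src:
        return False
    if rule.dst is not None and dst not in rule.dst:
        return False
    if rule.svc and pkt.svc not in rule.svc:
        return False
    if rule.via is not None and pkt.community != rule.via:
        return False
    return True


def evaluate(pkt: Packet, rules: Sequence[Rule],
             my_domain: Sequence[Net], peer_domain: Sequence[Net]) -> str:
    """Assumed ordering: the VPN-domain test runs before the rule base, so a
    cleartext packet that the domains place inside the VPN never reaches the
    'VIA: ANY' rule, however late that rule sits in the policy."""
    if pkt.community is None and is_vpn_flow(pkt, my_domain, peer_domain):
        return "drop: encryption failure (cleartext packet inside VPN domain)"
    for n, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return f"{rule.action} (rule {n})"
    return "drop (cleanup)"


PUBLIC_SVCS = frozenset({"smtp", "http", "ftp"})
# Mark's policy as posted: VPN rule first, public-services rule second.
POLICY = [
    Rule(LAN_X, LAN_1, frozenset(), COMMUNITY_X, "accept"),
    Rule(None, LAN_2, PUBLIC_SVCS, None, "accept"),
]
# Variant for Christian's hint: the LAN_2 services are reached via addresses
# outside the VPN domain (hypothetical), while LAN_2 itself stays in the domain.
POLICY_PUBLIC = [
    Rule(LAN_X, LAN_1, frozenset(), COMMUNITY_X, "accept"),
    Rule(None, LAN_2_PUBLIC, PUBLIC_SVCS, None, "accept"),
]


def scenarios() -> dict:
    peer, full_domain = [LAN_X], [LAN_1, LAN_2]
    clear_from_x = Packet("192.168.50.10", "10.2.0.25", "http", None)
    return {
        # Works: encrypted LAN_X -> LAN_1 through the community.
        "vpn_to_lan1": evaluate(Packet("192.168.50.10", "10.1.0.5", "http", COMMUNITY_X),
                                POLICY, full_domain, peer),
        # Works: the rest of the world, cleartext, to LAN_2.
        "internet_to_lan2": evaluate(Packet("198.51.100.7", "10.2.0.25", "http", None),
                                     POLICY, full_domain, peer),
        # Mark's problem: LAN_X cleartext to LAN_2 is rejected.
        "lanx_clear_to_lan2": evaluate(clear_from_x, POLICY, full_domain, peer),
        # Workaround 1 (Mark tried it): take LAN_2 out of the VPN domain.
        "lan2_out_of_domain": evaluate(clear_from_x, POLICY, [LAN_1], peer),
        # Workaround 2 (Christian's hint): address the services outside the domain.
        "lanx_clear_to_public": evaluate(Packet("192.168.50.10", "203.0.113.4", "smtp", None),
                                         POLICY_PUBLIC, full_domain, peer),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} -> {result}")
```

Run it as a script to see the five verdicts side by side. The point it makes is the one behind Christian's reply: rule order does not help, because the decision is made from the encryption domains, so either the destination must leave the VPN domain or LAN_X must reach it through an address that is not in the domain.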
