Really good. I have always preferred traditional mode to simplified mode. Your mail arrived while I was writing an answer. After reading it I thought that it was so well written that I could just continue and go to lunch.

Cheers
Christian

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of cisco4ng
Sent: Thursday, 17 August 2006 14:14
To: [email protected]
Subject: Re: [FW-1] VPN domain and non-encrypted traffic

"Hi Christian, Yes both LAN_1 and LAN_2, as well as the firewall on my end have valid public IP addresses. LAN_X however is RFC1918 with 10.0.0.0/24 IP addresses with NAT on the firewall of LAN_X for this network."

The problem here is that LAN_X is "hide" NATed to the firewall external interface for going out to the Internet. You must be using VPN in simplified mode, right? The problem with simplified mode is that the firewall itself (i.e. the external IP address) is also part of the encryption domain. Therefore, when traffic from LAN_X hits LAN_2, even if the firewall on the other end sends it out as cleartext traffic, your firewall will see it as "encrypted" traffic because LAN_X is "hide" NATed to the external IP address of the remote firewall. This is a stupid VPN design from Checkpoint if you ask me. You will see this issue a lot if you set up VPNs between Cisco devices and Checkpoint firewalls.

Solution:
1) "hide" NAT LAN_X to a public IP address other than the firewall public IP address
2) switch from "simplified" mode VPN to traditional mode VPN. That, by default, will take the firewall itself out of the encryption domain and LAN_X will be able to communicate with LAN_2 without issues.

Good luck to you.
cisco4ng

Christian ALT <[EMAIL PROTECTED]> wrote:
I guess that LAN_2 is not an official IP network, or is it? Because this configuration as you describe it is possible. LAN_2 should be accessed by a different IP address than the firewall itself. If you are more specific with addresses, I should be able to help you further.

Bye for now,
Christian ALT
Telecom and Logistics Associates
Network Security Company
http://www.tla.ch

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Pace Balzan
Sent: Wednesday, 16 August 2006 14:38
To: [email protected]
Subject: [FW-1] VPN domain and non-encrypted traffic

Hi all,

I have a module and mgmt on the same machine running splat NG-AI R55. The VPN domain for this gateway is defined as LAN_1 and LAN_2, which are separate networks behind this firewall. A VPN exists between this firewall and another firewall, call it FW_X, protecting LAN_X (I don't have access to that firewall, since it belongs to someone else). People in LAN_X can access parts of LAN_1 on my network via the encrypted VPN as expected - I have a rule on my firewall like this:

SRC: LAN_X  DST: LAN_1  SVC: any  VIA: COMMUNITY_X  Action: Accept

The Problem: On LAN_2 there are some public services, which I would like LAN_X and all the rest of the world to access unencrypted. For this I have a rule like this (which is after the rule above in my policy):

SRC: ANY  DST: LAN_2  SVC: smtp, http, ftp  VIA: ANY  Action: Accept

All the world can access services on LAN_2, but LAN_X cannot, and the firewall is complaining about:

'encryption failure: Received a cleartext packet within an encrypted connection'

What is the expected behaviour of FW1 - is it possible to have traffic from LAN_X to LAN_2 go through unencrypted? I would have expected this to be possible, but on my setup it is not working, so I would like to know if I should be doing further troubleshooting of my config, or else, if this is a limitation that cannot be overcome, then I should not need any further troubleshooting. Removing LAN_2 from my VPN domain allows the traffic to flow unencrypted, but this is not a good solution since it breaks other things for me.
Thanks to all
Mark

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
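A small Python model of the behaviour cisco4ng describes, added here as an illustration and not part of the thread or of any Check Point code: a packet is treated as belonging to the community when its on-wire source sits in the peer's encryption domain (which, per the thread, includes the peer gateway's own external address in simplified mode) and its destination sits in the local VPN domain; Mark's failing case and both suggested fixes are then run through it. All addresses are constructed from RFC 5737 documentation ranges, and the gateway's real matching logic is reduced to this one rule as an assumption.

```python
import ipaddress

def to_nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def in_domain(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def peer_encryption_domain(peer_domain, peer_external_ip, simplified_mode):
    # Per the thread: simplified mode also puts the peer gateway's own IP in its domain.
    nets = to_nets(peer_domain)
    if simplified_mode:
        nets.append(ipaddress.ip_network(peer_external_ip + "/32"))
    return nets

def classify(local_domain, peer_domain, peer_external_ip, simplified_mode,
             src_on_wire, dst, encrypted):
    """Toy model (an assumption, not Check Point's code) of one inbound packet:
    source in the peer's encryption domain plus destination in our own VPN domain
    means the connection belongs to the community and must arrive encrypted."""
    peer_nets = peer_encryption_domain(peer_domain, peer_external_ip, simplified_mode)
    expects_vpn = in_domain(src_on_wire, peer_nets) and in_domain(dst, to_nets(local_domain))
    if expects_vpn and not encrypted:
        return "drop: Received a cleartext packet within an encrypted connection"
    if expects_vpn:
        return "accept: VIA COMMUNITY_X"
    return "accept: cleartext rule"

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
LAN_1, LAN_2 = "192.0.2.0/24", "198.51.100.0/24"   # behind Mark's gateway
LAN_X, FW_X = "10.0.0.0/24", "203.0.113.1"         # RFC1918 LAN_X behind FW_X
LOCAL_DOMAIN = [LAN_1, LAN_2]
LAN_2_WEB = "198.51.100.25"

def mark_problem():
    # LAN_X hide-NATed behind FW_X's own external IP, cleartext HTTP to LAN_2
    return classify(LOCAL_DOMAIN, [LAN_X], FW_X, True, FW_X, LAN_2_WEB, False)

def fix_separate_hide_ip():
    # Fix 1: hide LAN_X behind a public IP that is not FW_X's own address
    return classify(LOCAL_DOMAIN, [LAN_X], FW_X, True, "203.0.113.50", LAN_2_WEB, False)

def fix_traditional_mode():
    # Fix 2: traditional mode leaves the gateway out of the encryption domain
    return classify(LOCAL_DOMAIN, [LAN_X], FW_X, False, FW_X, LAN_2_WEB, False)

def encrypted_to_lan_1():
    # The intended VPN path is unaffected: inside the tunnel LAN_X keeps 10.0.0.x
    return classify(LOCAL_DOMAIN, [LAN_X], FW_X, True, "10.0.0.5", "192.0.2.10", True)
```

Running the four scenarios reproduces the thread's log line only for the hide-NAT-behind-the-gateway case, which is why the firewall's own external address in the domain, not the rulebase order, is the thing to check first.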
