Thanks for your replies. Yes, I use simplified mode.

So if LAN_X is hide NAT to a different public IP, not the one of the firewall, then LAN_X to LAN_2 traffic will be sent in the clear, and my firewall will accept it like this since the NEW_HIDE_NAT IP is not part of the encryption domain. However, will LAN_X to LAN_1 traffic that is sent encrypted still be accepted by my firewall if the NEW_HIDE_NAT IP is not in the encryption domain?

Thanks
Mark

------------------------------

Date: Thu, 17 Aug 2006 05:14:28 -0700
From: cisco4ng <[EMAIL PROTECTED]>
Subject: Re: VPN domain and non-encrypted traffic

The problem here is that LAN_X is "hide" NAT to the firewall external interface for going out to the Internet. You must be using VPN in simplified mode, right? The problem with simplified mode is that the firewall itself (i.e. the external IP address) is also part of the encryption domain. Therefore, when traffic from LAN_X hits LAN_2, even though the firewall on the other end sends it out as clear-text traffic, your firewall will see it as "encrypted" traffic because LAN_X is "hide" NAT to the external IP address of the remote firewall. This is a stupid VPN design from Checkpoint if you ask me. You will see this issue a lot if you set up VPN between Cisco devices and Checkpoint firewalls.

Solution:
1) "hide" NAT LAN_X to a public IP address other than the firewall public IP address
2) switch from "simplified" mode VPN to traditional mode VPN. That, by default, will take the firewall itself out of the encryption domain and LAN_X will be able to communicate with LAN_2 without issues.
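The mismatch cisco4ng describes, modelled as an added example (not Check Point code, not from either poster): the local firewall decides "must this have arrived inside the tunnel?" from post-NAT source and destination against the two encryption domains, while the remote firewall decided on the pre-NAT source. All addresses, the assumption that LAN_1 and LAN_2 are in the local domain, and the remote domain LAN_R are constructed for the model.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (RFC 1918 / RFC 5737), not taken from the thread.
LAN_1 = ip_network("10.1.0.0/24")       # behind the local firewall, in its VPN domain
LAN_2 = ip_network("10.2.0.0/24")       # behind the local firewall, in its VPN domain
LAN_R = ip_network("172.16.0.0/24")     # the remote side's declared VPN domain
LAN_X = ip_network("192.168.100.0/24")  # remote side, NOT in its VPN domain
LOCAL_FW_IP = ip_address("198.51.100.1")
REMOTE_FW_IP = ip_address("203.0.113.1")
NEW_HIDE_NAT_IP = ip_address("203.0.113.50")  # option 1 from the reply


def encryption_domain(lans, gateway_ip, simplified):
    """Networks a peer expects to see encrypted for this gateway.
    Simplified-mode quirk from the thread: the gateway's own external IP
    is itself part of the domain; traditional mode leaves it out."""
    domain = list(lans)
    if simplified:
        domain.append(ip_network(f"{gateway_ip}/32"))
    return domain


def in_domain(addr, domain):
    return any(addr in net for net in domain)


def local_accepts(src, dst, arrived_encrypted, remote_domain, local_domain):
    """Local firewall check: source in the remote domain AND destination in
    the local domain means the packet must have come through the tunnel.
    Any mismatch between that expectation and what arrived is a drop."""
    expect_encrypted = in_domain(src, remote_domain) and in_domain(dst, local_domain)
    return arrived_encrypted == expect_encrypted


def lan_x_to_lan_2(hide_nat_ip, simplified):
    """A LAN_X host, hide-NATed behind hide_nat_ip, sends to a LAN_2 host.
    Returns True if the local firewall accepts the packet."""
    remote_domain = encryption_domain([LAN_R], REMOTE_FW_IP, simplified)
    local_domain = encryption_domain([LAN_1, LAN_2], LOCAL_FW_IP, simplified)
    original_src, dst = LAN_X[10], LAN_2[10]
    # Remote firewall decides on the pre-NAT source: LAN_X is outside its
    # domain, so it sends clear text regardless of mode.
    remote_sends_encrypted = in_domain(original_src, remote_domain) and in_domain(dst, local_domain)
    # Local firewall only ever sees the post-NAT source.
    return local_accepts(hide_nat_ip, dst, remote_sends_encrypted, remote_domain, local_domain)


if __name__ == "__main__":
    print("hide NAT to remote FW IP, simplified:", lan_x_to_lan_2(REMOTE_FW_IP, True))   # False
    print("hide NAT to other public IP, simplified:", lan_x_to_lan_2(NEW_HIDE_NAT_IP, True))  # True
    print("hide NAT to remote FW IP, traditional:", lan_x_to_lan_2(REMOTE_FW_IP, False))  # True
```

The first case reproduces the drop; the other two correspond to the reply's options 1 and 2. Mark's follow-up question about encrypted traffic from a source outside the domain is not modelled, since the thread does not answer it.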
