Accept ICMP requests: before last ?

On 9/24/06, cisco4ng <[EMAIL PROTECTED]> wrote:

LAN_A---(i)Pix(o)---Internet---(Ext)CP_FW(Int)---LAN_B

I have a site-to-site VPN between Cisco Pix and Checkpoint Firewall NGx. Traffic is encrypted between LAN_A and LAN_B without any NAT translation. Everything is working properly. I am using VPN simplified mode.

One of the requirements is that LAN_A must be able to ping LAN_B and that the ICMP traffic between LAN_A and LAN_B must be encrypted via IPSec. I also have a requirement from the customer that, from the Pix "outside" interface, the customer wants to be able to ping the Checkpoint "External" interface and that this ICMP traffic will not be encrypted.

The problem is that Checkpoint, by default, also includes the CP firewall itself as part of the encryption domain. Yes, the ICMP from the Pix outside interface will arrive at the CP External interface in the "clear", but the CP expects this traffic to be encrypted. Well, I can exclude "icmp" from the VPN traffic, but it also means that LAN_A will not be able to ping LAN_B. With VPN "traditional" mode, the Checkpoint FW itself, by default, is NOT part of the encryption domain, but in simplified mode it is.

Is there a way to exclude the Checkpoint itself from the encryption domain in NGx in VPN "simplified" mode?

Thanks.
cisco4ng

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
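As an added example (not code from either poster), here is a small Python check a practitioner could run over a tcpdump-style capture taken on the Pix outside interface to verify the two requirements in the question: site-to-site traffic must appear only as ESP between the two gateways, while gateway-to-gateway ICMP is expected in the clear. The subnets, gateway addresses and capture lines are constructed placeholders, since the thread gives none.

```python
import ipaddress
import re

# Constructed placeholders: the thread names no addresses, so these are
# assumptions chosen only for the example.
LAN_A = ipaddress.ip_network("10.1.0.0/24")          # behind the Pix
LAN_B = ipaddress.ip_network("10.2.0.0/24")          # behind the Checkpoint
PIX_OUTSIDE = ipaddress.ip_address("203.0.113.1")    # Pix "outside" interface
CP_EXTERNAL = ipaddress.ip_address("198.51.100.1")   # Checkpoint "External" interface
GATEWAYS = {PIX_OUTSIDE, CP_EXTERNAL}

# Constructed tcpdump-style lines as they would look on the Pix outside
# interface. The last ICMP line is deliberately a leak: inner LAN addresses
# should never be visible there, only ESP between the gateways.
CAPTURE = """\
12:00:01.000 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0x0000a1b2,seq=0x1)
12:00:01.010 IP 198.51.100.1 > 203.0.113.1: ESP(spi=0x0000c3d4,seq=0x1)
12:00:02.000 IP 203.0.113.1 > 198.51.100.1: ICMP echo request, id 7, seq 1, length 64
12:00:02.010 IP 198.51.100.1 > 203.0.113.1: ICMP echo reply, id 7, seq 1, length 64
12:00:03.000 IP 10.1.0.5 > 10.2.0.7: ICMP echo request, id 9, seq 1, length 64
12:00:04.000 ARP, Request who-has 203.0.113.2 tell 203.0.113.1, length 28
"""

LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): (\w+)")


def parse_line(line):
    """Extract source, destination and protocol token from one capture line.

    Returns None for lines that are not IPv4 packets (e.g. ARP)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m.group(1)),
        "dst": ipaddress.ip_address(m.group(2)),
        "proto": m.group(3),
    }


def classify(rec):
    """Map a packet to one of the flow kinds discussed in the thread."""
    src, dst, proto = rec["src"], rec["dst"], rec["proto"]
    if src in GATEWAYS and dst in GATEWAYS:
        # Gateway-to-gateway: ESP is the tunnel itself, ICMP is the clear ping
        # the customer asked for.
        return "tunnel" if proto == "ESP" else "gateway_ping_clear"
    between_sites = (src in LAN_A and dst in LAN_B) or (src in LAN_B and dst in LAN_A)
    if between_sites:
        # Any protocol, not just ICMP: inner addresses on the outside
        # interface mean the packet bypassed IPSec.
        return "site_to_site_clear"
    return "other"


def audit(capture):
    """Count each flow kind and list every site-to-site packet seen in clear."""
    summary = {"tunnel": 0, "gateway_ping_clear": 0, "site_to_site_clear": 0, "other": 0}
    leaks = []
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        summary[kind] += 1
        if kind == "site_to_site_clear":
            leaks.append(f"{rec['src']} > {rec['dst']}")
    return summary, leaks


if __name__ == "__main__":
    summary, leaks = audit(CAPTURE)
    print(summary)
    for leak in leaks:
        print("unencrypted site-to-site packet on outside interface:", leak)
```

The useful result is the `leaks` list: it stays empty only when every LAN_A/LAN_B packet leaves the Pix as ESP, which is exactly what excluding ICMP from the VPN traffic, as the question describes, would break. With a real capture, feed `tcpdump -n -i <outside>` output into `audit()` in place of the constructed `CAPTURE` string.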