Hi guys,
I have an issue that was solved using Juniper boxes. Guess if there's any way to implement it using Checkpoint:

Scenario:
Datacenter as center of the internal network and one Cluster of two VPN-1 Power gateways.
3 countries with border firewalls attached to Internet.
All four countries are connected internally using an MPLS network.

Problem:
Need to wait for a local IronPort Anti-Spam solution at each of the remote 3 countries and need an SMTP MX entry point in each country.
Cannot use only Static NAT 'cause the back traffic of each connection must flow the same way as it entered.
Example: if a connection arrives at the UK firewall and comes from the internet, it will be NATed and directed internally, pass thru the headquarters' firewall and be delivered at the SMTP server, but when this server answers, traffic must follow back thru HQ's firewall, follow UK's network path and exit to the internet.
Source NAT cannot be used as the IronPort must check the incoming IP at each SMTP session.

Solution applied using Juniper firewalls:
Between the HQ's firewall and the IronPort firewall was placed a Juniper firewall. The IP address of the IronPort was changed to a new one from the Juniper internal network, and all DNS changes and HQ's NAT config were done to comply with this change.
At each border firewall a Tunnel interface is created with a false IP address (192.168.xxx.1) and one route to the HQ's Juniper internal network thru the other end of the Tunnel's IP address.
Tunnels run with basic encryption and shared keys to a new Juniper next to the IronPort server.
At the Juniper firewall next to the IronPort server 3 new virtual routers were created with one Tunnel each. These tunnels also have false IP addresses (192.168.xxx.2) and a default route to the other end of the tunnel's IP address (192.168.xxx.1).

Example:
From an Internet Linux site I opened an FTP session to the NAT IP in the UK and uploaded a 1Gb file, and everything was accepted at the UK's firewall, sent to HQ's firewall thru the tunnel and reached the testing FTP server, and all control traffic flowed back thru the tunnel.
Meanwhile, another FTP session was started from the same Linux site to the NAT IP in HQ and also uploaded another 1Gb file, and everything was accepted at HQ's firewall, sent to the server, and all control traffic flowed back thru HQ site's internet link.
All connections started in the testing FTP server to any internet site will follow the HQ's default gateway path and will never go thru the IPsec tunnels.

What made this possible:
Inbound and outbound interface of each session is stored into Stateful Inspection control tables at Juniper firewalls.
Once the inbound traffic is accepted from an interface, the outbound back traffic will always exit thru the same interface.

Current task:
Perform the same solution with Checkpoint using remote Juniper firewalls as tunnel peers.
[]'S
--
Antonio Costa
[EMAIL PROTECTED]
IT - Network and Security Analyst
CCSE PLus / CCNA
MCSE / LinuxAdmin
Odebrecht Engenharia e Construção
Matriz Villa Lobos - São Paulo/SP
Av. Nações Unidas 4777, 11o. Andar
Tel.: +55-11-3443-9813/9000
Fax.: +55-11-3443-9861
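The mechanism the post credits for the symmetric return path ("inbound and outbound interface of each session is stored into Stateful Inspection control tables") can be shown with a small routing model. The following is an added example, not code from the poster or from any Juniper or Check Point product: it compares plain destination-based routing with a session table that pins a reply to the interface its original packet came in on. All addresses (RFC 5737 documentation ranges and RFC 1918 space), interface names and ports are constructed for illustration.

```python
"""Toy model of session-pinned reply routing, as described in the post.

Constructed example: addresses (RFC 5737 documentation ranges and RFC 1918
space) and interface names are made up for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    iface_in: str  # interface the packet arrived on


class StatelessRouter:
    """Plain destination-based routing: every packet, including replies,
    follows the routing table, so replies to internet clients always leave
    via the default route (asymmetric with respect to the tunnel)."""

    def __init__(self, routes, default_iface):
        self.routes = [(ip_network(net), iface) for net, iface in routes]
        self.default_iface = default_iface

    def route_lookup(self, dst):
        # Longest-prefix match, falling back to the default interface.
        best = None
        for net, iface in self.routes:
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else self.default_iface

    def forward(self, pkt):
        return self.route_lookup(pkt.dst)


class StatefulRouter(StatelessRouter):
    """Adds a session table that remembers the ingress interface of the
    first packet of a session; reply packets are sent back out that
    interface instead of following the routing table."""

    def __init__(self, routes, default_iface):
        super().__init__(routes, default_iface)
        self.sessions = {}  # (src, dst, sport, dport) -> ingress interface

    def forward(self, pkt):
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if reverse in self.sessions:
            # Reply to an existing session: egress is the original ingress.
            return self.sessions[reverse]
        # New session (or more forward-direction packets): record where it
        # came in, then route normally.
        self.sessions.setdefault(key, pkt.iface_in)
        return self.route_lookup(pkt.dst)


# Routing table of the HQ-side box: internal servers via "lan", the UK
# tunnel's transit network via "tun_uk", everything else via HQ's internet link.
ROUTES = [("10.0.0.0/8", "lan"), ("192.168.1.0/30", "tun_uk")]
DEFAULT = "hq_inet"

CLIENT = "203.0.113.10"   # constructed internet client
SERVER = "10.1.1.25"      # constructed internal SMTP/FTP server
REMOTE = "198.51.100.5"   # constructed internet site the server connects to


def demo(router_cls):
    """Run the three cases from the post through one router model and return
    the egress interface chosen for each."""
    r = router_cls(ROUTES, DEFAULT)
    # 1. Connection entering via the UK border firewall and the tunnel.
    inbound = Packet(CLIENT, SERVER, 40000, 25, "tun_uk")
    # 2. The server's reply to that connection.
    reply = Packet(SERVER, CLIENT, 25, 40000, "lan")
    # 3. A server-initiated connection to an unrelated internet site.
    outbound = Packet(SERVER, REMOTE, 50000, 25, "lan")
    return {
        "inbound": r.forward(inbound),
        "reply": r.forward(reply),
        "outbound": r.forward(outbound),
    }


if __name__ == "__main__":
    print("stateless:", demo(StatelessRouter))
    print("stateful: ", demo(StatefulRouter))
```

With the stateless model the reply to the UK-entered connection leaves via "hq_inet", which is exactly the asymmetric path the post says static NAT alone cannot avoid; the stateful model returns it via "tun_uk" while the server-initiated connection still follows the default gateway, matching the three observed behaviours. Whether a given firewall product keeps the ingress interface in its connection table and honours it on the return path is the property to verify before attempting the same design on other equipment.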
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================