Hello all, P.S. >> Mr. Reinhard Stich I was a Checkpoint student of
yours...Help! Please!
Need Site to Site VPN, allowing bidirectional traffic from 10.10.10.0/24
to 192.168.1.0/24, OR allowing from 10.10.10.0/24 to the
192.168.1.0/24's NATed Public 198.x.x.x/24.
Could the only way to accomplish this be to create routes via the UTM-1
GUI??
note: own and use two class C address spaces
Issue: Remote VPN sites (in Wired Mode) cannot access the DMZ's Private
Address space by name or IP. Tracker shows receive and accept of all
Remote VPN site traffic OK. DNS resolves DMZ to Private Address Space.
All works OK internally from users' public IPs to DMZs' private IPs.
Assuming NAT on FW for DMZ is working OK since folks accessing DMZ from
an external source get to DMZ via "real" Public IP. Remote VPN sites can
access both ClassC address spaces OK by IP. Remote VPN sites can access
ClassC#2 by name and IP OK. DMZ Servers (all with Private IP) cannot
access Remote VPN Sites (pings get no response), though Tracker shows
receive and accept of traffic. Tracker always shows receive and accept
for whatever service to whatever destination in the tunnel. No drops,
no rejects.
Environment:
Main Ofc: {FW 1} UTM-1 SecurePlatform Appliance
External- Public IP/24 ClassC#1
Internal- Public IP/24 ClassC#2 >> note all client machines behind {FW
1} have their own Public IP from this subnet
DMZ- Private IP/24 #1 >> NAT to Public IP/24 ClassC#1 (subnet of {FW 1}
External Interface)
DMZ servers all NAT to the Public IP ClassC#1 subnet.
Using Star Topology with {FW 1} as Center Gateway (don't want all
tunneled to each other, only to {FW 1})
Remote VPN Sites: {FW 2} All [EMAIL PROTECTED] 500U Appliances
All NAT from different 10.x.x.x /24 spaces to Internet using single
router IP
None have Public IP address space
Visually looks something like this:

LAN [197.x.x.x/24 (C#1)] & [198.x.x.x/24 (C#2)] ; DMZ [192.168.1.0/24 NATing to C#1] --- {FW 1} --- Internet --- Router w/Single Public IP --- {FW 2} --- 10.10.10.0/24
I've used everything I can think of and even had a real-deal Checkpoint
tech rep come out and look at our firewall. Now I have a third-party
vendor coming out tomorrow and I'm still no closer to at least
understanding why this won't work. Though I've at least been able to
figure out that routes will work, I'd rather have everything
accomplished through SmartDashboard rules and policies for ease of
administration and simplicity. I'm sure there are lots of people out
there doing the same thing... right?
Any insight will be MUCH appreciated.
Regards,
Kim Warden
=======================
Kim Warden
MPR Associates, Inc
320 King St
Alexandria, VA 22314
Ph: 703-519-0200
Fax: 703-519-0224
Direct: 703-519-0544
=======================
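Added example, not part of Kim's post or of any Check Point tool: a small model of the two things the post juggles, encryption domains and an ordered NAT rulebase, that follows one request and its reply across a site-to-site tunnel and reports whether the two legs match the tunnel and whether the initiator gets its reply from the address it sent to. The addresses are constructed documentation ranges standing in for the post's ClassC#1, ClassC#2, DMZ and remote site; the offset-based static NAT and the rule names are simplifications of my own, and the two rulebases are illustrations of a general failure mode (NAT rewriting a source inside the tunnel), not a diagnosis of this particular network.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed topology (documentation ranges, not the poster's real addresses).
C1 = ip_network("198.51.100.0/24")     # stand-in for public ClassC#1 (DMZ NATs here)
C2 = ip_network("203.0.113.0/24")      # stand-in for public ClassC#2 (internal clients)
DMZ = ip_network("192.168.1.0/24")     # private DMZ, as in the post
REMOTE = ip_network("10.10.10.0/24")   # one remote site, as in the post
ANY = ip_network("0.0.0.0/0")

CENTER_DOMAIN = [C1, C2, DMZ]   # encryption domain of the center gateway ({FW 1})
REMOTE_DOMAIN = [REMOTE]        # encryption domain of the remote gateway ({FW 2})


@dataclass
class NatRule:
    """One ordered static-NAT rule (hypothetical model). xlate_src=None means
    'do not translate', the usual way to exempt VPN traffic from NAT.
    Hosts map 1:1 by their offset inside the /24."""
    orig_src: IPv4Network
    orig_dst: IPv4Network
    xlate_src: Optional[IPv4Network]


def in_domain(addr: IPv4Address, domain: List[IPv4Network]) -> bool:
    return any(addr in net for net in domain)


def crosses_tunnel(src: IPv4Address, dst: IPv4Address) -> bool:
    """True if one endpoint sits in each encryption domain, i.e. the community
    would match the packet and encrypt it."""
    return (in_domain(src, CENTER_DOMAIN) and in_domain(dst, REMOTE_DOMAIN)) or \
           (in_domain(src, REMOTE_DOMAIN) and in_domain(dst, CENTER_DOMAIN))


def translate_src(src: IPv4Address, dst: IPv4Address, rules: List[NatRule]) -> IPv4Address:
    """Source NAT: the first matching rule wins, as in an ordered NAT rulebase."""
    for rule in rules:
        if src in rule.orig_src and dst in rule.orig_dst:
            if rule.xlate_src is None:
                return src
            offset = int(src) - int(rule.orig_src.network_address)
            return IPv4Address(int(rule.xlate_src.network_address) + offset)
    return src


def translate_dst(dst: IPv4Address, rules: List[NatRule]) -> IPv4Address:
    """Reverse leg of a static NAT: a packet addressed to a translated address
    is delivered to the original private host."""
    for rule in rules:
        if rule.xlate_src is not None and dst in rule.xlate_src:
            offset = int(dst) - int(rule.xlate_src.network_address)
            return IPv4Address(int(rule.orig_src.network_address) + offset)
    return dst


def check_flow(src: IPv4Address, dst: IPv4Address, rules: List[NatRule]) -> Dict[str, bool]:
    """Follow one request and its reply through NAT and the tunnel match.
    'consistent' is True only when the initiator receives the reply from the
    address it sent to, delivered to the address it sent from. A flow can be
    accepted and encrypted on both legs (what a log viewer shows) and still
    be inconsistent, which the initiating host experiences as no reply."""
    fwd_src = translate_src(src, dst, rules)
    fwd_dst = translate_dst(dst, rules)
    reply_src = translate_src(fwd_dst, fwd_src, rules)
    reply_dst = translate_dst(fwd_src, rules)
    return {
        "request_in_tunnel": crosses_tunnel(fwd_src, fwd_dst),
        "reply_in_tunnel": crosses_tunnel(reply_src, reply_dst),
        "consistent": reply_src == dst and reply_dst == src,
    }


# Rulebase 1: DMZ is translated to C#1 for every destination, VPN peers included.
NAT_EVERYWHERE = [NatRule(DMZ, ANY, C1)]
# Rulebase 2: an exemption rule placed first keeps DMZ<->remote traffic untranslated.
VPN_EXEMPT = [NatRule(DMZ, REMOTE, None), NatRule(DMZ, ANY, C1)]

if __name__ == "__main__":
    for name, rules in (("NAT everywhere", NAT_EVERYWHERE), ("VPN exempt", VPN_EXEMPT)):
        result = check_flow(ip_address("10.10.10.5"), ip_address("192.168.1.10"), rules)
        print(f"{name:15} remote -> DMZ: {result}")
```

Running it shows the point of the model: with the DMZ translated for every destination, a remote host's request to 192.168.1.10 is encrypted and accepted, the reply is also encrypted and accepted, yet it comes back from a 198.51.100.x address the remote host never spoke to; with the exemption rule first, the same flow is consistent on both legs. Both legs reporting "in tunnel" is exactly the case where a log viewer shows only accepts.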