Ryan, Kennedy wrote:
> Good Day,
>
> Our OWA server address falls within the VPN Gateway's (NG FP2) encryption
> domain, a Class B network address (e.g. 10.10.0.0/16).
> [...]
> We'd like to know how to get SecureClient to realize that traffic for this
> host (10.10.0.1/32) should not be encrypted, essentially creating an
> "exception" for this host from the encryption domain.
>
> We'd like to do this without having to create lots(!) of Class C network
> address objects for an encryption domain group.

You won't need lots of Class Cs. With that idio... ah... suboptimal
address for the OWA you can route around it with fewer subnets, namely the
8-14 networks listed below.

       10.10.128.0/17
       10.10.64.0/18
       10.10.32.0/19
       10.10.16.0/20
       10.10.8.0/21
       10.10.4.0/22
       10.10.2.0/23
       10.10.1.0/24
and probably (depending on your OWA's network)
       10.10.1.128/25
       10.10.1.64/26
       10.10.1.32/28
       10.10.1.16/29
       10.10.1.8/30
       10.10.1.4/31

But quite probably it would be much easier to move the OWA "out of the
way" and give it an IP address that does not block a complete class B
subnet from proper routing.


I once ran into a similar (inherited) situation on a firewall:
       DMZ     10.0.0.0/255
       inside  10.x.y.0/18
       outside remaining 10.*
       default route to internal
The routing table was quite a nightmare, so one practical network design
rule got ingrained into my memory:
       NEVER choose an IP address with a "0"
       that cannot be replaced by a "*"

Bye

Volker Tanger
IT-Security Consulting

--
discon gmbh
Wrangelstraße 100
D-10997 Berlin

fon    +49 30 6104-3307
fax    +49 30 6104-3461

[EMAIL PROTECTED]
http://www.discon.de/

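The carve-out that the reply above lists by hand can be computed and checked mechanically. What follows is an added example, not code from the original thread and not Check Point code; it uses only the Python standard library's ipaddress module and assumes the encryption domain and OWA host from the question (10.10.0.0/16 and 10.10.0.1/32). It also goes beyond the single /32 case: carve_out accepts any number of non-overlapping exception prefixes and merges adjacent leftovers back together, covers_exactly verifies that the resulting objects account for every address except the exceptions, and matching_block shows which object a client would match for a given destination (None meaning the traffic goes in the clear, which is what is wanted for the OWA). The function names and the constructed sample destinations are the example's own.

```python
from __future__ import annotations

import ipaddress
from typing import Iterable, Optional

# Added example, not Check Point code. Values are the ones from the question
# in this thread: a /16 encryption domain with one /32 host carved out.
DOMAIN = "10.10.0.0/16"
EXCEPTIONS = ["10.10.0.1/32"]


def carve_out(domain: str, exceptions: Iterable[str]) -> list[ipaddress.IPv4Network]:
    """Cover `domain` minus every prefix in `exceptions` with the fewest CIDR
    blocks. Carving one /32 out of a /n costs exactly (32 - n) blocks, which is
    why a /16 needs 16 network objects here rather than 256 Class C objects."""
    remaining = [ipaddress.ip_network(domain, strict=True)]
    for exc in exceptions:
        hole = ipaddress.ip_network(exc, strict=True)
        next_remaining: list[ipaddress.IPv4Network] = []
        for net in remaining:
            if net.subnet_of(hole):
                continue  # block lies entirely inside the exception: drop it
            if hole.subnet_of(net):
                # Split the block around the hole: yields the "sidecar" subnets
                # /n+1, /n+2, ..., /32 that do not contain the hole.
                next_remaining.extend(net.address_exclude(hole))
            else:
                next_remaining.append(net)  # untouched by this exception
        remaining = next_remaining
    # Merge neighbours that became adjacent again after several carve-outs,
    # then list big blocks first, the way the reply above lists them.
    merged = ipaddress.collapse_addresses(remaining)
    return sorted(merged, key=lambda n: (n.prefixlen, n.network_address))


def covers_exactly(domain: str, exceptions: Iterable[str],
                   blocks: list[ipaddress.IPv4Network]) -> bool:
    """True if `blocks` are disjoint, lie inside `domain`, touch none of the
    exceptions, and together account for every remaining address. Assumes the
    exception prefixes do not overlap each other."""
    dom = ipaddress.ip_network(domain)
    holes = [ipaddress.ip_network(e) for e in exceptions]
    if any(not b.subnet_of(dom) for b in blocks):
        return False
    for i, a in enumerate(blocks):
        if any(a.overlaps(b) for b in blocks[i + 1:]):
            return False
    if any(b.overlaps(h) for b in blocks for h in holes):
        return False
    carved = 0
    for h in holes:  # count only the part of each hole that is inside the domain
        if h.subnet_of(dom):
            carved += h.num_addresses
        elif dom.subnet_of(h):
            carved += dom.num_addresses
    return sum(b.num_addresses for b in blocks) == dom.num_addresses - carved


def matching_block(dst: str,
                   blocks: list[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Network]:
    """Which encryption-domain object a destination would hit. None means the
    client would send the traffic unencrypted, the desired outcome for the OWA."""
    addr = ipaddress.ip_address(dst)
    for net in blocks:
        if addr in net:
            return net
    return None


if __name__ == "__main__":
    blocks = carve_out(DOMAIN, EXCEPTIONS)
    for net in blocks:
        print(net)
    print("consistent:", covers_exactly(DOMAIN, EXCEPTIONS, blocks))
    # Constructed sample destinations: the OWA itself, its neighbour, a far host.
    for dst in ("10.10.0.1", "10.10.0.2", "10.10.200.5"):
        print(dst, "->", matching_block(dst, blocks) or "not encrypted")
```

For the /16 with a single /32 carved out this produces 16 objects, from 10.10.128.0/17 down to 10.10.0.2/31 plus 10.10.0.0/32; the eight small blocks all sit in 10.10.0.x, which is the part of the job worth checking by machine rather than by hand.
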
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================