When you use the encryption such as below in the same rule

neta netb  encrypt
netb neta  encrypt

What happens is the fw will attempt to encrypt broadcast traffic to itself
and will fail, hence giving the "connected to same gateway error"

Separating this into two separate rules keeps this from happening. More of
an eyesore than anything.

Thomas Poole

-----Original Message-----
From: Jarmoc, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 29, 2000 2:05 PM
To: 'Frank Darden'; 'Peter Currall';
'[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: RE: [FW1] VPN Between Two Illegal Networks



I've only seen that message you're referring to when the encryption domains
overlap, but I may be mistaken.

-----Original Message-----
From: Frank Darden [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 29, 2000 12:05 PM
To: Jarmoc, Jeff; 'Peter Currall';
'[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: RE: [FW1] VPN Between Two Illegal Networks


It has been my understanding that if you do this with one rule, you'll get
the "Gateway connected to both endpoints" failures, but encryption will
still work.

Frank

-----Original Message-----
From: Jarmoc, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 29, 2000 12:26 PM
To: 'Peter Currall'; '[EMAIL PROTECTED]';
'[EMAIL PROTECTED]'
Subject: RE: [FW1] VPN Between Two Illegal Networks



Well, I meant that as one rule, not two..  my apologies if I wasn't clear.
Either way will work, though I'd prefer to keep my rulebase smaller.

-----Original Message-----
From: Peter Currall [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 29, 2000 10:51 AM
To: '[EMAIL PROTECTED]';
'[EMAIL PROTECTED]'
Subject: RE: [FW1] VPN Between Two Illegal Networks



I think that should be:

NetA to NetB    encrypt
NetB to NetA    encrypt

You also need to consider NAT on the firewall if you are using Hide Mode NAT
for your internal network clients (to surf the web):

Original packet                      Translated packet
Source    Dest      Service          Source                            Dest    Service
Net_Int   Net_Int   Any              =original                         orig.   orig.
net_int   any       any              (object you are hiding behind)    orig.   orig.

I'd recommend IKE as your encryption method for compatibility with other
firewalls.


-----Original Message-----
From: Jarmoc, Jeff [mailto:[EMAIL PROTECTED]]
Sent: 29 August 2000 16:11
To: 'Steve'; [EMAIL PROTECTED]
Subject: RE: [FW1] VPN Between Two Illegal Networks



That's pretty much the best reason to use VPNs in my opinion.  You'll have
to use some sort of NAT though.  If there aren't enough IPs in your routable
Class C, use Hide mode NAT. Here's what you need to do:

Set NetA's network object as FWmachineA's encryption domain
Set NetB's network object as FWmachineB's encryption domain
Make sure each firewall has encapsulation on (if necessary, depending on
what encryption scheme you're using)
Add an encrypt rule on each firewall as follows;
For FWMachine A
SOURCE    DEST      Action    Log
NetA      NetA      Encrypt   Whatever you want, Long
NetB      NetB

You'll still need to check the properties of your encryption action, and
your policy properties to make sure everything is set up right, but those
are the basic steps..  Check out http://www.phoneboy.com/fw1/encryption.html
for more detailed information.

Jeff Jarmoc - CCNA, MCSE
Network Analyst - Grubb & Ellis
847.753.7617
mailto:[EMAIL PROTECTED]
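An added example (not from this thread, not Check Point code) that lints a FireWall-1 style encrypt rule the way the thread discusses: it flags overlapping encryption domains, and it expands a single rule that lists both nets as source and destination to show the NetA->NetA and NetB->NetB pairs the local gateway would have to encrypt to itself. The gateway names are the thread's; the 10.x address ranges, the rule dictionaries and the function names are constructed assumptions.

```python
# Added lint for FW-1 style encrypt rules (constructed example, not from the
# thread). Network ranges below are sample RFC 1918 "illegal" addresses.
import ipaddress
from itertools import product

# Constructed encryption domains, one per gateway.
DOMAINS = {
    "FWmachineA": ipaddress.ip_network("10.1.0.0/16"),
    "FWmachineB": ipaddress.ip_network("10.2.0.0/16"),
}

def overlapping_domains(domains):
    """Return (gateway, gateway) pairs whose encryption domains overlap."""
    names = sorted(domains)
    return [(a, b) for a, b in product(names, names)
            if a < b and domains[a].overlaps(domains[b])]

def owning_gateway(net, domains):
    """Name of the gateway whose encryption domain contains net, else None."""
    for name, dom in domains.items():
        if net.subnet_of(dom):
            return name
    return None

def self_encrypt_pairs(rule, domains):
    """Expand the rule's source x destination lists and return the
    (src, dst) pairs that start and end inside the same gateway's domain:
    traffic that gateway would be asked to encrypt to itself."""
    bad = []
    for src, dst in product(rule["src"], rule["dst"]):
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        owner = owning_gateway(s, domains)
        if owner is not None and owner == owning_gateway(d, domains):
            bad.append((src, dst))
    return bad

# The single-rule form from the thread versus the split two-rule form.
ONE_RULE = {"src": ["10.1.0.0/16", "10.2.0.0/16"],
            "dst": ["10.1.0.0/16", "10.2.0.0/16"], "action": "encrypt"}
SPLIT_RULES = [
    {"src": ["10.1.0.0/16"], "dst": ["10.2.0.0/16"], "action": "encrypt"},
    {"src": ["10.2.0.0/16"], "dst": ["10.1.0.0/16"], "action": "encrypt"},
]

if __name__ == "__main__":
    print("overlapping domains:", overlapping_domains(DOMAINS))
    print("one rule, self pairs:", self_encrypt_pairs(ONE_RULE, DOMAINS))
    for r in SPLIT_RULES:
        print("split rule, self pairs:", self_encrypt_pairs(r, DOMAINS))
```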


-----Original Message-----
From: Steve [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 29, 2000 9:40 AM
To: [EMAIL PROTECTED]
Subject: [FW1] VPN Between Two Illegal Networks




Hi,

Is it possible to set up a VPN between two illegal internal networks that
routes across the Internet?

Example:

netA -- (le0) FWmachineA (le1) -- internet -- (le1) FWmachineB (le0) -- netB


Where:

netA is an illegal internal network
netB is an illegal internal network

FWmachineA le1 has a valid Class C IP address
FWmachineB le1 has a valid Class C IP address

With an encrypted VPN how does a host on netA route to a host on netB
(without using NAT - not enough class C addresses available)?

Cheers,

-Steve




============================================================================
====
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
============================================================================
====

