The rules should look like this:

Rule  Source          Dest            Action
--------------------------------------------
1     check           check           encrypt
      sonicwall-1     sonicwall-1
      sonicwall-2     sonicwall-2

2     encrypt-domain  encrypt-domain  encrypt
      sonicnet-1      sonicnet-1
      sonicnet-2      sonicnet-2

Note that both actions are "encrypt".  Also note that this will obviously
not work if you need to use different encryption schemes or data integrity
methods (we use the same for all remote sites, so it isn't an issue here).
If you're using hide mode NAT out to the internet you'll also need to add a
NAT rule in order to contact the remote networks from a machine in
encrypt-domain:

            Original                            Translated
Source      Dest        Service     Source      Dest        Service
--------------------------------------------------------------------
encdomain   sonicnet-1  any         original    original    original
            sonicnet-2

I have left the objects out of a group for ease of readability, but I would
expect a group to behave identically.

Hope that helps - good luck!

Dan Hitchcock
Network Engineer
425.456.3970
[EMAIL PROTECTED]
Xylo, Inc.
The work/life solution for corporate thought leaders
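To make the point about the hide-NAT exemption concrete, here is an added example (not part of the original post, and not Check Point's own matching code): a small Python first-match model of the two encrypt rules and the NAT table above. The object address ranges, the trailing outbound accept rule and the cleanup rule are constructed for illustration and are assumptions, not the poster's configuration. The model walks a packet through the rulebase on its original addresses, then through the NAT table, and reports whether the remote peer would still see a source inside the local encryption domain.

```python
"""Toy first-match model of a rulebase plus NAT table (added example).

Assumptions: object ranges below are constructed (TEST-NET / RFC 1918),
the rulebase matches on pre-NAT addresses, and hide NAT rewrites the
source to the gateway address before the packet reaches the tunnel.
"""
import ipaddress
from dataclasses import dataclass

# Constructed network objects (assumption; not the poster's real addresses).
OBJECTS = {
    "check":          ["192.0.2.1/32"],     # FW-1 gateway external address
    "encrypt-domain": ["10.1.0.0/16"],      # networks behind FW-1
    "sonicwall-1":    ["198.51.100.1/32"],  # remote gateway 1
    "sonicnet-1":     ["10.2.0.0/24"],      # private net behind sonicwall-1
    "sonicwall-2":    ["198.51.100.2/32"],  # remote gateway 2
    "sonicnet-2":     ["10.3.0.0/24"],      # private net behind sonicwall-2
    "any":            ["0.0.0.0/0"],
}


def member(obj_names, ip):
    """True if ip falls inside any of the named objects."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for name in obj_names for cidr in OBJECTS[name])


@dataclass
class Rule:
    src: list
    dst: list
    action: str


# Rules 1 and 2 as given in the post; rules 3 and 4 are constructed filler
# (ordinary outbound traffic and a cleanup rule) so the model has a full policy.
RULEBASE = [
    Rule(["check", "sonicwall-1", "sonicwall-2"],
         ["check", "sonicwall-1", "sonicwall-2"], "encrypt"),
    Rule(["encrypt-domain", "sonicnet-1", "sonicnet-2"],
         ["encrypt-domain", "sonicnet-1", "sonicnet-2"], "encrypt"),
    Rule(["encrypt-domain"], ["any"], "accept"),
    Rule(["any"], ["any"], "drop"),
]


@dataclass
class NatRule:
    src: list
    dst: list
    xlate_src: str  # "original" keeps the source; an object name hides behind it


# The exemption rule from the post must precede the hide-NAT rule.
NAT_WITH_EXEMPTION = [
    NatRule(["encrypt-domain"], ["sonicnet-1", "sonicnet-2"], "original"),
    NatRule(["encrypt-domain"], ["any"], "check"),
]
NAT_WITHOUT_EXEMPTION = NAT_WITH_EXEMPTION[1:]


def match_rule(src_ip, dst_ip):
    """First matching rule number and its action (None/drop if nothing matches)."""
    for number, rule in enumerate(RULEBASE, 1):
        if member(rule.src, src_ip) and member(rule.dst, dst_ip):
            return number, rule.action
    return None, "drop"


def translate(nat_table, src_ip, dst_ip):
    """Source address after the first matching NAT rule (unchanged if none)."""
    for rule in nat_table:
        if member(rule.src, src_ip) and member(rule.dst, dst_ip):
            if rule.xlate_src == "original":
                return src_ip
            return OBJECTS[rule.xlate_src][0].split("/")[0]
    return src_ip


def check_vpn_path(nat_table, src_ip, dst_ip):
    """Return (rule_no, action, translated_src, ok).

    ok is True only when an encrypt rule matched and NAT left the source
    untouched, so the peer sees an address it expects inside the tunnel.
    """
    number, action = match_rule(src_ip, dst_ip)
    xsrc = translate(nat_table, src_ip, dst_ip)
    return number, action, xsrc, action == "encrypt" and xsrc == src_ip


if __name__ == "__main__":
    for table, label in ((NAT_WITH_EXEMPTION, "with exemption"),
                         (NAT_WITHOUT_EXEMPTION, "without exemption")):
        print(label, check_vpn_path(table, "10.1.5.7", "10.2.0.9"))
```

Running it shows the failure mode the post warns about: with the exemption the host-to-host packet matches rule 2 and keeps its 10.1.x source; without it the same packet still matches rule 2 but leaves with the gateway's address as source, which the SonicWall side would not treat as encryption-domain traffic.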


-----Original Message-----
From: Pearrow, Mark [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 19, 2001 1:14 PM
To: 'Dan Hitchcock'
Subject: RE: [FW1] Nokia FW-1/VPN-1 and SonicWall TELE2 interoperability


Hi Dan,

Many thanks for your reply. So if you have two sonicwalls for example, you
need the following objects created to represent everything:

- Checkpoint firewall object ("check")
- Encryption domain object for behind the FW-1("encrypt-domain")

- Sonicwall workstation object 1 ("sonicwall-1")
- Sonicwall network 1 (private net behind sonicwall) ("sonicnet-1")

- Sonicwall workstation object 2 ("sonicwall-2")
- Sonicwall network 2 (private net behind sonicwall) ("sonicnet-2")

The sonicwall objects are configured to use IKE, 3DES with a pre-shared
secret. 

How do the two rules look exactly with regard to these objects? Like:

Rule  Source          Dest            Action
--------------------------------------------
1     check           sonicwall-1     accept
      sonicwall-1     check           accept

2     encrypt-domain  sonicnet-1      encrypt
      sonicnet-1      encrypt-domain  encrypt

Specifically, did you use a group to contain the sonicwall objects?

Thanks,

mjp


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================