Subject: Re: [FW-1] VPN NAT configuration question
From: Julian Burton <jburton7 AT CSC DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 27 Apr 2004 11:56:43 +0100
I guess that the NAT is not going to be too much of a problem - just make
sure that your NAT rule for the site-to-site goes above the general hide
rule for all other traffic.

What I don't understand is how they expect the return traffic to route
back to your external segment - surely your source NAT address should be
within your external subnet.
Good luck!

Julian Burton



----------------------------------------------------------------------------------------
This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery. NOTE: Regardless of content, this e-mail shall not operate to
bind CSC to any order or other contract unless pursuant to explicit
written agreement or government initiative expressly permitting the use of
e-mail for such purpose.
----------------------------------------------------------------------------------------





Jon Allingham <jallingham@LEAPSTONE.COM>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST
26/04/2004 17:06
Please respond to Mailing list for discussion of Firewall-1

        To:      FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
        cc:
        Subject: [FW-1] VPN NAT configuration question


I need to set up a site-to-site VPN with another company. The configuration
is different from what I usually do in that they require us to NAT our
sources to an IP address that they specify. Apparently this is for
several unavoidable reasons - this allows them to control their routing
in a fashion to meet their security policies and avoid any conflicts,
and their VPN device can't do this bidirectionally, so part of it has to be
done on my end.
I've never tried to configure something like this. Is it simply a matter
of going into the Address Translation tab and setting the translated
packet source address in the outbound direction to the specified NAT
address?
Since I set my NAT address in general for outgoing traffic on the
network object representing all my internal networks and not on the
firewall object, I presume I can't just create a new network object for
this with a NAT setting since that would interfere with my normal NAT.
Anything else I need to worry about when configuring this?
This is with CP NG-AI R55 on Solaris. I don't know what the other end
is; it wasn't one I had ever heard of.
FWIW, the VPN parameters are expected to be 3DES with MD5.
--
Jon Allingham
Leapstone Systems
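The two points in Julian's reply above (put the site-to-site NAT rule above the general hide rule, and keep the translated source inside the external subnet so return traffic can route back), as an added example that is not from the thread and not Check Point code: a small Python model of a first-match NAT rule base with constructed networks and addresses. The rule names, the 10.1.0.0/16 internal net, the 198.51.100.0/24 partner net, the 203.0.113.0/24 external subnet and the translated addresses are all assumptions chosen for illustration.

```python
"""Constructed model of first-match NAT rule ordering for a site-to-site VPN.

Not Check Point code. Rule shapes, networks and addresses are assumptions
chosen to illustrate the ordering and return-route points from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_src: str               # original source network (CIDR)
    orig_dst: str               # original destination network (CIDR)
    xlate_src: Optional[str]    # translated source address; None = no translation

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.orig_src)
                and ip_address(dst) in ip_network(self.orig_dst))


def translate_source(rules: List[NatRule], src: str, dst: str) -> Tuple[Optional[str], str]:
    """Walk the rule base top-down; the first matching rule decides the
    translated source, exactly the behaviour that makes ordering matter."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.name, (rule.xlate_src or src)
    return None, src


def shadowed_rules(rules: List[NatRule]) -> List[str]:
    """Names of rules that can never match because an earlier rule already
    covers their entire source and destination range (a general hide rule
    placed above a specific VPN rule shadows it)."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.orig_src).subnet_of(ip_network(earlier.orig_src))
                    and ip_network(later.orig_dst).subnet_of(ip_network(earlier.orig_dst))):
                shadowed.append(later.name)
                break
    return shadowed


def nat_address_routable(xlate_src: str, external_subnet: str) -> bool:
    """Return-route sanity check: a translated source that is not inside the
    gateway's external subnet leaves the peer with no route back to it."""
    return ip_address(xlate_src) in ip_network(external_subnet)


# Constructed sample topology (documentation address ranges, not real sites).
INTERNAL = "10.1.0.0/16"        # our internal networks, hide-NATed as a group
PARTNER = "198.51.100.0/24"     # partner network reached through the VPN
EXTERNAL = "203.0.113.0/24"     # our external (Internet-facing) subnet
PARTNER_NAT = "203.0.113.50"    # address the partner asks us to NAT to
HIDE_ADDR = "203.0.113.1"       # general hide address for everything else

VPN_RULE = NatRule("vpn-to-partner", INTERNAL, PARTNER, PARTNER_NAT)
HIDE_RULE = NatRule("general-hide", INTERNAL, "0.0.0.0/0", HIDE_ADDR)

CORRECT_ORDER = [VPN_RULE, HIDE_RULE]   # specific rule first, as advised
WRONG_ORDER = [HIDE_RULE, VPN_RULE]     # hide rule first: VPN rule is dead


if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        name, xlated = translate_source(rules, "10.1.2.3", "198.51.100.7")
        print(f"{label}: partner-bound packet hits {name}, source -> {xlated}; "
              f"shadowed: {shadowed_rules(rules)}")
    for addr in (PARTNER_NAT, "192.0.2.9"):
        print(f"{addr} routable via {EXTERNAL}: {nat_address_routable(addr, EXTERNAL)}")
```

With the rules in the advised order, a packet from 10.1.2.3 to the partner picks up the partner-specified source, while traffic to any other destination falls through to the hide rule; with the hide rule on top, the VPN rule is reported as shadowed and never fires. The last check flags a translated address outside 203.0.113.0/24, which is the routing problem Julian raises.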



