Re: [FW-1] How do I define Encryption Domain of "ANY"

Subject: Re: [FW-1] How do I define Encryption Domain of "ANY"
From: Thorsten Behrens <thorsten.behrens AT INTEGRALIS DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 19 Nov 2004 09:47:29 -0500
Hi Joseph,

now that I am done laughing about this idea, I'll have to admit that's actually 
doable. It's an odd config, but it'll likely work. Not that I have personally 
tested a setup like this, mind you.

Assuming that you only have one (1) site-to-site VPN to worry about, this is 
what you'd do:

Create a simple group 'my-local-enc-domain', bung your LAN, DMZ, and whatever 
else you have on your site in there.

Create a group with exclusion 'cosine-enc-domain', make it to be "Any" with the 
Exception of "my-local-enc-domain". However --- see below for a better way of 
doing this!

Assign 'my-local-enc-domain' to your gateway or cluster object, and 
'cosine-enc-domain' to the Interoperable Device object you created for the 
cosine. You did use an Interoperable Device for the cosine, didn't you?

Now, one further issue will be NAT in this VPN. Typically, you have no-NAT 
rules something like this:

my-enc-domain  their-enc-domain Any Original Original Original
their-enc-domain  my-enc-domain Any Original Original Original

(Or use the "don't NAT this stuff" option in the VPN Community if using 
Simplified Mode, of course)

That doesn't work in this case, since 'their-enc-domain' is an exclusion group 
from "Any". You'd kill essentially all NAT this way. So, you'll have to 
actually use NAT for this VPN. Or - maybe you don't.

For there is, then, a better way of doing things. Assuming that the guys behind 
the Cosine device cook with water like everybody else, create a couple networks 
and a group:

network private-10.0-8 10.0.0.0 255.0.0.0
network private-172.16-12 172.16.0.0 255.240.0.0
network private-192.168-16 192.168.0.0 255.255.0.0
simple group rfc1918-nets private-10.0-8 private-172.16-12 private-192.168-16

Now define your 'cosine-enc-domain' to be Objects in "rfc1918-nets" except 
"my-local-enc-domain". This way, you can use No-NAT rules without screwing up 
NAT for public (Internet) addresses.


If you have more than one site-to-site VPN, this would still work, just that 
now you'd create an extra group 'all-enc-domains-except-cosine' which contains 
all the individual encryption domains of your firewall(s) and your partner 
firewall(s) with the exception of the cosine; and then choose 
"all-enc-domains-except-cosine" as your exclusion for the "cosine-enc-domain" 
exclusion group.

Regards

Thorsten Behrens
Senior Security Engineer
CCMSE CCSE+ CCNA CNE

INTEGRALIS
Your Trusted Security Partner

111 Founders Plaza
13th Floor
East Hartford, CT 06108
USA
Tel: +1 860 291 0851 x 2244
Fax: +1 860 291 0847
thorsten.behrens AT integralis DOT com

www.integralis.com



> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM]On Behalf Of Joseph
> CharlesWalcott
> Sent: Thursday, November 18, 2004 7:23 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] How do I define Encryption Domain of "ANY"
>
>
> Hello Guys.
>
> I am trying to configure my Check Point NG FP3 to do a
> site-to-site VPN
> with a Cosine device [similar in setup to a Cisco Pix].
>
> We tested everything and it works fine.  However because this device [
> the Cosine] will be routing traffic from many [probably over 40]
> different networks, and new networks will be added all the
> time, we want
> to set the encryption domain for the Cosine as "ANY" or "ALL"
> networks.
>
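The group arithmetic Thorsten describes (an exclusion group built from "Any" versus one built from the RFC 1918 networks, and the multi-VPN variant that excludes every other encryption domain) can be modelled outside the SmartDashboard to see why the no-NAT rules misbehave in the first case. The following is an added example, not code from the mail or from Check Point; it uses Python's standard `ipaddress` module, and the object names, the local encryption domain (10.1.0.0/16 plus 192.168.100.0/24), the partner network 172.16.5.0/24 and the sample hosts are all constructed for illustration.

```python
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def nets(*cidrs: str) -> List[Net]:
    """Build the member list of a 'simple group' from CIDR strings."""
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed sample objects (hypothetical addresses, not taken from the mail).
RFC1918_NETS = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ANY = nets("0.0.0.0/0")
MY_LOCAL_ENC_DOMAIN = nets("10.1.0.0/16", "192.168.100.0/24")  # LAN + DMZ


def exclusion_group(base: Iterable[Net], excluded: Iterable[Net]) -> List[Net]:
    """Model a Check Point 'group with exclusion': everything in `base`
    that is not covered by any network in `excluded`, as a CIDR list.
    Two CIDR blocks either nest or are disjoint, so every base network is
    either dropped, split around the hole, or kept unchanged."""
    result = list(base)
    for ex in excluded:
        remaining: List[Net] = []
        for net in result:
            if net.subnet_of(ex):
                continue                                    # fully covered: drop
            if ex.subnet_of(net):
                remaining.extend(net.address_exclude(ex))   # carve the hole out
            else:
                remaining.append(net)                       # disjoint: keep
        result = remaining
    return sorted(result)


def member(addr: str, group: Iterable[Net]) -> bool:
    """True if `addr` falls inside any network of the group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in group)


def no_nat_rule_matches(src: str, dst: str, my_domain: Iterable[Net],
                        their_domain: Iterable[Net]) -> bool:
    """Does the usual pair of no-NAT rules (mine -> theirs, theirs -> mine)
    match this flow? If it does, the packet leaves with its original address."""
    return (member(src, my_domain) and member(dst, their_domain)) or \
           (member(src, their_domain) and member(dst, my_domain))


# Variant 1: "Any" except my own encryption domain (the first suggestion).
NAIVE_COSINE_DOMAIN = exclusion_group(ANY, MY_LOCAL_ENC_DOMAIN)
# Variant 2: RFC 1918 space except my own encryption domain (the better way).
BETTER_COSINE_DOMAIN = exclusion_group(RFC1918_NETS, MY_LOCAL_ENC_DOMAIN)

# Multi-VPN variant: exclude every other encryption domain, not only mine.
PARTNER_B_ENC_DOMAIN = nets("172.16.5.0/24")
ALL_ENC_DOMAINS_EXCEPT_COSINE = MY_LOCAL_ENC_DOMAIN + PARTNER_B_ENC_DOMAIN
MULTI_COSINE_DOMAIN = exclusion_group(RFC1918_NETS, ALL_ENC_DOMAINS_EXCEPT_COSINE)


if __name__ == "__main__":
    lan_host, internet_host, cosine_host = "10.1.2.3", "203.0.113.7", "10.50.0.9"
    print("naive domain: LAN -> Internet hits the no-NAT rule:",
          no_nat_rule_matches(lan_host, internet_host,
                              MY_LOCAL_ENC_DOMAIN, NAIVE_COSINE_DOMAIN))
    print("rfc1918 domain: LAN -> Internet hits the no-NAT rule:",
          no_nat_rule_matches(lan_host, internet_host,
                              MY_LOCAL_ENC_DOMAIN, BETTER_COSINE_DOMAIN))
    print("rfc1918 domain: LAN -> net behind Cosine hits the no-NAT rule:",
          no_nat_rule_matches(lan_host, cosine_host,
                              MY_LOCAL_ENC_DOMAIN, BETTER_COSINE_DOMAIN))
    print("partner B address still in Cosine domain (multi-VPN variant):",
          member("172.16.5.9", MULTI_COSINE_DOMAIN))
```

With the "Any"-based group a LAN-to-Internet flow matches the no-NAT rule, which is exactly the "you'd kill essentially all NAT" effect; with the RFC 1918-based group the same flow falls through to the normal hide/static NAT rules while traffic to private networks behind the Cosine still goes unNATed. The multi-VPN group shows that the partner's 172.16.5.0/24 is no longer claimed by the Cosine domain once it is added to the exclusion list, so the two VPNs do not overlap.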

