Firewall-1

Re: [FW-1] Design Question with Checkpoint

Subject: Re: [FW-1] Design Question with Checkpoint
From: Reinhard Stich <r.stich AT INTERNET-SECURITY DOT AT>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 25 May 2005 07:44:53 +0200
hi,

first of all: NAT is not a problem for an up-to-date VPN-client. there is a
feature "nat traversal" that makes VPN work. but you will need more ports
than only port 80 - so maybe you can allow <any> port from this guest-dmz.
the next thing is that the guest-network should not be the same IP as the
guest's company network. so don't use a 10.x.x.x IP - use a 172.16-32.x.x,
they are not that much in use. but still there is a chance that your guest
will use a 172-ip in his company network - then maybe his VPN-client is
able to deal with that, if not -> bad luck.

hope this helps
reinhard

At 02:02 25.05.2005, you wrote:
Hi Guys,

I had a design question which I wanted to run by you guys.

I wanted to create a VLAN for visitors and then have the checkpoint be
the gateway for the DMZ. With the appropriate rules in place, everything
seems to work for web browsing. Users are on DHCP on this vlan.

What do you do for users who need to connect to their company network
using IPSEC vpn clients? Everything I've read seems to make this task
quite difficult.

How have you handled this in your environment?


Cameron Kim


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

--
Reinhard Stich  ASSIST  R.Stich AT internet-security DOT at
Internet Security AG,      1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
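
The address-overlap problem raised in the reply above can be checked before a guest VLAN range is chosen. This is an added example, not part of the original thread: it flags a guest subnet that collides with remote corporate prefixes and picks a free /24 from the RFC 1918 block 172.16.0.0/12. The prefix list and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: prefixes that visitors' corporate VPNs are assumed to
# route. In practice this list is a best guess, since guests' networks are
# not known in advance.
KNOWN_REMOTE = ["10.0.0.0/8", "172.16.0.0/16", "172.17.4.0/22"]


def conflicts(guest_net, remote_nets):
    """Return the remote prefixes that overlap the guest VLAN subnet.

    Any overlap means the VPN client cannot tell local traffic from
    tunnelled traffic for those addresses.
    """
    guest = ipaddress.ip_network(guest_net)
    return [r for r in remote_nets if guest.overlaps(ipaddress.ip_network(r))]


def pick_guest_subnet(remote_nets, pool="172.16.0.0/12", prefixlen=24):
    """Return the first subnet of `pool` that overlaps none of remote_nets.

    Returns None when every candidate in the pool collides.
    """
    remotes = [ipaddress.ip_network(r) for r in remote_nets]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(r) for r in remotes):
            return str(cand)
    return None


if __name__ == "__main__":
    for guest in ("10.20.30.0/24", "172.17.5.0/24", "172.30.99.0/24"):
        hit = conflicts(guest, KNOWN_REMOTE)
        print(guest, "collides with", hit if hit else "nothing known")
    print("suggested guest subnet:", pick_guest_subnet(KNOWN_REMOTE))
```

A clean result only covers the prefixes listed; a guest whose company uses an unlisted range can still collide, as the reply notes.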
