Firewall-1

Re: [FW-1] NGX VPNs

Subject: Re: [FW-1] NGX VPNs
From: MikeCC <mikecc AT ATREK DOT ORG>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 15 Feb 2006 10:09:32 -0800
Hello,

I just went through this.

You define the encryption properties at the Community level - I used Meshed
communities.  You'll notice there's no option there to set the timeouts based
on number of KBs, but Checkpoint will ignore any sent by Cisco.

You define the externally managed Cisco as an "Interoperable Device" and assign 
it an encryption domain.  You'll need to know what hosts or networks they need 
to use.

In regards to NAT: in the "VPN Advanced" settings you see a checkbox for
"Disable NAT in the VPN Community"; leave this unchecked if you want to
translate your internal addresses for the VPN connection.

Also, under "Tunnel Management" select the "Tunnel per host pair" option (that 
wording may be slightly different).
 
"The strength of the Constitution lies entirely in the determination of each 
citizen to defend it. Only if every single citizen feels duty bound to do his 
share in this defense are the constitutional rights secure." - Albert Einstein

----- Original Message ----
From: Shane Presley <shane.presley AT GMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Sent: Wednesday, February 15, 2006 12:53:50 PM
Subject: [FW-1] NGX VPNs

Hi Folks,

I need to create a VPN between our CheckPoint firewall and an
externally managed Cisco router.

Our current infrastructure is NGX management console and NG AI firewall.

I remember back in the early NG days, there was an Action called
encrypt, where you would specify the peer and encryption properties
per rule.

That now seems to be done using communities?  How would I set up the
object for this external router, and define its encryption realm?

Also on my end, we want to NAT the traffic before we send it through
the tunnel.  Is that just a regular NAT rule, and the firewall knows
to do the NAT first, before it creates the VPN?

Thanks
Shane

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================





