[FW-1] Routing between two EXTERNAL interfaces

Subject: [FW-1] Routing between two EXTERNAL interfaces
From: cisco4ng <cisco4ng AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 10 Jul 2006 08:09:31 -0700
Hi Everyone,
   
  I think I posted this question a few months back, but I don't think
there were any replies, so hopefully someone has done this since
then.
   
  Scenario:
  Nokia IP650 with External, Internal and DMZ interfaces
  IPSO:              3.7.1 build 024
  Checkpoint:        NG with AI R55w and HFA_04
  Management Server: Provider-1 NG with AI R55w
  External:          129.174.1.8/24
  Internal:          192.168.1.1/24
  DMZ:               192.168.2.1/24
  
I marked External interface as "External" in checkpoint
topology and everything else as "Internal" and the firewall
can do VPN with other firewalls on the Internet.  That is
not an issue.
   
  Now I have a device (Cisco Router) sitting on the DMZ network
and behind the Cisco device is a network of 192.168.25.0/24.
The External interface of the Cisco Router is 192.168.2.5/24.
  I would like to do site-to-site VPN between the IP650 and the
Cisco device.  The IPSec traffic will be between the "Internal"
network behind the nokia (192.168.1.0/24) and the network
behind the Cisco device (192.168.25.0/24). I also have another
requirement: the network behind the Cisco device
(192.168.25.0/24) will use the Nokia to go out to the Internet
via "hide" NAT.
   
  Basically for the site-to-site VPN to work, I have to mark the
DMZ interface in checkpoint topology as "EXTERNAL".  Furthermore,
I was able to "hide" NAT the network behind the Cisco device
when browsing the Internet.
   
  However, this is very puzzling to me because I've been told by
both Nokia and Checkpoint TACs that routing CAN NOT occur between
two interfaces that are marked as "EXTERNAL" in Checkpoint topology
due to security reasons.  I was also told by various sources that
with "unlimited" licenses, you CAN route between two "EXTERNAL"
interfaces.
   
  What do you think?
   
  cisco4ng

                
---------------------------------
Do you Yahoo!?
 Everyone is raving about the  all-new Yahoo! Mail Beta.
                
---------------------------------
Talk is cheap. Use Yahoo! Messenger to make PC-to-Phone calls.  Great rates 
starting at 1¢/min.
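Added example, not part of the original post and not Check Point code: a simplified model of topology-based anti-spoofing, built from the addresses in the scenario above, to show why the marking of the DMZ interface matters for traffic arriving from the network behind the Cisco router. The model assumes the common rule that an "Internal" interface only accepts source addresses from the networks declared behind it, while an "External" interface accepts any source that is not a declared internal network. The interface names, the `build_gateway` and `anti_spoof_verdict` functions and the verdict strings are constructed for illustration; the real product's logic and licensing behaviour are outside what this example can show.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    """One gateway interface with its topology role and the networks declared behind it."""
    name: str
    role: str                                   # "External" or "Internal" (constructed roles)
    networks: list = field(default_factory=list)  # networks reachable behind this interface


def build_gateway(dmz_role, dmz_networks):
    """Build the three-interface gateway from the post, varying only the DMZ definition."""
    return [
        Interface("External", "External", [ipaddress.ip_network("129.174.1.0/24")]),
        Interface("Internal", "Internal", [ipaddress.ip_network("192.168.1.0/24")]),
        Interface("DMZ", dmz_role, [ipaddress.ip_network(n) for n in dmz_networks]),
    ]


def anti_spoof_verdict(gateway, ingress_name, src_ip):
    """Simplified topology anti-spoofing check (assumed model, not the vendor's code).

    Internal interface: source must belong to a network declared behind that interface.
    External interface: source must NOT belong to any declared internal network.
    """
    src = ipaddress.ip_address(src_ip)
    ingress = next(i for i in gateway if i.name == ingress_name)
    internal_nets = [n for i in gateway if i.role == "Internal" for n in i.networks]
    if ingress.role == "Internal":
        return "accept" if any(src in n for n in ingress.networks) else "drop-spoofed"
    return "drop-spoofed" if any(src in n for n in internal_nets) else "accept"


def compare_dmz_definitions(src_ip="192.168.25.7"):
    """Verdicts for a packet from the Cisco-side network arriving on the DMZ interface,
    under three DMZ definitions. Returns a dict keyed by definition name."""
    cases = {
        # DMZ marked Internal, only its directly connected network declared
        "internal-connected-only": build_gateway("Internal", ["192.168.2.0/24"]),
        # DMZ marked Internal, with the network behind the Cisco router declared as well
        "internal-with-cisco-net": build_gateway("Internal", ["192.168.2.0/24", "192.168.25.0/24"]),
        # DMZ marked External, as the poster ended up doing
        "external": build_gateway("External", ["192.168.2.0/24"]),
    }
    return {name: anti_spoof_verdict(gw, "DMZ", src_ip) for name, gw in cases.items()}


if __name__ == "__main__":
    for definition, verdict in compare_dmz_definitions().items():
        print(f"{definition:26s} -> {verdict}")
    # A packet claiming an internal source on the External interface is still dropped
    gw = build_gateway("External", ["192.168.2.0/24"])
    print("External iface, src 192.168.1.9 ->", anti_spoof_verdict(gw, "External", "192.168.1.9"))
```

The point of the comparison is that the model gives two ways to let 192.168.25.0/24 in on the DMZ interface: declare that network behind a DMZ kept as Internal, or mark the DMZ as External. The first keeps the stricter check (a packet on the DMZ claiming an internal source such as 192.168.1.9 is dropped either way, but a DMZ marked Internal also drops sources outside its declared networks), so it is the definition a defender would verify against the real topology settings before relying on an External marking.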

