Hi cisco4ng,
Routing between external interfaces works fine with unlimited licenses.
You can utilize multiple external interfaces on limited licensed modules
but not route between them. See skI2989
Your vpn setup is interesting. ;-)
Maybe you could consider the following configuration:
Interface / Antispoofing / Topology
Internet / external
Internal / internal / 192.168.1/24
dmz / internal / 192.168.2/24, 192.168.25/24
Configure your cisco router to establish an ipsec vpn with 129.174.1.8
instead of 192.168.1.1.
VPN domain of your cisco router is 192.168.25/24.
VPN domain of your checkpoint gw is 192.168.1/24.
If you need to encrypt traffic to your dmz network 192.168.2/24 from
other vpn sites too, you could define a group with exclusion
(objects in 192.168.25/24, 192.168.2/24 except 192.168.2.5).
Would like to hear feedback from you.
Regards,
Simon
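A small check for the VPN-domain layout proposed above, added here as an example (it is not Simon's code and not a Check Point tool); function names are my own, the addresses are the ones from the thread, and the "group with exclusion" is modelled as the include networks minus the excluded address:

```python
import ipaddress

def to_nets(items):
    # Accept strings or ipaddress network objects.
    return [ipaddress.ip_network(str(i)) for i in items]

def group_with_exclusion(include, exclude):
    """Model a Check Point 'group with exclusion': every address in
    `include` that is not in `exclude`, as a minimal list of subnets."""
    nets = to_nets(include)
    for ex in to_nets(exclude):
        remaining = []
        for n in nets:
            if n.subnet_of(ex):          # the whole network is excluded
                continue
            if ex.subnet_of(n):          # carve the hole out of n
                remaining.extend(n.address_exclude(ex))
            else:
                remaining.append(n)
        nets = remaining
    return sorted(ipaddress.collapse_addresses(nets))

def contains(nets, ip):
    ip = ipaddress.ip_address(ip)
    return any(ip in n for n in to_nets(nets))

def check_vpn_domains(local_domain, remote_domain, local_gw, remote_gw):
    """Return a list of findings; empty means the two encryption domains
    and the two peer addresses are consistent with each other."""
    findings = []
    local, remote = to_nets(local_domain), to_nets(remote_domain)
    for a in local:
        for b in remote:
            if a.overlaps(b):
                findings.append(f"local {a} overlaps remote {b}")
    # A peer's own address inside the other side's encryption domain means
    # the tunnel would have to protect the packets that carry the tunnel.
    if contains(local, remote_gw):
        findings.append(f"remote gateway {remote_gw} lies inside the local domain")
    if contains(remote, local_gw):
        findings.append(f"local gateway {local_gw} lies inside the remote domain")
    return findings

if __name__ == "__main__":
    # Check Point (129.174.1.8) to the Cisco on the DMZ (192.168.2.5).
    print(check_vpn_domains(["192.168.1.0/24"], ["192.168.25.0/24"],
                            "129.174.1.8", "192.168.2.5"))
    # DMZ objects for other sites, with the Cisco's address carved out.
    print(group_with_exclusion(["192.168.25.0/24", "192.168.2.0/24"],
                               ["192.168.2.5/32"]))
```

Putting 192.168.2/24 into the domain without the exclusion makes the check report the Cisco's address as part of the local domain.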
cisco4ng wrote:
> Hi Everyone,
>
> I think I posted this question a few months back but I don't think
> there were any replies so hopefully someone has done this since
> then.
>
> Scenario:
> Nokia IP650 with External, Internal and DMZ interfaces
> IPSO: 3.7.1 build 024
> Checkpoint: NG with AI R55w and HFA_04
> Management Server: Provider-1 NG with AI R55w
> External: 129.174.1.8/24
> Internal: 192.168.1.1/24
> DMZ: 192.168.2.1/24
>
> I marked External interface as "External" in checkpoint
> topology and everything else as "Internal" and the firewall
> can do VPN with other firewalls on the Internet. That is
> not an issue.
>
> Now I have a device (Cisco Router) sitting on the DMZ network
> and behind the Cisco device is a network of 192.168.25.0/24.
> The External interface of the Cisco Router is 192.168.2.5/24.
> I would like to do site-to-site VPN between the IP650 and the
> Cisco device. The IPSec traffic will be between the "Internal"
> network behind the nokia (192.168.1.0/24) and the network
> behind the Cisco device (192.168.25.0/24). I also have another
> requirement that the network behind the Cisco device
> (192.168.25.0/24) will use the Nokia to go out to the Internet
> via "hide" NAT.
>
> Basically for the site-to-site VPN to work, I have to mark the
> DMZ interface in checkpoint topology as "EXTERNAL". Furthermore,
> I was able to "hide" NAT the network behind the Cisco device
> when browsing the Internet.
>
> However, this is very puzzling to me because I've been told by
> both Nokia and Checkpoint TACs that routing CAN NOT occur between
> two interfaces that are marked as "EXTERNAL" in Checkpoint topology
> due to security reasons. I was also told by various sources that
> with "unlimited" licenses, you CAN route between two "EXTERNAL"
> interfaces.
>
> What do you think?
>
> cisco4ng
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================