Hi Simon/Kevin,
1) I cannot terminate IPSec on my 129.174.1.8 "External" interface with
this customer because this customer is coming to me from a "private"
Frame-relay cloud. Therefore, I had to terminate the IPSec on the DMZ
"External" interface.
2) VPN domain is the same as you specified in your reply. No difference
there.
3) The customer is also relying on my Nokia to access the Internet when
network traffic is not traversing the IPSec tunnel. In other words, he wants
his network 192.168.2.0/24 to get "hide" NAT to 129.174.1.8 when browsing
the Internet.
As I've said before, this is not my design to begin with, but I have to
support it, and it works, but I am afraid that this is something that neither
CP nor Nokia will support.
It was designed by a Cisco CCIE dude who is no longer with the company. I've
learned a very important lesson along the way: never let a CCIE design your
network. Most of them are so "cisco" centric that they often forget there
are other firewall vendors out there, such as Juniper and Checkpoint. Being a
CCIE Security myself, I know.
Very good discussion. Thanks.
Simon Kowallik <simon AT offlineprovider DOT de> wrote:
Hi cisco4ng,
routing between external interfaces works fine with unlimited licenses.
You can utilize multiple external interfaces on limited licensed modules
but not route between them. See skI2989
Your vpn setup is interesting. ;-)
Maybe consider the following configuration:
Interface / Antispoofing / Topology
Internet / external
Internal / internal / 192.168.1/24
dmz / internal / 192.168.2/24, 192.168.25/24
Configure your cisco router to establish an ipsec vpn with 129.174.1.8
instead of 192.168.1.1.
VPN domain of your cisco router is 192.168.25/24.
VPN domain of your checkpoint gw is 192.168.1/24.
If you need to encrypt traffic to your dmz network 192.168.2/24 from
various other vpn sites too, you could define a group with exclusion
(objects in 192.168.25/24 and 192.168.2/24, except 192.168.2.5).
Would like to hear feedback from you.
Regards,
Simon
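As an added illustration (not code from either poster), a small Python model of the proposed topology and VPN domains: it applies the anti-spoofing rule to a packet's source and ingress interface, and the "group with exclusion" semantics to decide which traffic the gateway would send into the tunnel. Interface roles, networks and the 192.168.2.5 exclusion are taken from the proposal above; the simplified anti-spoofing rules are an assumption about Check Point's behaviour, not a statement of it.

```python
import ipaddress

# Constructed model of the topology proposed above: each interface gets an
# anti-spoofing role and the networks declared behind it.
TOPOLOGY = {
    "external": {"role": "external", "nets": []},
    "internal": {"role": "internal", "nets": ["192.168.1.0/24"]},
    "dmz":      {"role": "internal", "nets": ["192.168.2.0/24", "192.168.25.0/24"]},
}

# VPN domains from the proposal. The Cisco side is a "group with exclusion":
# both networks around/behind the router, minus the router's own DMZ address,
# so packets to the peer itself (IKE/ESP) are not themselves tunnelled.
CHECKPOINT_DOMAIN = {"include": ["192.168.1.0/24"], "exclude": []}
CISCO_DOMAIN = {"include": ["192.168.25.0/24", "192.168.2.0/24"],
                "exclude": ["192.168.2.5/32"]}


def _nets(strs):
    return [ipaddress.ip_network(s) for s in strs]


def antispoof_allows(src, ingress):
    """Simplified anti-spoofing (assumed model): a packet on an 'internal'
    interface must come from that interface's declared networks; a packet on
    the 'external' interface must not claim an address that lives behind any
    internal interface."""
    ip = ipaddress.ip_address(src)
    iface = TOPOLOGY[ingress]
    if iface["role"] == "internal":
        return any(ip in n for n in _nets(iface["nets"]))
    internal_nets = [n for i in TOPOLOGY.values() if i["role"] == "internal"
                     for n in _nets(i["nets"])]
    return not any(ip in n for n in internal_nets)


def in_domain(addr, domain):
    """Group-with-exclusion membership: inside an included net, outside every excluded one."""
    ip = ipaddress.ip_address(addr)
    return (any(ip in n for n in _nets(domain["include"]))
            and not any(ip in n for n in _nets(domain["exclude"])))


def should_encrypt(src, dst):
    """Encrypt only when traffic crosses between the two VPN domains; anything
    else (e.g. DMZ-side hosts browsing the Internet via hide NAT) goes in clear."""
    return ((in_domain(src, CHECKPOINT_DOMAIN) and in_domain(dst, CISCO_DOMAIN)) or
            (in_domain(src, CISCO_DOMAIN) and in_domain(dst, CHECKPOINT_DOMAIN)))
```

Note that a source of 192.168.25.x arriving on dmz passes anti-spoofing only because 192.168.25/24 is declared in the dmz topology, which is the point of the proposed table.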
cisco4ng wrote:
> Hi Everyone,
>
> I think I posted this question a few months back but I don't think
> there were any replies, so hopefully someone has done this since
> then.
>
> Scenario:
> Nokia IP650 with External, Internal and DMZ interfaces
> IPSO: 3.7.1 build 024
> Checkpoint: NG with AI R55w and HFA_04
> Management Server: Provider-1 NG with AI R55w
> External: 129.174.1.8/24
> Internal: 192.168.1.1/24
> DMZ: 192.168.2.1/24
>
> I marked External interface as "External" in checkpoint
> topology and everything else as "Internal" and the firewall
> can do VPN with other firewalls on the Internet. That is
> not an issue.
>
> Now I have a device (Cisco Router) sitting on the DMZ network
> and behind the Cisco device is a network of 192.168.25.0/24.
> The External interface of the Cisco Router is 192.168.2.5/24.
> I would like to do site-to-site VPN between the IP650 and the
> Cisco device. The IPSec traffic will be between the "Internal"
> network behind the nokia (192.168.1.0/24) and the network
> behind the Cisco device (192.168.25.0/24). I also have another
> requirement that the network behind the Cisco device
> (192.168.25.0/24) will use the Nokia to go out to the Internet
> via "hide" NAT.
>
> Basically for the site-to-site VPN to work, I have to mark the
> DMZ interface in checkpoint topology as "EXTERNAL". Furthermore,
> I was able to "hide" NAT the network behind the Cisco device
> when browsing the Internet.
>
> However, this is very puzzling to me because I've been told by
> both Nokia and Checkpoint TACs that routing CAN NOT occur between
> two interfaces that are marked as "EXTERNAL" in Checkpoint topology
> due to security reasons. I was also told by various sources that
> with "unlimited" licenses, you CAN route between two "EXTERNAL"
> interfaces.
>
> What do you think?
>
> cisco4ng
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================