Firewall-1

Subject: [FW-1] exclude CP firewall from the encryption domain in VPN simplified mode
From: cisco4ng <cisco4ng AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Sun, 24 Sep 2006 05:23:33 -0700
LAN_A---(i)Pix(o)---Internet---(Ext)CP_FW(Int)---LAN_B
   
I have a site-to-site VPN between Cisco Pix and Checkpoint
Firewall NGx.  Traffic is encrypted between LAN_A
and LAN_B without any NAT translation.  Everything
is working properly.  I am using VPN simplified mode.
One of the requirements is that LAN_A must be able
to ping LAN_B and that the icmp traffic between LAN_A
and LAN_B must be encrypted via IPSec.
   
I also have a requirement from the customer that from the
Pix "outside" interface, the customer wants to be able
to ping the Checkpoint "External" interface and that
the icmp traffic will not be encrypted.  The problem is
that Checkpoint, by default, also includes the CP firewall
itself as part of the encryption domain.  Yes, the icmp
from the pix outside interface will arrive at the CP
External interface as "clear", but the CP expects this
traffic to be encrypted.
   
Well, I can exclude "icmp" from the VPN traffic, but
it also means that LAN_A will not be able to ping LAN_B.
With VPN "traditional" mode, the Checkpoint FW itself, by
default, is NOT part of the encryption domain, but in
simplified mode it is.  Is there a way to exclude the
Checkpoint itself from the encryption domain in NGx in
VPN "simplified" mode?
   
  Thanks.
  cisco4ng
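Added example (not part of the original post, and not Check Point or Cisco code): a small model of the encryption-domain matching the post describes, so the trade-off can be checked mechanically. The addresses are constructed for the diagram above; the Pix peer's domain is assumed (as a modelling choice to reproduce the behaviour the poster observed) to cover the Pix outside address, and the Check Point side's domain includes the gateway's own interfaces only in simplified mode. `should_encrypt` and `meets_requirements` are hypothetical helper names.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for the topology in the post (not taken from the page):
#   LAN_A---(i)Pix(o)---Internet---(Ext)CP_FW(Int)---LAN_B
LAN_A = ip_network("10.1.0.0/24")
LAN_B = ip_network("10.2.0.0/24")
PIX_OUTSIDE = ip_address("198.51.100.1")
CP_EXTERNAL = ip_address("203.0.113.1")
CP_INTERNAL = ip_address("10.2.0.254")

ICMP = 1  # IP protocol number for ICMP


def cp_vpn_domain(mode):
    """Encryption domain of the Check Point side of the tunnel.

    Per the post, simplified mode folds the gateway's own interface addresses
    into its domain, while traditional mode leaves them out.  Returned as a
    list of networks so hosts and subnets match uniformly."""
    domain = [LAN_B]
    if mode == "simplified":
        domain += [ip_network(str(CP_EXTERNAL)), ip_network(str(CP_INTERNAL))]
    elif mode != "traditional":
        raise ValueError(f"unknown VPN mode: {mode}")
    return domain


# The Pix peer's domain as the Check Point sees it.  Assumption made here to
# reproduce the behaviour in the post: it also covers the Pix outside address.
PIX_VPN_DOMAIN = [LAN_A, ip_network(str(PIX_OUTSIDE))]


def in_domain(addr, domain):
    return any(addr in net for net in domain)


def should_encrypt(src, dst, proto, mode, excluded_protos=frozenset()):
    """Decide whether the CP gateway expects src->dst to be IPsec-protected.

    Mirrors a site-to-site community match: one endpoint in each peer's
    encryption domain, unless the service was excluded from VPN traffic
    (the workaround the poster rejects because it also affects LAN_A->LAN_B)."""
    src, dst = ip_address(src), ip_address(dst)
    if proto in excluded_protos:
        return False
    cp_domain = cp_vpn_domain(mode)
    pix_to_cp = in_domain(src, PIX_VPN_DOMAIN) and in_domain(dst, cp_domain)
    cp_to_pix = in_domain(src, cp_domain) and in_domain(dst, PIX_VPN_DOMAIN)
    return pix_to_cp or cp_to_pix


def meets_requirements(mode, excluded_protos=frozenset()):
    """Evaluate the two customer requirements from the post for one setup.

    Returns (lan_a_to_lan_b_icmp_encrypted, outside_to_external_icmp_clear)."""
    lan_ping_encrypted = should_encrypt("10.1.0.10", "10.2.0.10", ICMP, mode, excluded_protos)
    gateway_ping_clear = not should_encrypt(PIX_OUTSIDE, CP_EXTERNAL, ICMP, mode, excluded_protos)
    return lan_ping_encrypted, gateway_ping_clear


if __name__ == "__main__":
    for label, mode, excl in [
        ("simplified, default", "simplified", frozenset()),
        ("simplified, icmp excluded", "simplified", frozenset({ICMP})),
        ("traditional", "traditional", frozenset()),
    ]:
        enc, clear = meets_requirements(mode, excl)
        print(f"{label:26s} LAN_A->LAN_B icmp encrypted: {enc!s:5s} "
              f"outside->External icmp clear: {clear}")
```

Running it shows the poster's dilemma: simplified mode meets the first requirement but not the second, excluding icmp flips both, and only a domain without the gateway's interfaces (traditional mode in this model) satisfies both.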


