RE: [fw-wiz] Remote Access via Checkpoint VPN
From: Orca (klrorca_at_hotmail.com)
Date: 08/21/04
- Previous message: Marcus J. Ranum: "Re: [fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?"
- In reply to: Desai, Ashish: "RE: [fw-wiz] Remote Access via Checkpoint VPN"
- Next in thread: Devdas Bhagat: "Re: [fw-wiz] Remote Access via Checkpoint VPN"
To: <firewall-wizards@honor.icsalabs.com>
Date: Fri, 20 Aug 2004 16:48:11 -0700
That is a bit harsh,
You can put a 10.X space towards the internet, it just won't do any good, as
nobody will route RFC1918 spaces.
That being said, judging from his notes there is a router providing NAT on the
"internet" side of his firewall, correct? If so you also need to set your
NAT static routes to allow the VPN through, which should be something like
TCP port 50 for IPSEC, UDP port 500 for IKE and TCP 264 for Checkpoint
topology download. There might be more, I have not used a Checkpoint for a
while, check the docs.
You will also have to do this for the firewall itself, to let it get to the
DMZ.
The versions of Checkpoint I used (again old) would not bind by any port but
the External, but they might have changed that. You can do this with a Cisco
box though.
-Steve
-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Desai,
Ashish
Sent: Wednesday, August 18, 2004 7:57 AM
To: Ludolph, Michel; firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] Remote Access via Checkpoint VPN
You might want to read this BEFORE you try anything this X!@#$!#$
http://www.faqs.org/faqs/cisco-networking-faq/section-24.html
You CANNOT expose 10.x address space to the Internet!!!!!
Ashish
-----Original Message-----
From: Ludolph, Michel [mailto:Michel.Ludolph@atosorigin.com]
Sent: Tuesday, August 17, 2004 4:52 AM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] Remote Access via Checkpoint VPN
Hello,
I have the following setup with Checkpoint FW-1:
Internet------10.x.x.x--FW--10.x.x.x----- Internal network
                        |
                        |
                        |
                   20.20.20.20 (DMZ)
Please note:
- the external FW-interface has a private IP-address (10.x.x.x).
- the DMZ FW-interface has a public IP-address (20.20.20.20 as an
example)
I would like to set up a VPN on the FW, to which a remote client can
connect via the Internet, using SecureClient. According to Checkpoint
documentation the VPN should bind to the FW-external interface. This is
the problem, my FW-external interface has a private IP-address, which is
not routable via the Internet. In order to make this work I would
like the VPN to bind to the DMZ-interface (20.20.20.20) instead of the
external interface.
Has anyone set up such a VPN and does it work or do you have any
suggestions?
Thanks for your help.
michelDOTludolphATatosoriginDOTcom
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards