
List:       firewall-1
Subject:    Re: [FW-1] FW to FW VPN Question
From:       "O'Brien, James" <JOBrien () HUNTER ! COM>
Date:       2002-08-30 18:10:30

Put your site to site encryption rules at the beginning of the rulebase, and
make sure your default routes are set up properly.

-----Original Message-----
From: Morton, Matthew [mailto:mmorton@BALL.COM]
Sent: Friday, August 30, 2002 9:50 AM
To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Subject: [FW-1] FW to FW VPN Question

Hi all,
Question,
In a FW to FW vpn connecting as follows (LAN to LAN), how can I force all
traffic through the vpn tunnel... in other words, how do I avoid the local
default route taking precedence and routing encrypted traffic out the
local ISP connection?

Remote Office:  DSL connection to the internet and Checkpoint Firewall
(Local Default Route is the FW which defaults to the local DSL connection)
Central Office:   Several T1s to the internet  and Checkpoint Firewall
All FWs are running Checkpoint NG FP2 using the same internal address space
We can create a rule to encrypt all traffic (local encryption domain to
remote encryption domain) but local internet connections etc., still get
routed out the local DSL link. We don't want any split tunneling happening
at the remote site.   Is it possible to make the rulebase action happen
before the routing decision?
Any help is greatly appreciated.
Matt.
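The reply's point is that a Check Point rulebase is evaluated first-match, so an accept rule placed above the site-to-site encrypt rule catches the tunnel traffic first and lets it leave in the clear. The following is an added illustration, not code from the thread or from Check Point: a small first-match evaluator plus a shadowing check that flags encrypt rules sitting below a broader non-encrypt rule. The network ranges and rule names are constructed.

```python
import ipaddress

# Constructed model of a first-match rulebase; not Check Point's engine.
# A rule is (name, source network, destination network, action).
def make_rule(name, src, dst, action):
    return (name, ipaddress.ip_network(src), ipaddress.ip_network(dst), action)

def first_match(rules, src_ip, dst_ip):
    """Return (rule name, action) of the first rule matching the flow.
    No match falls through to the implicit drop, as a cleanup rule would."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return name, action
    return None, "drop"

def shadowed_encrypt_rules(rules):
    """Return (encrypt_rule, earlier_rule) pairs where an earlier non-encrypt
    rule overlaps the encrypt rule on both source and destination: part of
    the tunnel traffic would hit the earlier rule and never be encrypted."""
    found = []
    for i, (name, src, dst, action) in enumerate(rules):
        if action != "encrypt":
            continue
        for ename, esrc, edst, eaction in rules[:i]:
            if eaction != "encrypt" and src.overlaps(esrc) and dst.overlaps(edst):
                found.append((name, ename))
    return found

# Constructed sample: remote office LAN 10.1.0.0/16, central office 10.2.0.0/16.
# BAD_ORDER puts a general "internet out" accept above the site-to-site rule.
BAD_ORDER = [
    make_rule("internet-out", "10.1.0.0/16", "0.0.0.0/0", "accept"),
    make_rule("site-to-site", "10.1.0.0/16", "10.2.0.0/16", "encrypt"),
]
# GOOD_ORDER follows the advice: encryption rule at the top of the rulebase.
GOOD_ORDER = [BAD_ORDER[1], BAD_ORDER[0]]

if __name__ == "__main__":
    for label, rules in (("bad", BAD_ORDER), ("good", GOOD_ORDER)):
        print(label, first_match(rules, "10.1.0.5", "10.2.0.9"),
              "shadowed:", shadowed_encrypt_rules(rules))
```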


