Firewall Wizards mailing list archives
network design problem with FW-1
From: Bret Watson <lists () ticm com>
Date: Fri, 17 May 2002 10:05:04 +0800
Hi All, got an interesting design problem. Gut instinct says it should work, but Checkpoint assures me it won't - I'd like a second opinion :}...
OK, there is a branch office that is connected back to the head office via an un-partitioned WAN (i.e. the WAN is directly connected to the HQ LAN and the branch office LAN). The branch office is also connected to the internet. The IT dept want to enable a VPN tunnel from the branch office to the HQ over the internet because the bandwidth is cheaper. But they want to keep the WAN connection for redundancy. Security wants to partition the WAN at the branch office end, because this particular branch office is prone to doing insecure things without telling anyone - the branch office is a 13 hour flight away so it's not so easy to find out...
SO this is what the branch office FW would look like:

                    VPN via Internet to HQ
                              |
    WAN to HQ-----------------FW
                              |
                    Branch Office LAN

BUT - FW-1 does not seem to be able to have a rule for the VPN tunnel at the same time as a rule for the office LAN to the HQ connection. Apparently the reason is that both src & dst entries will be the same and FW-1 cannot differentiate between the two. Since the VPN side needs to have "Encrypt" on the rule it all falls down...
Any advice?

Thanks,
Bret

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
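To make the collision Bret describes concrete, here is an added example that is not part of the original post and is not FW-1's own matching code: a generic first-match rule evaluator over constructed address ranges (the 10.1.0.0/16 and 10.2.0.0/16 networks are assumptions for illustration). It shows why two rules whose src and dst are identical cannot coexist in a first-match rule base: whichever is listed first matches every packet, and the other is shadowed. Listing the Accept (WAN) rule first means the Encrypt (VPN) rule is never reached; listing Encrypt first means the WAN path never carries traffic.

```python
from ipaddress import ip_address, ip_network

# Constructed example networks; these are assumptions, not from the original post.
HQ_LAN = ip_network("10.1.0.0/16")
BRANCH_LAN = ip_network("10.2.0.0/16")

# Rule tuples: (name, src_network, dst_network, action). Both rules have the
# same src and dst, which is exactly the situation described in the post.
RULES_WAN_FIRST = [
    ("wan-to-hq", BRANCH_LAN, HQ_LAN, "accept"),   # plain WAN path
    ("vpn-to-hq", BRANCH_LAN, HQ_LAN, "encrypt"),  # VPN over the internet
]
RULES_VPN_FIRST = list(reversed(RULES_WAN_FIRST))


def first_match(rules, src, dst):
    """Generic top-down, first-match evaluation: return (rule_name, action)
    for the first rule whose src/dst contain the packet, or (None, 'drop')."""
    s, d = ip_address(src), ip_address(dst)
    for name, src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return name, action
    return None, "drop"


def shadowed_rules(rules):
    """Names of rules that can never be hit because an earlier rule's
    src and dst are the same or wider (so it catches every packet first)."""
    shadowed = []
    for i, (name, src_net, dst_net, _action) in enumerate(rules):
        for _n, earlier_src, earlier_dst, _a in rules[:i]:
            if src_net.subnet_of(earlier_src) and dst_net.subnet_of(earlier_dst):
                shadowed.append(name)
                break
    return shadowed


def route_summary(rules, src="10.2.5.5", dst="10.1.1.1"):
    """Which rule a sample branch->HQ packet hits, and which rules are dead."""
    name, action = first_match(rules, src, dst)
    return {"hit": name, "action": action, "shadowed": shadowed_rules(rules)}


if __name__ == "__main__":
    # With identical src/dst, order decides everything and one rule is always dead.
    print("WAN rule first:", route_summary(RULES_WAN_FIRST))
    print("VPN rule first:", route_summary(RULES_VPN_FIRST))
```

The evaluator is deliberately minimal: it only models src/dst matching, which is the point at issue in the post. Anything that would let the two rules be told apart (a distinct address range or a different matching dimension) is outside what the post describes, so the example stops at demonstrating the shadowing.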