[FW1] Gauntlet VPN through FW-1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Does anyone have any experience allowing Gauntlet VPN traffic to pass through Firewall-1 unobstructed?

The problem is thus: We have a 'partner' company who wants to utilise our connection to the internet (for a fee), and get rid of their own connection. So far we've been successful swapping MX pointers and mail-bagging for them, and providing Web proxy services (both fairly easy to implement), but we have a problem delivering their IPSec traffic.

The external interface of their Gauntlet firewall will be an RFC 1918 address in the 192.168.x.x range. We need to somehow NAT the traffic to them without breaking the tunnel (ESTD). I have a proxy arp set up on the external interface of our firewall for their VPN clients to connect to, and I am NATing that address to the external address of the Gauntlet firewall. I am getting the traffic and passing it on (it hits the router at the far end), but it doesn't seem to set up a tunnel. They are using IKE with ESP, so I didn't expect the NAT to have any effect - but I don't know enough about Gauntlet to know how that works (or doesn't).

Has anyone got any experience in setting up this kind of convoluted system? Unfortunately, I'm not likely to convince them to buy an IP330 to solve the problem...

Kind Regards,

Craig Little BSc, CPD, CPI, SCJP, CCSA, CCSE
Inter-Networking / Security Consultant
Shell Services International
Phone: +64 4 462 4661
Fax: +64 4 463 4060
Mobile: +64 21 37 5858
PGP Fingerprint F3CE 6EB2 6B1A 10EA E355 A157 8012 D53A 6AE5 962F
mailto:[email protected]
http://www.shellservices.com

By default attachments are compressed in WinZip format. If you cannot read them, please contact your Help Desk to have the WinZip utility installed. WinZip can be downloaded for free at http://www.winzip.com.

This e-mail message and attachments are confidential between the intended parties and may be subject to legal privilege. If you have received this e-mail in error, please advise the sender immediately and destroy the message and any attachments. If you are not the intended recipient you are notified that any use, distribution, amendment, copying or any action taken or omitted to be taken in reliance of this message or attachments is prohibited.

-----Original Message-----
From: Mark Ingles [mailto:[email protected]]
Sent: Wednesday, 6 September 2000 3:02 p.m.
To: Rajesh Bandar; [email protected]
Subject: Re: [FW1] Security question

If your web server is exploited, then the attacker will have unrestricted access to your internal network. A better solution would be to place the web server in a "public network" or DMZ where the evil Internet only has access to its http server, but the web server itself doesn't have any access to your internal network. This way, when your server is hacked, the attacker still has to go through the firewall to get to the internal network.

HTH

- Mark Ingles

At 10:02 PM 9/5/2000, Rajesh Bandar wrote:
>Hi All,
>
>I have a web server running on the internal network (172.16.0.6). I
>want to allow internet people to access the web server. So I am
>thinking to do NAT for the web server host and allow http service.
>Are there any security issues if I do that.
>
>I would appreciate any suggestions on this.
>
>Thanks,
>Rajesh.
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBObUdLIAS1Tpq5ZYvEQK1GACg0KLYCsGypURtDq0HTtSmA1EgFtgAoIVW
nDvVY8sggF4OLB4zm6KKs4lW
=Bzhv
-----END PGP SIGNATURE-----
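The DMZ argument Mark Ingles makes in the quoted reply can be checked mechanically. The following is an added example, not code from the thread or from Check Point: a tiny top-down, first-match rule-base evaluator with an implicit drop at the end (the semantics a FW-1 rule base follows), used to compare Rajesh's original design (web server on the internal LAN, reached via static NAT) with the same server moved into a DMZ. Only the address 172.16.0.6 comes from the thread; the DMZ range, the database host, the attacker address and the policies are constructed for the example.

```python
"""Added example: compare a NAT'd internal web server with a DMZ web server
under a first-match, implicit-drop rule base (the FW-1 evaluation model).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Union

Selector = Union[IPv4Network, IPv4Address]

# Constructed address plan. 172.16.0.6 is the only value taken from the thread.
INTERNAL = IPv4Network("172.16.0.0/16")
DMZ = IPv4Network("192.168.100.0/24")        # assumed DMZ segment
ANY = IPv4Network("0.0.0.0/0")
WEB_INTERNAL = IPv4Address("172.16.0.6")     # Rajesh's web server, on the LAN
WEB_DMZ = IPv4Address("192.168.100.10")      # assumed address after the move
DB_SERVER = IPv4Address("172.16.0.20")       # assumed internal database host
ATTACKER = IPv4Address("203.0.113.7")        # TEST-NET-3, constructed


@dataclass(frozen=True)
class Rule:
    src: Selector
    dst: Selector
    proto: str              # "tcp", "udp", ...
    dport: Optional[int]    # None means any destination port
    action: str             # "accept" or "drop"


def _covers(sel: Selector, addr: IPv4Address) -> bool:
    """A network selector matches by membership, a host selector by equality."""
    if isinstance(sel, IPv4Network):
        return addr in sel
    return addr == sel


def evaluate(rulebase: List[Rule], src: IPv4Address, dst: IPv4Address,
             proto: str, dport: int) -> str:
    """Top-down, first-match evaluation. Anything no rule matches is dropped,
    mirroring the implicit cleanup rule at the end of a FW-1 rule base."""
    for rule in rulebase:
        if (_covers(rule.src, src) and _covers(rule.dst, dst)
                and rule.proto == proto
                and (rule.dport is None or rule.dport == dport)):
            return rule.action
    return "drop"


# Policy A (Rajesh's design): the web server stays on the flat internal LAN.
# Hosts on the same LAN talk to each other without any firewall in the path;
# the LAN-to-LAN accept rule models that reachability.
FLAT_POLICY = [
    Rule(ANY, WEB_INTERNAL, "tcp", 80, "accept"),       # Internet -> web (NAT)
    Rule(INTERNAL, INTERNAL, "tcp", None, "accept"),    # any LAN host -> any LAN host
]

# Policy B (Mark's design): the web server lives in a DMZ. The Internet may
# reach it on HTTP only, and nothing permits the DMZ to initiate traffic
# toward the internal network.
DMZ_POLICY = [
    Rule(ANY, WEB_DMZ, "tcp", 80, "accept"),            # Internet -> DMZ web
    Rule(INTERNAL, WEB_DMZ, "tcp", 80, "accept"),       # staff may browse it too
    Rule(DMZ, INTERNAL, "tcp", None, "drop"),           # explicit DMZ -> LAN block
]


def public_http_allowed(policy: List[Rule], web_addr: IPv4Address) -> str:
    """Does an Internet client get HTTP to the web server? (Both designs: yes.)"""
    return evaluate(policy, ATTACKER, web_addr, "tcp", 80)


def compromised_server_reach(policy: List[Rule], web_addr: IPv4Address) -> str:
    """If the web server is taken over, can it open a connection to the
    internal database? This is the difference the reply is about."""
    return evaluate(policy, web_addr, DB_SERVER, "tcp", 1433)


def internet_to_lan(policy: List[Rule]) -> str:
    """Direct Internet -> internal database, which neither policy permits."""
    return evaluate(policy, ATTACKER, DB_SERVER, "tcp", 1433)


if __name__ == "__main__":
    for name, policy, web in (("flat LAN", FLAT_POLICY, WEB_INTERNAL),
                              ("DMZ", DMZ_POLICY, WEB_DMZ)):
        print(f"{name:8s} public HTTP: {public_http_allowed(policy, web)}, "
              f"compromised web -> DB: {compromised_server_reach(policy, web)}, "
              f"Internet -> DB: {internet_to_lan(policy)}")
```

Both policies expose HTTP to the Internet, so the user-visible service is identical. The difference shows up only after a compromise: in the flat design the web server is already inside, so its attempt to reach the database never crosses the firewall; in the DMZ design that same attempt hits an explicit drop (and would hit the implicit drop even without it), which is exactly the "still has to go through the firewall" property Mark describes.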