[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [FW1] VPN tunnel using Nokia's IPSO?
Since this is how you configure a GRE type VPN using IPSO. Can anyone tell me there are any performace and security benefits in using a GRE VPN tunnel instead using Check Point VPN? Let say you have 16 remote site and they connecting to a central site. Also can you create a GRE VPN tunnel and just use the Check Point FW-1 to protect the Nokia from external attacks I spoke to a Nokia tech and he mentioned if you use IPSO based GRE VPN you should not install Check Point FW-1 on the same box. Is this true? Thanks -----Original Message----- From: Cardona, Alberto [mailto:[email protected]] Sent: Friday, July 27, 2001 9:02 AM To: 'Shashi Shekhar'; '[email protected]'; '[email protected]' Subject: RE: [FW1] VPN tunnel using Nokia's IPSO? What is that Tunnel link for under the Interfaces link? I clicked on it and It had some VPN parameters setting's. I know Nokia makes dedicated VPN appliances without Check Point. -----Original Message----- From: Shashi Shekhar [mailto:[email protected]] Sent: Thursday, July 26, 2001 8:59 PM To: [email protected] Subject: RE: [FW1] VPN tunnel using Nokia's IPSO? IPSO is just an OS, you use Check Point software to do VPN tunneling.. -----Original Message----- From: [email protected] [mailto:[email protected]]On Behalf Of Cardona, Alberto Sent: Thursday, July 26, 2001 12:05 PM To: '[email protected]'; [email protected] Subject: [FW1] VPN tunnel using Nokia's IPSO? On IPSO 3.3 does anyone know what the Tunnel url under the Interfaces url in Voyager is used for? Is this used for creating a VPN tunnel using IPSO operating system instead of Check Point? If so, what are the performance's compared to using FW-1 VPN setup Thanks AC -----Original Message----- From: Reed Mohn, Anders [mailto:[email protected]] Sent: Thursday, July 26, 2001 4:15 AM To: 'Don Leeper'; '[email protected]' Subject: RE: [FW1] spoofing In the anti-spoofing settings, you specify, for each FW-interface which addresses are allowed as sources and destinations on that specific interface. For instance, it would not be correct for a packet to have a source address from the 192.168.2.0 network if it comes from your internal network. Likewise, packets shouldn't enter your internal network from the outside, with source addresses from your internal network. So, putting together the anti-spoofing we get: 1. Using just the network addresses for each network (no NAT) DMZ: "This Net" Internal: "This Net" External: "Others" 2. Adding NAT, you must also allow the NAT addresses Create a group for each (non-external) interface, containing the valid addresses. Then use "Specific" to specify this group in the anti-spoofing settings. The groups must contain: DMZ: DMZ-network + public/NAT-addresses for the web and DNS servers. Internal: Internal network + public/NAT-addresses for the web-server. External: No group needed, still set to "Others". Cheers, Anders :) -----Original Message----- From: Don Leeper [mailto:[email protected]] Sent: 25. juli 2001 19:59 To: '[email protected]' Subject: [FW1] spoofing I was wondering if someone could give me your input on anti-spoofing. I have 3 interfaces on my FW: DMZ 192.168.2.1 External 63.64.1.1 Internal 192.168.1.1 I have a DNS server and web server sitting on the DMZ. Which needs to be open to the public. I have my email server and one web server on the Internal. They need to be accessible to the public as well. All addresses that are for the public are nated. Could someone tell me how you would set up the anti-spoofing on the FW that won't affect my setup but protect me? I noticed in my logs that someone was trying to get in using private addresses. Thanks for your help in advance. (I did look it up but I think its better to hear how others do it!) Kind of confusing.... Donnie Leeper ============================================================================ ==== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ============================================================================ ==== ============================================================================ ==== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ============================================================================ ==== ============================================================================ ==== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ============================================================================ ==== ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|