Re: [FW-1] Hub and Spoke VPN



You did get the "answer" that HUB & SPOKE can be done with a router inside
the firewall at the HUB site (see below). Assuming that this architecture
works, here's what I'd try:

Firewall at each SPOKE site:

Rule 1 src: local_VPN_Domain (local network)
         dst: HUB_VPN_Domain (A private network address that includes ALL
SPOKE networks / NAT to IP of router at HUB site.

---This might work to get packet encrypted at SPOKE firewall, routed to HUB
firewall, decrypted at HUB firewall & routed to HUB router. HUB router could
have a route to HUB internal networks, and a default route back to the
firewall to route all other traffic.

Firewall at HUB site:

Rule 1 src: All_HUB_VPN_Domains
         dst: All_HUB_VPN_Domains

All_HUB_Domains = group with network objects of ALL HUB and SPOKE networks

---This might work to get packet sent from HUB router to HUB firewall,
encrypted at HUB firewall, routed to correct SPOKE firewall, decrypted at
SPOKE firewall.

Alex



-----Original Message-----
From: JP [mailto:[email protected]]
Sent: Wednesday, January 30, 2002 9:55 PM
To: [email protected]
Subject: Re: [FW-1] Hub and Spoke VPN


The rules will be different and there are multiple central management
consoles. Any thoughts on accomplishing my original objective?

-Jeff


-----Original Message-----
From: Peter Papadopoulos [mailto:[email protected]]
Sent: Thursday, January 31, 2002 10:58 AM
To: [email protected]
Subject: Re: [FW-1] Hub and Spoke VPN


Hub and spoke is the way to go, with a router at the hub to direct traffic
to all the spokes.
Traversing the fw twice to go from spoke to spoke could be considered bad,
but life is easy for admin.

I am currently managing a 6 spoke wheel like this.

Pete

   All contents © 2004 Network Presence, LLC. All rights reserved.