Re: [FW-1] Hub and Spoke VPN
You did get the "answer" that HUB & SPOKE can be done with a router inside the firewall at the HUB site (see below). Assuming that this architecture works, here's what I'd try:

Firewall at each SPOKE site:

Rule 1
src: local_VPN_Domain (local network)
dst: HUB_VPN_Domain (A private network address that includes ALL SPOKE networks / NAT to IP of router at HUB site.

---This might work to get packet encrypted at SPOKE firewall, router to HUB firewall, decrypted at HUB firewall & routed to HUB router. HUB router could have a route to HUB internal networks, and a default route back to the firewall to route all other traffic.

Firewall at HUB site:

Rule 1
src: All_HUB_VPN_Domains
dst: All_HUB_VPN_Domains

All_HUB_Domains = group with network objects of ALL HUB and SPOKE networks

---This might work to get packet sent from HUB router to HUB firewall, encrypted at HUB firewall, routed to correct SPOKE firewall, decrypted at SPOKE firewall.

Alex

-----Original Message-----
From: JP [mailto:[email protected]]
Sent: Wednesday, January 30, 2002 9:55 PM
To: [email protected]
Subject: Re: [FW-1] Hub and Spoke VPN

The rules will be different and there are multiple central management consoles. Any thoughts on accomplishing my original objective?

-Jeff

-----Original Message-----
From: Peter Papadopoulos [mailto:[email protected]]
Sent: Thursday, January 31, 2002 10:58 AM
To: [email protected]
Subject: Re: [FW-1] Hub and Spoke VPN

Hub and spoke is the way to go, with a router at the hub to direct traffic to all the spokes. Traversing the fw twice to go from spoke to spoke could be considered bad, but life is easy for admin. I am currently managing a 6 spoke wheel like this.

Pete
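
Added example, not part of the thread or any poster's configuration: a small Python model of the two rules proposed above that traces a packet's hops and flags destinations the rules would not encrypt. The addressing plan, the site names and the functions `trace`, `owner` and `uncovered_spokes` are assumptions made for illustration; this is not Check Point syntax.

```python
import ipaddress as ip

# Constructed addressing plan (assumption, not from the thread).
HUB_INTERNAL = ip.ip_network("10.0.0.0/24")
SPOKES = {"spoke_a": ip.ip_network("10.0.1.0/24"),
          "spoke_b": ip.ip_network("10.0.2.0/24")}
# HUB_VPN_Domain as each spoke sees it: one private range covering hub and all spokes.
HUB_VPN_DOMAIN = ip.ip_network("10.0.0.0/16")
# Group on the hub firewall: network objects of all hub and spoke networks.
ALL_DOMAINS = [HUB_INTERNAL, *SPOKES.values()]


def owner(addr):
    """Name of the site whose network contains addr, or None."""
    if addr in HUB_INTERNAL:
        return "hub"
    return next((n for n, net in SPOKES.items() if addr in net), None)


def trace(src, dst):
    """Hops a packet takes under the two rules; raises if a rule does not match."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    site = owner(src)
    if site not in SPOKES:
        raise ValueError("source is not in a spoke VPN domain")
    if dst in SPOKES[site]:
        return [f"{site}: local delivery"]
    # Spoke rule 1: src local_VPN_Domain, dst HUB_VPN_Domain -> encrypt to hub.
    if dst not in HUB_VPN_DOMAIN:
        raise ValueError("destination outside HUB_VPN_Domain, not encrypted")
    hops = [f"{site} fw: encrypt", "hub fw: decrypt", "hub router"]
    if dst in HUB_INTERNAL:
        return hops + ["hub internal network"]
    # Router default route sends everything else back to the hub firewall.
    # Hub rule 1: src and dst both in the group -> encrypt to the owning spoke.
    if not all(any(a in n for n in ALL_DOMAINS) for a in (src, dst)):
        raise ValueError("hub rule 1 does not match, packet leaves unencrypted")
    peer = owner(dst)
    return hops + ["hub fw: encrypt", f"{peer} fw: decrypt"]


def uncovered_spokes():
    """Spoke networks that the spokes' HUB_VPN_Domain object fails to cover."""
    return [n for n, net in SPOKES.items() if not net.subnet_of(HUB_VPN_DOMAIN)]
```

A spoke-to-spoke trace shows the hub firewall twice, once decrypting and once encrypting, and an address inside the supernet that no network object covers fails the hub rule instead of being tunnelled.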