Solved

1 LAN, 2 WAN, 2 firewalls, # vpn tunnels

Posted on 2006-06-26
859 Views
Last Modified: 2013-11-16
We have a Checkpoint Firewall1 connected to a DSL connection via a Cisco router.
We are in the process of installing a fiber connection and a new Checkpoint firewall.

We have about 20 VPN tunnels to different customers, and I would like to be able to move them, one at a time from the old firewall and DSL connection to the new firewall and fiber connection.

Is it possible to have 2 WANs and 2 firewalls connected to the same LAN and still control multiple VPN connections on each firewall?
Question by: sotea

5 Comments

Assisted Solution by ahoffmann (LVL 51, earned 166 total points), ID: 16982770
Yes, as long as these 2 WANs have unique IPs.

Assisted Solution by lrmoore (LVL 79, earned 166 total points), ID: 16983381
You may have an issue with routing on the LAN side. With 2 gateways now, which one is the default for the LAN? How are you going to control routing data when you move a network from FW1 to FW2?
It will be a challenge if the Checkpoint won't redirect packets, as a PIX firewall won't. You may need an internal router that will be the LAN gateway, where you can control individual route statements as you need to.

Accepted Solution by dbardbar (LVL 5, earned 168 total points), ID: 16987650
As lrmoore has said, routing would be an issue on the inside.

But I'd like to add that you also have an issue on the outside. If you do not have any control over the external GWs (at the customers), and you do not wish to change the configuration on their side, then you will need some smart routing on the outside as well. And even if the routing issue is OK, your GWs are still going to look very different to the external machine, IP-wise and authentication-wise (if using certificates).

If the external GWs are Check Point, you could try to use the version MEP methods, but honestly it would be a headache, and would require quite a bit of configuration on the external GWs if they are not managed by the same management as yours.

Assuming the external GWs are not managed by the same management machine as your internal firewalls, and assuming you can talk the external companies into performing changes on their side, then the simplest and safest thing I would suggest is putting up the new GW, giving it a different external IP, managing it from the same management, and defining for it the same encryption domain as the first one.
Then contact some of the external customers and tell them to create a new GW object (while keeping the old one), giving it the correct Enc.Dom. while nulling the Enc.Dom. of the old GW. This will allow you a very quick fall-back if the VPN tunnel with the new GW doesn't work.

As to the internal routing, you might consider RIM - Route Injection Mechanism. It basically means that the GW which has a VPN tunnel with an external GW will advertise to your internal routers that the remote encryption domain is now available via it. It is not easy to set up, but once it is up and running, it would allow you quick fall-back.

To sum it up - I'll repeat what lrmoore said. This would indeed be a challenge. I really doubt it is worth it. Personally, I would just try to make the new machine as identical to the first as possible (IPs, hostname, OS, versions, ...), copy the configuration from the old machine, perform some in-house tests, and then just swap the old and the new. If VPN works with one external peer, there is a very high chance it will work with all 20. If you see it doesn't work, you could quite quickly swap the machines again and try to understand what went wrong.
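The internal-routing approach both lrmoore and dbardbar describe (an internal router as the LAN default gateway, with a per-network static route swung to whichever firewall currently terminates each customer's tunnel) can be turned into a small migration plan. The following is an added example written for this page, not code from the thread or from Check Point: the gateway addresses, customer names and encryption-domain prefixes are constructed, the output targets Cisco IOS static routes (the `name` keyword on `ip route` is assumed available), and the conflict check flags the case where two customers' remote networks overlap, which no amount of routing can resolve.

```python
"""Per-tunnel static routes for moving VPN tunnels one at a time.

Added example, not from the original thread. Gateway addresses, customer
names and prefixes are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# (remote encryption-domain prefixes, firewall the tunnel currently lives on)
Tunnel = Tuple[List[str], str]

# Assumed LAN-side addresses of the two Check Point gateways.
GATEWAYS: Dict[str, str] = {
    "old": "10.1.1.1",  # old firewall on the DSL link
    "new": "10.1.1.2",  # new firewall on the fiber link
}

# Constructed sample: hypothetical customers and their encryption domains.
TUNNELS: Dict[str, Tunnel] = {
    "customer-a": (["192.168.10.0/24"], "old"),
    "customer-b": (["192.168.20.0/24", "192.168.21.0/24"], "new"),
    "customer-c": (["172.16.0.0/16"], "old"),
}


def check_conflicts(tunnels: Dict[str, Tunnel]) -> List[str]:
    """List problems that would make the routes ambiguous: unknown gateway
    names, malformed prefixes, and remote networks that overlap across two
    different customers (the router cannot tell which tunnel owns them)."""
    problems: List[str] = []
    nets = []  # (customer, ip_network)
    for name, (prefixes, gw) in tunnels.items():
        if gw not in GATEWAYS:
            problems.append(f"{name}: unknown gateway '{gw}'")
        for prefix in prefixes:
            try:
                nets.append((name, ipaddress.ip_network(prefix, strict=True)))
            except ValueError as exc:
                problems.append(f"{name}: bad prefix {prefix} ({exc})")
    for i, (owner1, net1) in enumerate(nets):
        for owner2, net2 in nets[i + 1:]:
            if owner1 != owner2 and net1.overlaps(net2):
                problems.append(f"{owner1} {net1} overlaps {owner2} {net2}")
    return problems


def ios_routes(tunnels: Dict[str, Tunnel], default: str = "old") -> List[str]:
    """Cisco IOS static routes for an internal router acting as LAN gateway.

    The default route stays on `default`; only remote networks whose tunnel
    has been moved to the other firewall get a more-specific route, so moving
    one customer adds a few routes and nothing else on the LAN changes.
    """
    problems = check_conflicts(tunnels)
    if problems:
        raise ValueError("fix before generating routes: " + "; ".join(problems))
    lines = [f"ip route 0.0.0.0 0.0.0.0 {GATEWAYS[default]}"]
    for name, (prefixes, gw) in sorted(tunnels.items()):
        if gw == default:
            continue  # already reached via the default route
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            lines.append(
                f"ip route {net.network_address} {net.netmask} {GATEWAYS[gw]} name {name}"
            )
    return lines


def rollback(routes: List[str]) -> List[str]:
    """Commands that remove the per-tunnel routes again (fast fall-back)."""
    return ["no " + r for r in routes if not r.startswith("ip route 0.0.0.0 0.0.0.0 ")]


def move(tunnels: Dict[str, Tunnel], name: str, to: str) -> Dict[str, Tunnel]:
    """Return a copy of the plan with one customer's tunnel on gateway `to`."""
    prefixes, _ = tunnels[name]
    updated = dict(tunnels)
    updated[name] = (list(prefixes), to)
    return updated


if __name__ == "__main__":
    before = ios_routes(TUNNELS)
    after = ios_routes(move(TUNNELS, "customer-a", "new"))
    added = [line for line in after if line not in before]
    print("! routes to add when customer-a moves to the new firewall")
    print("\n".join(added))
    print("! and to remove again if the tunnel fails on the new firewall")
    print("\n".join(rollback(added)))
```

Each migration step is then the small set of `ip route` lines for one customer, pushed to the internal router after that customer has repointed its tunnel; the matching `no ip route` lines are the fall-back dbardbar asks for. The overlap check matters because two customers whose encryption domains overlap cannot be told apart by destination on either the internal router or the firewall, whichever box terminates them.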

Expert Comment by dbardbar (LVL 5), ID: 16987658
"the version MEP methods" -> "the various MEP methods"

Author Comment by sotea (LVL 1), ID: 16999221
Hi all...

Thanks for sharing your thoughts!