Solved

1 LAN, 2 WAN, 2 firewalls, # vpn tunnels

Posted on 2006-06-26
5
863 Views
Last Modified: 2013-11-16
We have a Checkpoint Firewall1 connected a DSL connection via a Cisco router.
We are in the process of installing a fiber connection and a new Checkpoint firewall.

We have about 20 VPN tunnels to different customers, and I would like to be able to move them, one at a time from the old firewall and DSL connection to the new firewall and fiber connection.

Is it possible to have 2 WAN and 2 Firewalls connected to the same LAN and still control multiple VPN connections on each firewall?



Question by:sotea
5 Comments
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 166 total points
ID: 16982770
yes as long as these 2 WANs have unique IPs
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 166 total points
ID: 16983381
You may have an issue with routing on the LAN side. With 2 gateways now, which one is the default for the LAN? How are you going to control routing data when you move a network from FW1 to FW2?
It will be a challenge if the Checkpoint won't redirect packets like a PIX firewall won't. You may need an internal router that will be the LAN gateway where you can control individual route statements as you need to.
0
 
LVL 5

Accepted Solution

by:
dbardbar earned 168 total points
ID: 16987650
As lrmoore has said, routing would be an issue on the inside.

But, I'd like to add you also have an issue on the outside. If you do not have any control on the external GWs (in the customers), and you do not wish to change the configuration on their side, then you will need some smart routing also on the outside. And, even if the routing issue is OK, your GWs are still gonna look very different to the external machine, IP wise, and authentication wise (if using certificates).

If the external GWs are Check Point, you could try to use the version MEP methods, but honestly it would be a headache, and would require quite a bit of configuration on the external GWs, if they are not managed by the same management as yours.

Assuming the external GWs are not managed by the same management machine as your internal Firewalls, and assuming you can talk the external companies into performing changes on their side, then the simplest and safest thing I would suggest, is putting the same the new GW, giving it a different external IP, and manage it from the same management, defining for it the same encryption domain as the first one.
Then, contact some of the external customers, and tell them to create a new GW object (while keeping the old one), and giving it the correct Enc.Dom., while nulling the Enc.Dom of the old GW. This will allow you a very quick fall-back if the VPN tunnel with the new GW doesn't work.

As to the internal routing, you might consider RIM - Routing Injection Mechanism. It basically means that the GW which has a VPN tunnel with an external GW will advertise to your internal routers that the remote encryption domain is now available via it. It is not easy to set-up, but once it is up and running, it would allow you quick fall-back.

To sum it up - I'll repeat what lrmoore said. This would indeed be a challenge. I really doubt it is worth it. Personally, I would just try to make the new machine as identical to the first as possible (IPs, hostname, OS, versions, ...), copy the configuration from the old machine, perform some in-house tests, and then just swap the old and the new. If VPN will work with one external peer, very high chances it will work with all 20. If you see it doesn't work, you could quite quickly swap the machines again, and try to understand what went wrong.
0
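An added simulation (not code from this thread or from Check Point) of the two ideas in the accepted answer: RIM-style route injection, where the internal router's next hop for each remote encryption domain follows whichever gateway currently has that tunnel up, and moving one customer at a time by bringing the tunnel up on the new gateway before tearing it down on the old one. Gateway names, LAN addresses and customer prefixes are constructed sample data.

```python
"""Route injection for one LAN behind two VPN gateways (added simulation).

Models the RIM idea from the thread: the gateway whose tunnel to a remote
encryption domain is up advertises that prefix to the internal router, and a
tunnel is only dropped on the old gateway once it is confirmed up on the new.
Gateway names, LAN addresses and customer prefixes are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    lan_ip: str                                   # next hop as seen by the LAN router
    tunnels: dict = field(default_factory=dict)   # remote enc. domain -> "up" / "down"


def inject_routes(gateways, preferred):
    """Return {remote_prefix: next_hop} for the internal router.

    For each remote encryption domain the first gateway in `preferred` whose
    tunnel is up wins; if only the other gateway has it up, traffic falls back
    to that one; if neither does, the prefix is withdrawn (no black-holing).
    """
    by_name = {g.name: g for g in gateways}
    routes = {}
    for domain in sorted({d for g in gateways for d in g.tunnels}):
        prefix = str(ipaddress.ip_network(domain, strict=True))
        for name in preferred:
            if by_name[name].tunnels.get(domain) == "up":
                routes[prefix] = by_name[name].lan_ip
                break
    return routes


def migrate_tunnel(old, new, domain, tunnel_comes_up):
    """Move one customer's tunnel from `old` to `new`.

    `tunnel_comes_up(gateway, domain)` stands in for the real negotiation with
    the customer's peer. The old tunnel is torn down only once the new one is
    confirmed up, so a failed cut-over leaves the customer on the old path.
    """
    new.tunnels[domain] = "up" if tunnel_comes_up(new, domain) else "down"
    if new.tunnels[domain] == "up":
        old.tunnels[domain] = "down"  # config stays on old GW for quick fall-back
        return True
    return False
```

Run `inject_routes` again after each `migrate_tunnel` call to see which prefixes the internal router should now send to the new gateway and which still point at the old one.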
 
LVL 5

Expert Comment

by:dbardbar
ID: 16987658
"the version MEP methods" -> "the various MEP methods"
0
 
LVL 1

Author Comment

by:sotea
ID: 16999221
Hi all...

Thanks for sharing your thoughts!
0