Solved

1 LAN, 2 WAN, 2 firewalls, # vpn tunnels

Posted on 2006-06-26
Last Modified: 2013-11-16
We have a Checkpoint Firewall1 connected to a DSL connection via a Cisco router.
We are in the process of installing a fiber connection and a new Checkpoint firewall.

We have about 20 VPN tunnels to different customers, and I would like to be able to move them, one at a time from the old firewall and DSL connection to the new firewall and fiber connection.

Is it possible to have 2 WANs and 2 firewalls connected to the same LAN and still control multiple VPN connections on each firewall?



Question by:sotea
5 Comments
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 498 total points
ID: 16982770
Yes, as long as these 2 WANs have unique IPs.
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 498 total points
ID: 16983381
You may have an issue with routing on the LAN side. With 2 gateways now, which one is the default for the LAN? How are you going to control routing data when you move a network from FW1 to FW2?
It will be a challenge if the Checkpoint won't redirect packets, as a PIX firewall won't. You may need an internal router that will be the LAN gateway, where you can control individual route statements as you need to.
 
LVL 5

Accepted Solution

by:dbardbar
dbardbar earned 504 total points
ID: 16987650
As lrmoore has said, routing would be an issue on the inside.

But I'd like to add that you also have an issue on the outside. If you do not have any control over the external GWs (at the customers), and you do not wish to change the configuration on their side, then you will need some smart routing on the outside as well. And even if the routing issue is OK, your GWs are still going to look very different to the external machine, IP-wise and authentication-wise (if using certificates).

If the external GWs are Check Point, you could try to use the version MEP methods, but honestly it would be a headache, and would require quite a bit of configuration on the external GWs if they are not managed by the same management as yours.

Assuming the external GWs are not managed by the same management machine as your internal firewalls, and assuming you can talk the external companies into performing changes on their side, then the simplest and safest thing I would suggest is putting in the new GW, giving it a different external IP, managing it from the same management, and defining for it the same encryption domain as the first one.
Then contact some of the external customers and tell them to create a new GW object (while keeping the old one), giving it the correct Enc.Dom. while nulling the Enc.Dom. of the old GW. This will allow you a very quick fall-back if the VPN tunnel with the new GW doesn't work.

As to the internal routing, you might consider RIM - Routing Injection Mechanism. It basically means that the GW which has a VPN tunnel with an external GW will advertise to your internal routers that the remote encryption domain is now available via it. It is not easy to set up, but once it is up and running, it would allow you a quick fall-back.

To sum it up, I'll repeat what lrmoore said. This would indeed be a challenge. I really doubt it is worth it. Personally, I would just try to make the new machine as identical to the first as possible (IPs, hostname, OS, versions, ...), copy the configuration from the old machine, perform some in-house tests, and then just swap the old and the new. If the VPN works with one external peer, there is a very high chance it will work with all 20. If you see it doesn't work, you could quite quickly swap the machines again and try to understand what went wrong.
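The LAN-side mechanism lrmoore and dbardbar describe (an internal router holding one route per customer encryption domain, each pointing at whichever firewall currently terminates that customer's tunnel, with the route moved per customer during the migration and withdrawn when a tunnel drops, which is what RIM automates), modelled as an added Python example. This is not code from the thread and not Check Point's RIM; the gateway addresses, customer prefixes, and the function names `LanRouter`, `tunnel_up`, `tunnel_down`, `move_customer` and `demo` are constructed for illustration.

```python
import ipaddress

# Added example, not code from the thread or from Check Point. Addresses,
# prefixes and names below are constructed for illustration.
FW1 = "10.0.0.1"   # old Check Point on the DSL link (assumed LAN address)
FW2 = "10.0.0.2"   # new Check Point on the fiber link (assumed LAN address)


class LanRouter:
    """Internal LAN gateway with a longest-prefix-match forwarding table.

    This is the 'internal router with individual route statements' lrmoore
    suggests: hosts point at it, and it decides per destination which
    firewall gets the packet.
    """

    def __init__(self, default_gw):
        # One catch-all route: everything not matched by a more specific
        # route (plain Internet traffic) leaves via this firewall.
        self.routes = {ipaddress.ip_network("0.0.0.0/0"): default_gw}

    def add_route(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix)
        # Two gateways claiming the same prefix would be ambiguous; refuse it.
        if net in self.routes and self.routes[net] != next_hop:
            raise ValueError(f"{net} already routed via {self.routes[net]}")
        self.routes[net] = next_hop

    def del_route(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        # Longest prefix wins; the /0 default always matches as a last resort.
        best = max((n for n in self.routes if addr in n),
                   key=lambda n: n.prefixlen)
        return self.routes[best]


def tunnel_up(router, remote_domain, gateway):
    """RIM in miniature: the gateway that has a live tunnel with a customer
    injects that customer's encryption domain as a route via itself."""
    router.add_route(remote_domain, gateway)


def tunnel_down(router, remote_domain):
    """Tunnel lost: withdraw the injected route so the traffic returns to
    the default gateway."""
    router.del_route(remote_domain)


def move_customer(router, remote_domain, new_gateway):
    """Migrate one customer: withdraw the old route, inject it via the new box."""
    tunnel_down(router, remote_domain)
    tunnel_up(router, remote_domain, new_gateway)


def demo():
    """Walk one customer from FW1 to FW2 and back; return the next hop per step."""
    # Constructed customer encryption domains (TEST-NET ranges).
    customers = {"A": "192.0.2.0/24", "B": "198.51.100.0/24"}
    r = LanRouter(default_gw=FW1)
    for domain in customers.values():       # day 0: every tunnel is on the old box
        tunnel_up(r, domain, FW1)
    result = {"A_before": r.next_hop("192.0.2.10"),
              "internet_before": r.next_hop("203.0.113.5")}
    move_customer(r, customers["A"], FW2)   # move A's tunnel; B stays on FW1
    result["A_after"] = r.next_hop("192.0.2.10")
    result["B_after"] = r.next_hop("198.51.100.7")
    tunnel_down(r, customers["A"])          # A's tunnel on FW2 fails
    result["A_fallback"] = r.next_hop("192.0.2.10")   # back to default: FW1
    return result


if __name__ == "__main__":
    for step, hop in demo().items():
        print(f"{step:16} -> {hop}")
```

The model only covers the inside of the LAN, which is the point both replies make: the default gateway must be chosen deliberately (here FW1, so anything that is not a customer prefix keeps using the DSL link), and a withdrawn route only gives a quick fall-back if the old firewall still has a working tunnel for that customer. The customer side still sees a new peer IP and, with certificates, a new identity, which this routing change does nothing about.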
 
LVL 5

Expert Comment

by:dbardbar
ID: 16987658
"the version MEP methods" -> "the various MEP methods"
 
LVL 1

Author Comment

by:sotea
ID: 16999221
Hi all...

Thanks for sharing your thoughts!