Solved

1 LAN, 2 WAN, 2 firewalls, # vpn tunnels

Posted on 2006-06-26
5
849 Views
Last Modified: 2013-11-16
We have a Checkpoint Firewall-1 connected to a DSL connection via a Cisco router.
We are in the process of installing a fiber connection and a new Checkpoint firewall.

We have about 20 VPN tunnels to different customers, and I would like to be able to move them, one at a time from the old firewall and DSL connection to the new firewall and fiber connection.

Is it possible to have 2 WANs and 2 firewalls connected to the same LAN and still control multiple VPN connections on each firewall?

Question by: sotea
5 Comments
LVL 51

Assisted Solution

by: ahoffmann
ahoffmann earned 166 total points

Yes, as long as these 2 WANs have unique IPs.
LVL 79

Assisted Solution

by: lrmoore
lrmoore earned 166 total points

You may have an issue with routing on the LAN side. With 2 gateways now, which one is the default for the LAN? How are you going to control routing data when you move a network from FW1 to FW2?
It will be a challenge if the Checkpoint won't redirect packets, just as a PIX firewall won't. You may need an internal router that will be the LAN gateway, where you can control individual route statements as you need to.
LVL 5

Accepted Solution

by: dbardbar
dbardbar earned 168 total points

As lrmoore has said, routing would be an issue on the inside.

But I'd like to add that you also have an issue on the outside. If you do not have any control over the external GWs (at the customers), and you do not wish to change the configuration on their side, then you will need some smart routing on the outside as well. And even if the routing issue is OK, your GWs are still going to look very different to the external machine, IP-wise and authentication-wise (if using certificates).

If the external GWs are Check Point, you could try to use the version MEP methods, but honestly it would be a headache, and would require quite a bit of configuration on the external GWs, if they are not managed by the same management as yours.

Assuming the external GWs are not managed by the same management machine as your internal firewalls, and assuming you can talk the external companies into performing changes on their side, then the simplest and safest thing I would suggest is putting in the new GW, giving it a different external IP, managing it from the same management, and defining for it the same encryption domain as the first one.
Then contact some of the external customers and tell them to create a new GW object (while keeping the old one), giving it the correct Enc.Dom. while nulling the Enc.Dom. of the old GW. This will allow you a very quick fall-back if the VPN tunnel with the new GW doesn't work.

As to the internal routing, you might consider RIM - Routing Injection Mechanism. It basically means that the GW which has a VPN tunnel with an external GW will advertise to your internal routers that the remote encryption domain is now available via it. It is not easy to set up, but once it is up and running, it would allow you quick fall-back.

To sum it up - I'll repeat what lrmoore said. This would indeed be a challenge. I really doubt it is worth it. Personally, I would just try to make the new machine as identical to the first as possible (IPs, hostname, OS, versions, ...), copy the configuration from the old machine, perform some in-house tests, and then just swap the old and the new. If VPN works with one external peer, there is a very high chance it will work with all 20. If you see it doesn't work, you could quite quickly swap the machines again, and try to understand what went wrong.
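lrmoore's point (an internal router as the LAN gateway, with one route statement per customer) and dbardbar's point (move customers one at a time with a quick fall-back) both come down to keeping a per-customer record of which firewall currently carries the tunnel and emitting the matching static routes. The following is an added example, not code from the thread or from Check Point: a small Python helper that holds that record, generates the Linux `ip route replace` commands for a hypothetical internal router, and refuses overlapping remote encryption domains (a more-specific route for one customer would otherwise silently steer another customer's traffic to the wrong firewall). The gateway addresses and customer networks are constructed for illustration.

```python
"""Staged per-customer VPN cutover plan for an internal LAN router.

Added example (not from the thread). Assumes the LAN default gateway is a
Linux router whose static routes decide whether traffic for a customer's
remote encryption domain goes to the old firewall or the new one. All
addresses and customer names below are constructed for illustration.
"""
import ipaddress

OLD_FW = "192.168.1.1"   # old Check Point on the DSL side   (assumed LAN IP)
NEW_FW = "192.168.1.2"   # new Check Point on the fiber side (assumed LAN IP)

# Constructed sample: customer -> remote encryption domain(s) behind its tunnel.
CUSTOMERS = {
    "acme":    ["10.10.0.0/24"],
    "globex":  ["10.20.0.0/24", "10.20.1.0/24"],
    "initech": ["172.16.5.0/24"],
}


def validate_domains(customers):
    """Parse every remote encryption domain and reject overlaps between
    different customers; returns the list of (customer, network) pairs."""
    nets = []
    for name, cidrs in customers.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=True)  # host bits set -> ValueError
            for other_name, other in nets:
                if other_name != name and net.overlaps(other):
                    raise ValueError(f"{name} {net} overlaps {other_name} {other}")
            nets.append((name, net))
    return nets


class CutoverPlan:
    """Tracks which customers have been moved and emits the router commands."""

    def __init__(self, customers, old_fw, new_fw):
        if old_fw == new_fw:
            raise ValueError("the two firewalls need distinct LAN addresses")
        validate_domains(customers)
        self.customers = customers
        self.old_fw, self.new_fw = old_fw, new_fw
        self.moved = set()

    def gateway_for(self, name):
        return self.new_fw if name in self.moved else self.old_fw

    def route_commands(self, name):
        """Static routes for one customer, pointing at its current firewall."""
        gw = self.gateway_for(name)
        return [f"ip route replace {cidr} via {gw}" for cidr in self.customers[name]]

    def cutover(self, name):
        """Move one customer to the new firewall; returns the commands to apply."""
        if name not in self.customers:
            raise KeyError(name)
        self.moved.add(name)
        return self.route_commands(name)

    def rollback(self, name):
        """Quick fall-back: point the customer back at the old firewall."""
        self.moved.discard(name)
        return self.route_commands(name)

    def full_table(self):
        """Every customer's routes, in a stable order, for a full re-sync."""
        cmds = []
        for name in sorted(self.customers):
            cmds.extend(self.route_commands(name))
        return cmds


if __name__ == "__main__":
    plan = CutoverPlan(CUSTOMERS, OLD_FW, NEW_FW)
    print("\n".join(plan.cutover("acme")))   # acme now via NEW_FW
    print("\n".join(plan.full_table()))      # everyone else still via OLD_FW
```

The commands are only printed, so the script can be reviewed before anything is applied on the router; the inside routes are of course only half the job, since the customer side still has to point its GW object at the new external IP with the same encryption domain, as dbardbar describes.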
LVL 5

Expert Comment

by: dbardbar

"the version MEP methods" -> "the various MEP methods"
LVL 1

Author Comment

by: sotea

Hi all...

Thanks for sharing your thoughts!