[vpn] RE: VPN Setup

Adam Safier safiera at gss-inc.com
Mon Dec 31 13:17:58 EST 2001


You don't say if this is client VPN (user PC to gateway) or a site-site VPN.
Since it's a 3000 my guess is it's a client VPN.  I think this is a common
solution if the FW1 was replaced with a Cisco router and you turned on
policy routing (need cisco geek input here ... I'm not fully up on how that
works with Cisco gear and our gurus are too busy to ask for free-bee
advice....).  FW-1 will not do policy routing - it relies on the underlying
OS platform for routing capabilities. With FW-1 being a Check Point it does
not make a great deal of sense to do this.

Check Point has a very low cost VPN add on - the VPN license if free but you
have to pay for DES+ encryption code.  It's a minor cost in the scheme of
things.  Anyway, why not run the VPN to the Check Point and save the cost of
headach of adding the 3000?  If you need site-site VPN see if the OS on the
7200 will handle the site-site VPN. Then you can still force authentication
at the FW-1.

If you persist with this layout you will have a special issue with routing.
Either you will need an internal NAT so replies from internal hosts can get
back to the VPN box or you will need to point your default rout from thy
FW-1 to the Cisco 3000.

Adam Safier
Global Systems & Strategies, Inc (GSS)
7000 Security Blvd, Suite 300
Baltimore, Md. 21244
(443) 436-6393
(410) 281-9193


-----Original Message-----
From: itsd itsd [mailto:itsd2001 at hotmail.com]
Sent: Friday, December 28, 2001 8:50 PM
To: vpn at securityfocus.com
Subject: VPN Setup


Hi,

We would like to put the Cisco VPN 3000 Gateway like this:


           DMZ
            |
            |
Private===FW1=====Catalyst2900==Cisco_Router_7200====Internet
            |              |
            |====VPN3000===|


Questions:
=========

1) Is this good solution (security, performance, .....)
2) FW1 is CheckPoint Firewall 1 with 4 interface (all are in different
subnet):
            -One connected to private Network
            -One to Catalyst 2900
            -One to DMZ
            -One we like to connect it to VPN 3000

      What did I need to open (rule) on FW-1 to make the VPN working.

3) What access-list I need to put on Cisco 7200 ?

Private: Catalyst 5500 + RSM
VPN Gateway: Cisco VPN 3000 (Software Version 3.5)
FW-1: Checkpoint FW-1 ver. 4.1 SP2
Router: Cisco Router 7200 (version 12.X)
VPN Client: Software Client / Hardware client 3002 (Software Version 3.5)

Thanks


_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com



VPN is sponsored by SecurityFocus.com





More information about the VPN mailing list