
Configuration of Site to Site VPN with VPN-1 Edge


May 8, 2006

In This Document

Introduction page 1
Static NAT the SmartCenter / Management Server page 2
Add a VPN-1 Edge Object page 3
Create the VPN Community page 5
Basic FireWall-1 Rules page 13
Connecting to the SmartCenter/Management Server from VPN-1 Edge page 13

Introduction
To install NGX R60 VPN-1 Pro and SmartCenter, the SmartCenter Server must be
licensed to manage more than one firewall module. If the SmartCenter Server and the
NGX R60 gateway are installed on separate machines, it is recommended that you
statically NAT the management server.
In order for this configuration to work properly, VPN must be enabled, the policy
package must be in Simplified VPN mode, and the following are required:
• VPN-1/FireWall-1 NGX
• VPN-1 Edge 5.0.x firmware or newer

Static NAT the SmartCenter / Management Server
1. Open SmartDashboard.
2. Go to Network Objects > Check Point > Management Server object.
3. Select the NAT tab and check Add Automatic Address Translation rules.
The following window appears:

4. From the Translation method drop-down list select Static.


5. In the Translation to IP address field enter the public routable IP address of the
Management server. This address must be on the same subnet as the external
interface of the firewall module.
6. From the Install of Gateway drop-down list select the gateway that this management
server is behind.
7. Select Apply for VPN-1 & FireWall-1 control connections. As a result of selecting this
option VPN-1 Edge will connect to the management server via an implied rule.

Note - In a clustered environment, do not select Apply for VPN-1 & FireWall-1 control
connections. Instead, create an explicit rule in the Rule Base for this connection.

Configuration of Site to Site VPN with VPN-1 Edge - Last Update — May 8, 2006 2
Add a VPN-1 Edge Object
1. Open SmartDashboard.
2. Create a VPN-1 Edge Embedded Object.
Go to Network Objects > Check Point > New Check Point > VPN-1 Edge/Embedded
Gateway.
The following window appears:

3. Configure the VPN-1 Edge gateway object:


• Enter a name in the Name text box.
• Select a hardware type from the Type drop-down list.
• Enter a registration key in the Registration Key text box.
4. Select VPN-1 Enabled and Connects as Site To Site Gateway.

5. Select the Topology tab.
The following window appears:

6. Define the internal network behind the Edge (DMZ) and configure the VPN Domain
(WAN).
7. Select Manually defined and select a network from the list provided. If you have not
previously defined a network, click New and define the network.
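As an added pre-flight check (example code written for this page, not part of the Check Point document), the script below validates the two addressing decisions made in the steps above: that the static NAT address entered for the Management Server lies on the external subnet of the firewall module (step 5 of the static NAT section), and that the VPN Domain defined for the Edge does not overlap the center's encryption domain or another satellite's domain, which matters once NAT is disabled inside the community later in this guide. The function names, parameters and the RFC 5737 documentation addresses are assumptions of this example.

```python
import ipaddress
from typing import Dict, List, Optional

# Example pre-flight checks for the static NAT and VPN Domain steps above.
# All addresses used here are constructed sample values (RFC 5737 ranges).


def check_static_nat(nat_ip: str, external_iface: str) -> List[str]:
    """Validate the 'Translation to IP address' chosen for the Management Server.

    external_iface is the firewall module's external address in CIDR form,
    for example "203.0.113.10/24". Returns a list of problems; empty means OK.
    """
    problems: List[str] = []
    iface = ipaddress.ip_interface(external_iface)
    nat = ipaddress.ip_address(nat_ip)
    if nat not in iface.network:
        # The guide requires the NAT address to be on the external subnet.
        problems.append(f"{nat} is not on the external subnet {iface.network}")
    elif nat == iface.ip:
        # Translating to the gateway's own address would collide with the module.
        problems.append(f"{nat} is the firewall's own external address")
    elif nat in (iface.network.network_address, iface.network.broadcast_address):
        problems.append(f"{nat} is the network or broadcast address of {iface.network}")
    return problems


def check_vpn_domains(edge_domain: str, center_domain: str,
                      other_satellites: Optional[Dict[str, str]] = None) -> List[str]:
    """Check that the Edge's VPN Domain does not overlap any peer's domain.

    With NAT disabled inside the community, overlapping encryption domains
    cannot be routed unambiguously between center and satellites.
    """
    problems: List[str] = []
    edge = ipaddress.ip_network(edge_domain, strict=True)
    peers = {"center": center_domain, **(other_satellites or {})}
    for name, cidr in peers.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if edge.overlaps(net):
            problems.append(f"Edge VPN Domain {edge} overlaps {name} domain {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample run: a correct NAT address and a clashing satellite domain.
    for p in check_static_nat("203.0.113.20", "203.0.113.10/24"):
        print("NAT:", p)
    for p in check_vpn_domains("10.20.0.0/24", "10.10.0.0/16",
                               {"branch-2": "10.20.0.0/24"}):
        print("VPN domain:", p)
```

Run it with the real values from the Management Server object's NAT tab and the Edge object's Topology tab before installing the policy; any non-empty list points at a setting to revisit before the tunnel is negotiated.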

Create the VPN Community
1. In SmartDashboard select the VPN Manager tab.
2. Right click inside the screen and select New Community > Star....
The following window appears:

3. In the General tab enter a name for your Community and select Accept all encrypted
traffic.
4. Select the Centers Gateway tab.

The following window appears:

5. Click Add to add the NG or NGX gateway.


6. Select the Satellite Gateways tab.

The following window appears:

7. Click Add to add the VPN-1 Edge embedded device.


8. Select the VPN Properties tab.

The following window appears:

9. Configure the Phase 1 and Phase 2 key negotiation properties.


10. Select the Tunnel Management tab.

The following window appears:

11. Under VPN Tunnel Sharing select One VPN tunnel per subnet pair.
12. Select Advanced Settings > VPN Routing.

The following window appears:

13. Select To center and other satellites through center.


14. Select Advanced Settings > Advanced VPN Properties.

The following window appears:

15. Select Disable NAT inside the VPN community. Leave the default settings on all other
properties. These properties are not enabled by default on the VPN-1 Edge device.
16. Select the Shared Secret tab. When managed, the VPN-1 Edge device will negotiate
via the ICA certificate.

The following window appears:

17. Make sure that Use only Shared Secret for all External members is not selected.
18. Click OK.

Basic FireWall-1 Rules
1. In SmartDashboard create a rule (if necessary) that enables SWTP_SMS or SWTP
GATEWAY to the Management server. If the control connections are enabled, an
implied rule allowing this connection already exists.
2. There should be an implied rule in the Rule Base for the VPN-1 community (top).
An explicit rule can be created by editing the VPN-1 community and deselecting
the option Accept all encrypted traffic.
3. Create a rule where the Edge internal network destination is Any. Change the Install
On field to the Edge Object and the R60 gateway.
4. Save and install the Security Policy to the hub firewall and the profile.

Connecting to the SmartCenter/Management Server from VPN-1 Edge
1. Log into the VPN-1 Edge device from the LAN at http://my.firewall or WAN at
https://external_ip:981.
The following window appears:

2. Select the Services Tab and click on Connect.
The following window appears:

3. Enter the Static NAT IP address of the NGX R60 Management server in the
Specified IP text box and click Next.
The following window appears:

4. Enter the Gateway ID and Registration Key and click Next. The gateway ID is the
name of the VPN-1 Edge/Embedded device as it appears in SmartDashboard. The
registration key is the password entered for the VPN-1 Edge/Embedded object.
After the connection is complete, the confirmation screen will appear.
5. Click Next to complete the process.
6. To confirm that Edge is connected to the Management server, verify that in the
bottom left hand corner of the screen the word Connected appears in the Service
Center.

7. To confirm that a policy has been installed select Setup > Tools > Diagnostics. The
Policy section should show the name of the VPN-1 Edge profile as it appears in
SmartDashboard.

8. To confirm that VPN is established, initiate traffic from a host behind the Edge to a
host behind the NG or NGX gateway. Go to Reports > VPN Tunnels and verify that the
tunnel was established in the following window.
