Remote site encryption domain

We have a remote user for whom we will be setting up a site-to-site VPN using a locally managed 1430 appliance (at the user site) and a centrally managed Check Point gateway (in the datacenter).

The user needs to have traffic from corporate assets use the VPN tunnel (including traffic bound for internet) and traffic from personal devices not go through the tunnel (i.e. straight to the internet).

My plan was to have him connect his personal devices to the DMZ interface (which I have assigned a separate network) and have corporate devices use the LAN switch. I have configured the VPN site and have set the Remote Site Encryption Domain to "Route all traffic through this site." I chose this to have all the traffic from corporate assets (including traffic bound for internet) go through the tunnel. I am unsure, however, if "all traffic" includes traffic from devices connected to the DMZ interface.

Does anyone know if "all traffic" in this setting includes traffic sourced from behind the DMZ interface? If yes, any suggestions as to how to accomplish what I need?


Thanks,

Dave

3 Replies

I have done this exact same configuration. Corporate connection at house is at LAN, personal network is on DMZ.

Exclude the DMZ network from the VPN (sk25675, sk86582 for reference). We did this by editing user.def.FW1 and user.def.SFWR77CMP. We used the source range to exclude the whole DMZ network from the VPNs. We also excluded the static external IP address of the 1400, allowing it to get updates directly.


Allowed NAT directly out to the internet, and it worked.

Thanks Ted,


I looked through the articles and they all reference modifying the files (user.DEF, etc.) on the management servers. My 1430 at the remote site will be locally managed (and configured as an Interoperable Device on the management server). Is this how yours is configured, and did you then modify the files you referenced on the locally managed device itself?


Thanks,

Dave

No, we did centrally managed so we could control it better. I'm not sure if it is possible for a self-managed box to do exclusions, or at least I have never tried it.