10-02-2020 12:24 PM - edited 10-02-2020 12:27 PM
Hi, directly to the question:
The topology is a standard extended star topology at the switching level.
Routers and firewalls are a little complicated for redundancy and high availability.
For me the interesting part is the configuration of VPN in Check Point firewalls.
Forget that the firewall is not Cisco; my question is fundamental.
When we define the network subnet for VPN, for external users, is it necessary to define, for example, VLAN 200 in the firewall and VLAN 200 in the core switches?
This is complete nonsense to me after thinking about it. I am strong in switching, but firewalls are new for me, and I need your help to clarify details and concepts.
I think in the firewall we define only the L3 IP address of our VPN subnet; for example, if our subnet is 10.10.10.0/24 for VPN external clients, we define 10.10.10.1/24 in the firewall.
And so we define the routing between the internal subnets and our VPN subnet, and so on.
In the firewall we do not define a VLAN.
In the firewall we just define the DHCP relay or helper and the static IP of the VPN subnet.
The IP is 10.10.10.1/24 for the VPN subnet; the DHCP server has IP 10.10.20.99/24.
The DHCP server contains the DHCP scope for subnet 10.10.10.0/24 with range 10.10.10.100-10.10.10.254 and GW 10.10.10.1/24.
Our DHCP server has an IP in a different subnet from our internal network, but the routing between our VPN network and all internal networks is provided at layer 3 between routers, firewalls and core switches with L2/L3 roles, inter-VLAN routing, and static or dynamic routes :).
In the switches we do not define a VLAN?
This is my big question:
In the switches we do not define a VLAN?
And in the firewall, for our VPN subnet?
Now I see the working topology.
And when I check VLAN 200 for VPN, I don't see any MAC addresses.
But the clients are connected to the VPN server of the firewall, they receive their IP address from the DHCP server, and everything is okay.
10-02-2020 01:14 PM - edited 10-02-2020 01:27 PM
No, you don't need to define the VLANs on the firewall; you just need to route the traffic to the firewall. Then, when using a policy-based VPN, you need to define the interesting traffic (host or subnet) which should be encrypted in an ACL; this needs to be mirrored on the peer. Alternatively, if you use a route-based VPN, then you need either a static route or a dynamic routing protocol.
HTH
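As an added illustration (not from either poster, and not Check Point or Cisco code), here is a small Python model of the design the answer describes: the VPN pool is a connected network on the firewall only, no device carries a VLAN for it, and the core switch just needs a route for the pool pointing at the firewall. The device names and the 10.10.1.0/30 firewall-to-core transit link are assumptions; the trace shows the client-to-DHCP-server path and the return path, and what happens when the core's return route is missing.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed model of the thread's design: the VPN pool 10.10.10.0/24 is a
# connected (virtual) network on the firewall only, the DHCP server sits in
# 10.10.20.0/24 behind the core switch, and no device has a VLAN for the pool.
# Device names and the 10.10.1.0/30 firewall-to-core transit link are assumptions.
RoutingTable = List[Tuple[ipaddress.IPv4Network, Optional[str]]]  # (prefix, next-hop device); None = connected


def build_topology(core_has_return_route: bool = True) -> Dict[str, RoutingTable]:
    n = ipaddress.ip_network
    firewall: RoutingTable = [
        (n("10.10.10.0/24"), None),    # VPN client pool terminated on the firewall
        (n("10.10.1.0/30"), None),     # transit link to the core switch
        (n("10.0.0.0/8"), "core"),     # all internal networks are reached via the core
    ]
    core: RoutingTable = [
        (n("10.10.20.0/24"), None),    # server VLAN holding the DHCP server 10.10.20.99
        (n("10.10.1.0/30"), None),
    ]
    if core_has_return_route:          # the one route the answer says the core needs
        core.append((n("10.10.10.0/24"), "firewall"))
    return {"firewall": firewall, "core": core}


def lookup(table: RoutingTable, dst: ipaddress.IPv4Address):
    """Longest-prefix match; returns (prefix, next_hop) or None when no route exists."""
    best = None
    for prefix, next_hop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def trace(topo: Dict[str, RoutingTable], ingress: str, dst: str, max_hops: int = 8) -> List[str]:
    """Forward a packet hop by hop; the path ends in 'delivered', 'dropped:<device>' or 'loop'."""
    dst_ip, device, path = ipaddress.ip_address(dst), ingress, [ingress]
    for _ in range(max_hops):
        match = lookup(topo[device], dst_ip)
        if match is None:
            return path + [f"dropped:{device}"]
        if match[1] is None:            # connected network: this device delivers locally
            return path + ["delivered"]
        device = match[1]
        path.append(device)
    return path + ["loop"]


def vpn_client_round_trip(topo, client: str = "10.10.10.150", server: str = "10.10.20.99"):
    """Client-to-server path (enters at the firewall) and the server's reply path (enters at the core)."""
    return trace(topo, "firewall", server), trace(topo, "core", client)
```

Without the core's route for 10.10.10.0/24 the forward path still works but the reply is dropped at the core, which is the usual reason a VPN pool that has no VLAN anywhere "half works".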
10-02-2020 02:01 PM
FWs don't understand any VLAN; they need to know which source IP address is talking to which destination, and the other side requires the same, so they can enable communication.
How you route the traffic to the end device (internal static route or IGP from the firewall to your end device) is your own model.
10-02-2020 04:31 PM
Hi Rob Ingram,
Hi Balaji Bandi,
Thank you for your attention and answers, I appreciate it.
I don't know too much about how Check Point works.
I don't have access to the firewalls to check exactly how the communication works.
I just know two VLANs dedicated specially for the firewalls, but only at the core switching level, and I think they are related to L3 interfaces in the firewalls to provide gateways for special servers with security purposes and nothing more.
And for me it is not really necessary in this situation to create a VLAN for VPN clients.
I think routing here provides communication between all networks.