CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I'm using R55 as my LAN gateway. Let's say this has an inside IP address of 192.168.1.254/24. ALL my LAN hosts have the Check Point as their gateway, 192.168.1.254/24. I also have a non-Check Point device on the same network that terminates a site-to-site VPN; let's say its IP address is 192.168.1.252/24. 1. CAN I PUT A ROUTE ON THE CHECK POINT TO POINT TO THE VPN DEVICE FOR TRAFFIC TO AND FROM THE REMOTE ENCRYPTION DOMAIN AND CREATE FIREWALL RULES FOR THIS? OR, IS THIS NOT POSSIBLE BECAUSE I'LL BE GOING IN AND OUT THE SAME INTERFACE???

It should work, but you may have to allow ICMP redirects. I've tried it myself and it didn't work, but I also didn't debug it, because for the one machine that needed the route it was just as fast to put in the static. Please let us know what you find out.

I tested it and it works for me, like this: R1---FW1-----Internet----R2. LAN-to-LAN VPN between R1 and R2. FW internal IP address is 192.168.1.254/24. R1 has an IP address of 192.168.2.251/24. It will work just fine. Remember, whatever local encryption domain you have on R1, FW-1 knows nothing about, because once the traffic leaves R1 it will be encrypted anyway. FW-1 will see nothing but IKE and ESP traffic, or UDP 4500 if you're doing NAT traversal, with the IP address 192.168.1.252/24. You don't need any static routes at all. You just need a default route on R1 to point to FW-1. Unless you're doing one-arm routing on the Cisco router; then the configuration will be a little different. In that case, you need a static route on the firewall pointing the remote encryption domain at the router as the next hop. HTH
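The two replies above turn on one routing fact: if the firewall carries a static route for the remote encryption domain whose next hop (the VPN device) sits on the same interface the LAN traffic arrives on, the firewall forwards out the ingress interface and may answer with an ICMP redirect, whereas the IKE/ESP/NAT-T traffic the VPN device itself sends toward the Internet is an ordinary inside-to-outside flow. The following added example (my own illustration, not code from the thread or from Check Point) simulates that forwarding decision with a longest-prefix-match lookup so you can see which flows hairpin. The interface names eth0/eth1, the remote encryption domain 10.10.10.0/24 and the upstream next hop 203.0.113.1 are constructed assumptions; the 192.168.1.x addresses are the ones from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]  # None = directly connected
    iface: str

# Constructed firewall routing table (interface names and the 10.10.10.0/24
# remote encryption domain are hypothetical, chosen for the illustration).
FW_ROUTES: List[Route] = [
    # inside LAN, directly connected
    Route(ipaddress.ip_network("192.168.1.0/24"), None, "eth1"),
    # default route toward the Internet
    Route(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("203.0.113.1"), "eth0"),
    # one-arm case from the thread: remote encryption domain via the VPN device
    Route(ipaddress.ip_network("10.10.10.0/24"), ipaddress.ip_address("192.168.1.252"), "eth1"),
]

def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way a real forwarding table is consulted."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def forward(routes: List[Route], dst: str, ingress_iface: str) -> Optional[dict]:
    """Return the egress interface, next hop and whether the packet hairpins.

    A hairpin (egress == ingress) is exactly the situation in which a router
    may emit an ICMP redirect telling the LAN host to use the next hop directly,
    so it is the case where 'allow ICMP redirects' or per-host routes matter.
    """
    r = lookup(routes, dst)
    if r is None:
        return None
    next_hop = r.next_hop if r.next_hop is not None else ipaddress.ip_address(dst)
    return {"iface": r.iface, "next_hop": str(next_hop), "hairpin": r.iface == ingress_iface}

# What the firewall sees from the VPN device itself: only the tunnel control and
# data protocols, so the rule for 192.168.1.252 -> Internet can be that narrow.
def vpn_endpoint_rule_allows(proto: str, dport: Optional[int]) -> bool:
    if proto == "esp":              # IP protocol 50
        return True
    if proto == "udp" and dport in (500, 4500):  # IKE, NAT-T
        return True
    return False

if __name__ == "__main__":
    # LAN host -> remote encryption domain: hairpins on eth1 via the VPN device
    print(forward(FW_ROUTES, "10.10.10.5", "eth1"))
    # LAN host -> Internet: ordinary inside-to-outside forwarding
    print(forward(FW_ROUTES, "198.51.100.7", "eth1"))
    # Tunnel traffic from the VPN device toward the Internet
    print(vpn_endpoint_rule_allows("udp", 4500), vpn_endpoint_rule_allows("tcp", 80))
```

The hairpin flag is the practical check: when it is set for the remote encryption domain, the firewall is acting as a one-arm router for that prefix, and you should expect the redirect behaviour the second reply mentions and decide deliberately whether hosts accept redirects or carry their own route to the VPN device.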