FireWall-1 FAQ: FireWall-1 with Internet via (R)RAS Connection
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
WARNING: Check Point does not recommend or support this configuration. Neither do I, for that matter. Proceed at your own risk.
It does work, assuming the following is true:
- If NT 4.0 SP3 or higher is installed, build 3045 or higher of FireWall-1 must be installed.
- If SP1 is installed, FireWall-1 2.1c or higher should work fine. You need to set the following registry entry:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasArp\DisableOtherSrcPackets
  Type is DWORD, value is 0
- If one of your subnets is on the same logical IP subnet as your service provider, you need to set the following registry entry:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\IPCP\PriorityBasedOnSubNetwork
  Type is DWORD, value is 1
Other than these issues, everything that you would normally have to do to set up an NT system to run FireWall-1 needs to be done. This includes (but is not limited to) turning on “IP Routing” in the TCP/IP Properties, configuring the interfaces, and configuring the routing.
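The following is an added example, not part of the original FAQ: a PowerShell audit that reads the two registry values above and only demands PriorityBasedOnSubNetwork when one of your internal subnets really is the same logical subnet as the RAS-assigned address. The internal subnet list and the RAS address/mask are assumptions supplied by the operator; the sample values at the bottom are constructed.

```powershell
# Added example (not from the original FAQ). Assumes it runs on the
# FireWall-1 host and that the operator supplies the internal subnets
# and the address/mask the provider assigned to the RAS link.

function Test-SameSubnet {
    param([string]$Addr1, [string]$Addr2, [string]$Mask)
    $a = [System.Net.IPAddress]::Parse($Addr1).GetAddressBytes()
    $b = [System.Net.IPAddress]::Parse($Addr2).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($a[$i] -band $m[$i]) -ne ($b[$i] -band $m[$i])) { return $false }
    }
    return $true
}

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Missing key or value is reported as $null rather than thrown
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-RasFirewallSettings {
    param(
        [string[]]$InternalSubnets,  # 'network/mask', e.g. '10.0.0.0/255.0.0.0'
        [string]$RasAddress,         # address the provider assigned to the RAS link
        [string]$RasMask
    )
    $results = @()

    # Always required for this setup: RasArp\DisableOtherSrcPackets = 0
    $v = Get-RegDword 'HKLM:\System\CurrentControlSet\Services\RasArp' 'DisableOtherSrcPackets'
    $results += [pscustomobject]@{ Setting = 'RasArp\DisableOtherSrcPackets'; Expected = 0; Actual = $v; Ok = ($v -eq 0) }

    # Required only when an internal subnet overlaps the provider's subnet
    $overlap = $false
    foreach ($s in $InternalSubnets) {
        $net, $mask = $s -split '/'
        if (Test-SameSubnet $net $RasAddress $mask) { $overlap = $true }
    }
    if ($overlap) {
        $v = Get-RegDword 'HKLM:\System\CurrentControlSet\Services\RasMan\PPP\IPCP' 'PriorityBasedOnSubNetwork'
        $results += [pscustomobject]@{ Setting = 'RasMan\PPP\IPCP\PriorityBasedOnSubNetwork'; Expected = 1; Actual = $v; Ok = ($v -eq 1) }
    }
    return $results
}

# Constructed sample input: an internal 10/8 network and a RAS address inside it
Test-RasFirewallSettings -InternalSubnets @('10.0.0.0/255.0.0.0') -RasAddress '10.5.6.7' -RasMask '255.0.0.0' | Format-Table
```

A row with Ok=False shows which of the two values still needs to be set; when no internal subnet overlaps the RAS link, only the RasArp row is reported.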
Known issues with this configuration:
- Any IPSEC-based encryption will probably not work (basically, anything but FWZ). FWZ seems to work okay, however.
- Licensing: Either license your firewall to the internal IP address, or do not start FireWall-1 until after RAS has connected you to the Internet; otherwise FireWall-1 will complain that the license is invalid and will not start correctly.