Why not add another interface to the Enterprise machine and put all your
RAS on that subnet? FW-1 will handle what, 32 interfaces?
Overlapping encryption domain has to do with the definition of what
domains are trusted. You have defined the same trusted domain twice.
You probably don't need to set up two objects like that (one for each
firewall). I would assume you could set up one object and use it in the
rules on both firewalls. IOW I suspect that it isn't a dual firewall
issue but a dual object definition issue. Sorry if this is not clear.
The Certificate Authority is the trusted host that holds the keys. This
is the control module - at least by default. Your firewall and
encryption modules might not be able to act as a certificate authority -
you should ask Checkpoint for clarification on that point. My guess is
that they cannot act as Certificate authorities. Under your Enterprise
license, however, you should be able to have multiple control modules
which I think CAN be Certificate Authorities.
I haven't gone to FW-1 training yet so take these comments with a block
>From: Rick Hardy [SMTP:rick @
>Sent: Monday, February 02, 1998 18:39
>To: firewalls @
>Subject: Encryption Domains....
>I have a question concerning the way encryption domains work and what
>modules are required to do an encryption domain.
>First, I have a situation where two firewalls (1st is Enterprise version,
>with DES running under Solaris 2.51 FW-1 ver 30b, 2nd is Firewall Module
>with DES) are being used as gateways to the same hosts. One has access via
>RAS (straight dialup, then authenticates to FW via SecureRemote; this works
>since the GW is the Enterprise FW) the other has access via the Internet.
>Here is my problem, I get an error saying 'Overlapping Encryption
>Domain'... To solve this issue, can I use NAT? (I know, not a perfect
>solution but it should work!) My second issue has me perplexed!
>When I try to authenticate to the FW-1 box with ONLY the FW-1 Firewall
>Module and DES encryption, I get an error saying that it is NOT a
>Certificate Authority, and to check with my Sys Admin if the FW Gateway is
>a Control Module @
>! Huh??? Does a Firewall-1 Gateway NEED to be a
>control module to authenticate via Secure Remote?? I didn't think so, and
>I've looked at all the docs.....
>Anyone have any ideas on either of these?!!?
>Thanks in advance!
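As an added illustration (not code from either poster or from Check Point), a small Python check over constructed gateway definitions that reports when two gateways' encryption domains cover the same addresses, which is the condition behind the "Overlapping Encryption Domain" error discussed above. The gateway names and subnets are invented for the example; the check distinguishes the same domain defined twice from a partial overlap of two different networks.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed example: two gateway objects, each listing the networks it
# claims as its encryption domain (the hosts it encrypts traffic for).
# Names and addresses are invented for this illustration.
GATEWAYS = {
    "fw-enterprise": ["10.1.0.0/24", "10.2.0.0/24"],
    "fw-module":     ["10.1.0.0/24", "10.3.0.0/16"],
}


def find_overlaps(gateways):
    """Return one tuple per overlapping pair of networks across gateways:
    (gateway_a, gateway_b, net_a, net_b, kind), where kind is
    'duplicate' when the same network is defined on both gateways and
    'partial' when two different networks share an address range."""
    overlaps = []
    for (name_a, nets_a), (name_b, nets_b) in combinations(gateways.items(), 2):
        for a in nets_a:
            for b in nets_b:
                net_a, net_b = ip_network(a), ip_network(b)
                if net_a == net_b:
                    overlaps.append((name_a, name_b, a, b, "duplicate"))
                elif net_a.overlaps(net_b):
                    overlaps.append((name_a, name_b, a, b, "partial"))
    return overlaps


def report(gateways):
    """Human-readable lines, one per overlapping pair; empty when the
    encryption domains are disjoint."""
    return [
        f"{kind}: {ga} {na} overlaps {gb} {nb}"
        for ga, gb, na, nb, kind in find_overlaps(gateways)
    ]


if __name__ == "__main__":
    for line in report(GATEWAYS):
        print(line)
```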