Firewall Wizards mailing list archives

RE: IP in IP and FW1


From: "Safier, Adam (GEIS)" <Adam.Safier () geis ge com>
Date: Wed, 24 Sep 1997 18:55:38 -0400

Colin's answers are preferred with 2 being my favorite.

But, if you cannot do that you might try overloading the r2-fw1
interface with a second IP address, say a class 1918 address.  You then
set that as the internet default or proxy server or gateway for Net1
users.  They go to the firewall which decrypts and then uses its own
routing table to forward to the allowed destination which is back out
the same physical interface to R2.

This is a guess - haven't been there, haven't done that with
SecureRemote - but overloading works and your firewall rules can be set
by IP address of the interface.  However, some rules may conflict and
you may need to relax your policy - which could be risky.  Really should
change to Colin's option 2.


-----Original Message-----
From: Colin Campbell [SMTP:sgcccdc () citec qld gov au]
Sent: Wednesday, September 24, 1997 4:00 AM
To:   firewall-wizards () nfr net
Subject:      Re: IP in IP and FW1

Hi

How about one of two solutions:

1) replace R1 with Cisco running 11.2 IOS and do NAT on the router.
2) restructure the LAN to be:

                             Internet
                                ^
                                |
                              R2
                                |
      NET1 ------ R1 ---------- FW1-------------- NET2

Colin

My mailer thinks Neale Banks said:

Hi,

I have been asked to advise on a problem with a RFC1918 subnet that needs
to communicate with the Internet via FW-1 and NAT.

A picture is worth a thousand words, so:

                            Internet
                               ^
                               |
     NET1 ------ R1 ---------- R2 ---- FW1------ NET2

The main complication here is that both NET1 and NET2 are using RFC1918
addresses, and R2 also has the default route to the internet.  Ideally
Internet traffic from FW1 SecuRemote clients on NET1 would be directed to
the FW1 and NATed to assigned address space before venturing to the
internet.


Adam

---------------
Adam Safier,  Network Engineer/Security Consultant
GE Information Services, Inc.
401 North Washington St., Rockville, Md. 20850
Ph: 301-340-5737    Internal: 8*273-5737   Fax: 301-340-4005
Adam.Safier () geis ge com        http://www.geis.com

I'm proud to live in a country where I can express my personal opinions.
The opinions above may not be shared by my employer.
---------------
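The point of the whole thread is that NET1's Internet traffic follows R2's default route and therefore never crosses FW1's policy and NAT, and that Adam's workaround works by hauling that traffic to the firewall first and letting FW1 forward it back out towards R2. The following is an added example, not code from any of the posters: a small longest-prefix-match routing simulation of the diagram above. All addresses (NET1 10.1.0.0/24, NET2 10.2.0.0/24, the hypothetical FW1 secondary address 192.168.99.2, the Internet destination 198.51.100.10) are constructed, and SecuRemote is modelled simply as an encapsulating tunnel from the client to the firewall's secondary address, which is an assumption about the client's behaviour, not something the thread spells out.

```python
import ipaddress

# Constructed topology modelled on the thread's diagram. Every address here is
# made up (RFC 1918 and documentation ranges), not taken from the original posts.
NET1 = "10.1.0.0/24"             # SecuRemote clients behind R1
NET2 = "10.2.0.0/24"             # LAN behind FW1
FW1_SECONDARY = "192.168.99.2"   # hypothetical second address on FW1's R2-facing interface
INTERNET_HOST = "198.51.100.10"  # some destination on the Internet (TEST-NET-2)

# Each node has a routing table of (prefix, next_hop). A next_hop of None means
# the destination is directly reachable from this node, so the packet stops here.
ROUTES = {
    "NET1-host": [("0.0.0.0/0", "R1")],
    "R1": [(NET1, None), ("0.0.0.0/0", "R2")],
    "R2": [(NET1, "R1"), ("192.168.99.0/24", "FW1"), (NET2, "FW1"),
           ("0.0.0.0/0", "INTERNET")],            # default route lives on R2, not FW1
    "FW1": [("192.168.99.0/24", None), (NET2, None), ("0.0.0.0/0", "R2")],
    "INTERNET": [("0.0.0.0/0", None)],
}


def next_hop(node, dst):
    """Longest-prefix-match lookup of dst in node's routing table."""
    dst = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(p), nh) for p, nh in ROUTES[node]]
    matches = [(n, nh) for n, nh in candidates if dst in n]
    if not matches:
        raise LookupError(f"{node}: no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(start, dst, max_hops=16):
    """Follow next hops from start until some node has dst directly reachable."""
    path = [start]
    for _ in range(max_hops):
        nh = next_hop(path[-1], dst)
        if nh is None:
            return path
        path.append(nh)
    raise RuntimeError(f"routing loop towards {dst}: {path}")


def plain_path():
    """Original setup: NET1 follows R2's default route, so packets never see FW1."""
    return trace("NET1-host", INTERNET_HOST)


def tunneled_path():
    """Adam's suggestion, modelled as an encapsulating tunnel: the client's Internet
    traffic is first carried to FW1's secondary address; FW1 decrypts it and then
    forwards the inner packet using its own routing table (back out towards R2)."""
    outer = trace("NET1-host", FW1_SECONDARY)   # ends at FW1
    inner = trace(outer[-1], INTERNET_HOST)     # FW1 -> R2 -> INTERNET
    return outer + inner[1:]


def passes_enforcement_point(path, fw="FW1"):
    """True when the firewall (policy and NAT) sits on the forwarding path."""
    return fw in path


if __name__ == "__main__":
    for label, path in (("default route via R2", plain_path()),
                        ("gateway = FW1 secondary address", tunneled_path())):
        verdict = "policy applied" if passes_enforcement_point(path) else "FW1 BYPASSED"
        print(f"{label:33s} {' -> '.join(path):50s} {verdict}")
```

Running it shows the two paths side by side: with R2 holding the default route the trace is NET1-host -> R1 -> R2 -> INTERNET and FW1 is bypassed, while with the firewall's secondary address as the tunnel endpoint the trace is NET1-host -> R1 -> R2 -> FW1 -> R2 -> INTERNET, with R2 appearing twice, which is exactly the "back out the same physical interface" hairpin Adam describes. The same check, run against a real routing table export, is a quick way to verify that every internal prefix actually reaches the enforcement point before hitting the Internet.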