Firewall Wizards mailing list archives

Rep:RE: VPN and NAT


From: "Georges Dupont" <dalong () ifrance com>
Date: Wed, 11 Jun 2003 09:18:56 GMT

Hi Ben and Ravi,

And thanks for your answers. I will clarify a little bit where we are as
to this VPN and NAT stuff, but for the main part it looks like one of
Ben's suggestions.

> First of all, when you say "real" IP addresses, I assume that you mean
> "someone else's", which creates the problem that you might need to reach
> internal addresses as well as the legitimate owner of those addresses.

That is true, but it has been so for quite a long time and the customer
just does not care for this problem. Lucky us.

> Terminate the VPN such that users are assigned IPs in the internal (as in
> "real / someone else's") range. Things will then work just fine unless they

[cut]

> Terminate the VPN users in a separate DMZ with separate addressing which is
> logically inside and parallel to the normal inside network. Put a firewall
> between the in and vpn nets and another between the vpn and outgoing DMZ
> nets. The only real difference is that you can NAT the in network to make

This second option is, somehow, the way we are going. The diagram is a
little bit more complicated, but here's the main idea:

[Internet] -- access router -- VPN DMZ (RFC 1918) -- filtering router -- [in]

The 'access router' is already performing ingress/egress filtering, we
will "only" create a new DMZ dedicated to the VPN and adapt the filters
accordingly.
When using the VPN, the users will (should?) not be able to use any
other interface card/modem card on their system nor any other network
route. It will/should be a 'dedicated link', no external surfing while
VPNing into the network. They will 'know' the real, internal IP
addresses of their targets, no NAT used. Just as if they were directly
connected to their company's network.
Users should be granted IP addresses in ranges related to their
authentication, so that filters per address range may be defined, to
restrict access only to systems they need to access.

Have we missed something, big or small, as to this architecture?

> In either option, always make sure that VPN users are assigned into an IP
> range which isn't shared with any other kind of device - this is important
> for log and audit.

That will be the case, they will use several RFC 1918 class C networks
or one class B, I do not know yet.

> good luck...

Thanks, we will need every bit of it when getting down to work...
_____________________________________________________________________
Want to chat "live" with your friends? Download MSN Messenger
http://www.ifrance.com/_reloc/m the number one instant messenger in France
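The two properties the thread asks for, per-authentication VPN pools that share no range with any other device (for log and audit) and a filtering router that lets each pool reach only what its group needs, modelled as an added example. This is editor-added code, not from the original post or from Ben's replies; every network, group name, host and port in it is hypothetical (constructed data), and the filtering router's behaviour is reduced to first-match evaluation of a rule list.

```python
"""Added example (not from the original post): model the VPN-DMZ design as
data and check two properties.

1. Every VPN pool is RFC 1918 and overlaps no other VPN pool and no range
   used by other kinds of device, so a source address in a log line
   identifies a VPN user unambiguously.
2. The filtering router between the VPN DMZ and the inside permits each
   authentication group to reach only its listed destinations and denies
   everything else by default.

All networks, group names, hosts and ports are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# One VPN pool per authentication group (hypothetical).
VPN_POOLS = {
    "finance": "10.200.1.0/24",
    "devel":   "10.200.2.0/24",
    "admins":  "10.200.3.0/24",
}

# Ranges already used by other kinds of device (hypothetical): the real
# internal network and an existing server DMZ.
OTHER_RANGES = {
    "internal":   "10.1.0.0/16",
    "server-dmz": "10.2.0.0/24",
}

# What each group may reach: (destination, protocol, port). Hypothetical.
POLICY = {
    "finance": [("10.1.10.5/32", "tcp", 1433)],
    "devel":   [("10.1.20.0/24", "tcp", 22)],
    "admins":  [("10.1.0.0/16", "tcp", 22), ("10.1.0.0/16", "udp", 161)],
}


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"


def check_pools(pools, others):
    """Return a list of problems: pools outside RFC 1918, VPN pools that
    overlap each other, and VPN pools that overlap another device range."""
    problems = []
    pool_nets = {name: ipaddress.ip_network(p) for name, p in pools.items()}
    other_nets = {name: ipaddress.ip_network(r) for name, r in others.items()}
    for name, pool in pool_nets.items():
        if not any(pool.subnet_of(r) for r in RFC1918):
            problems.append(f"{name}: {pool} is not an RFC 1918 range")
    names = list(pool_nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if pool_nets[a].overlaps(pool_nets[b]):
                problems.append(f"{a} {pool_nets[a]} overlaps {b} {pool_nets[b]}")
    for name, pool in pool_nets.items():
        for oname, other in other_nets.items():
            if pool.overlaps(other):
                problems.append(f"{name} {pool} overlaps {oname} {other}")
    return problems


def build_filter(pools, policy):
    """Rules for the filtering router between the VPN DMZ and the inside.
    The source of every permit rule is the group's whole pool, so the access
    a user gets follows from the pool they were authenticated into. A final
    catch-all deny covers everything not explicitly permitted."""
    rules = []
    for group, entries in policy.items():
        src = ipaddress.ip_network(pools[group])
        for dst, proto, port in entries:
            rules.append(Rule(src, ipaddress.ip_network(dst), proto, port, "permit"))
    rules.append(Rule(ANY_NET, ANY_NET, "any", None, "deny"))
    return rules


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First-match evaluation of one packet against the rule list, the way a
    filtering router walks an access list."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in r.src and dst in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"  # unreachable with the catch-all, kept as a safe default


if __name__ == "__main__":
    for p in check_pools(VPN_POOLS, OTHER_RANGES):
        print("POOL PROBLEM:", p)
    rules = build_filter(VPN_POOLS, POLICY)
    for r in rules:
        print(f"{r.action:6} {r.src} -> {r.dst} {r.proto} {r.dport or 'any'}")
    print(evaluate(rules, "10.200.1.7", "10.1.10.5", "tcp", 1433))  # finance -> DB
    print(evaluate(rules, "10.200.2.7", "10.1.10.5", "tcp", 1433))  # devel -> DB
```

Run the pool check whenever a pool or another range is added; the overlap test is what keeps a VPN source address meaningful in the logs. The client-side requirement in the post (no other interface or route while the tunnel is up) is not modelled here, since it has to be enforced in the VPN client, not at the filtering router.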



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

