Firewall Wizards mailing list archives

Re: IPsec and NAT [was: Placement of a VPN Appliance]


From: "Ray Hooker" <Ray.Hooker () attglobal net>
Date: Mon, 8 Jan 2001 12:32:28 -0500

Whether you use two devices or one would be based on your installation
requirements.  In many cases, you have a firewall which performs the NAT and
a separate VPN device.  This fits the scenario of a central office with a
VPN concentrator supporting a large number of users.  In the case of a small
office or remote office, all functions may be provided by one device.

As for NAT where two partners have overlapping private IP addresses, that
seems like a recipe for failure.  I would think that devices used for B2B
scenarios should use public addresses only to prevent conflicts.

As for whether or not the UDP wrapper is a lot of extra work, I would not
think so.  UDP header generation should be pretty static and require simply
that the sender set up the memory space with the UDP header and append the
packet data to it.  The only real impact would be minor for generating the
UDP packet format once and then a few extra cycles to transmit the extra
bits.  On the receiving end, it would be one extra string operation.  Seems
minor compared to the CPU intensive mathematical calculations required for
IPSec and encryption.

One final comment.  I know that the Cisco product line implements the mode
config feature to allow one side (normally the central spoke, firewall or
VPN concentrator) to assign IP addresses to the remote client.  This would
not be appropriate for some B2B scenarios but works well with remote access
VPNs.

Ray Hooker
----- Original Message -----
From: "Valerie Anne Bubb" <bubbva () incog com>
To: <firewall-wizards () nfr com>; <ben.nagy () marconi com au>
Sent: Friday, January 05, 2001 8:48 PM
Subject: [fw-wiz] IPsec and NAT [was: Placement of a VPN Appliance]
.................

That seems like a lot of extra work, and also requires another
machine compatible with your way of wrapping it in a UDP packet
at the other end (instead of any IPsec VPN product to any other
brand's IPsec VPN product).

This would seem to make NAT useless in scenarios where
you and your partner have overlapping IP addresses on
your internal networks (or, as is often seen when one company
absorbs another), or am I missing something?
