Firewall Wizards mailing list archives
Re: IPsec and NAT [was: Placement of a VPN Appliance]
From: "Ray Hooker" <Ray.Hooker () attglobal net>
Date: Mon, 8 Jan 2001 12:32:28 -0500
Whether you use two devices or one would be based on your installation requirements. In many cases, you have a firewall which performs the NAT and a separate VPN device. This fits the scenario of a central office with a VPN concentrator supporting a large number of users. In the case of a small office or remote office, all functions may be provided by one device.

As for NAT where two partners have overlapping private IP addresses, that seems like a recipe for failure. I would think that devices used for B2B scenarios should use public addresses only to prevent conflicts.

As for whether or not the UDP wrapper is a lot of extra work, I would not think so. UDP header generation should be pretty static and require simply that the sender set up the memory space with the UDP header and append the packet data to it. The only real impact would be minor: generating the UDP packet format once and then a few extra cycles to transmit the extra bits. On the receiving end, it would be one extra string operation. Seems minor compared to the CPU-intensive mathematical calculations required for IPsec and encryption.

One final comment. I know that the Cisco product line implements the mode config feature to allow one side (normally the central spoke, firewall or VPN concentrator) to assign IP addresses to the remote client. This would not be appropriate for some B2B scenarios but works well with remote access VPNs.

Ray Hooker

----- Original Message -----
From: "Valerie Anne Bubb" <bubbva () incog com>
To: <firewall-wizards () nfr com>; <ben.nagy () marconi com au>
Sent: Friday, January 05, 2001 8:48 PM
Subject: [fw-wiz] IPsec and NAT [was: Placement of a VPN Appliance]

.................

> That seems like a lot of extra work, and also requires another machine compatible with your way of wrapping it in a UDP packet at the other end (instead of any IPsec VPN product to any other brand's IPsec VPN product). This would seem to make NAT useless in scenarios where you and your partner have overlapping IP addresses on your internal networks (or, as is often seen when one company absorbs another), or am I missing something?
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
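The "UDP wrapper" Ray describes above is an 8-byte header prepended to the ESP packet; the point of it is that a NAT rewrites only that outer header (and the IP header), so the ESP bytes, including their integrity check value, arrive unchanged and the receiver strips the wrapper with one slice. The following is an added example, not code from the thread or from any vendor named in it. It follows the encapsulation layout later standardized in RFC 3948 (2005): UDP port 4500, a four-zero-byte "non-ESP marker" to tell IKE from ESP on the same port (an ESP SPI of zero is reserved, so the marker cannot collide), and a one-byte 0xFF keepalive. In January 2001 this was still draft and vendor-specific, which is the interoperability gap Valerie's quoted message points at. All addresses, ports, keys and payload bytes are constructed for the demonstration; the ESP payload is treated as already encrypted, so the ESP trailer (padding, pad length, next header) is assumed to be inside the ciphertext.

```python
"""UDP encapsulation of ESP across a NAT (RFC 3948 layout; constructed data only)."""
import hashlib
import hmac
import socket
import struct

NAT_T_PORT = 4500                    # UDP port for IKE and encapsulated ESP once NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE on port 4500 carries this; ESP cannot (SPI 0 is reserved)
NAT_KEEPALIVE = b"\xff"              # single byte sent periodically to hold the NAT mapping open
ICV_LEN = 12                         # HMAC-SHA1-96 integrity check value


def _ones_complement_sum(data):
    """16-bit one's complement sum, as used by the UDP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip, dst_ip, udp_len):
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)


def udp_checksum(src_ip, dst_ip, udp):
    """Checksum for a UDP datagram whose checksum field is currently zero."""
    csum = (~_ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(udp)) + udp)) & 0xFFFF
    return csum or 0xFFFF  # a computed zero is transmitted as 0xFFFF


def udp_checksum_ok(src_ip, dst_ip, udp):
    """A datagram with a valid checksum sums to 0xFFFF together with its pseudo-header."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(udp)) + udp) == 0xFFFF


def build_esp(spi, seq, ciphertext, auth_key):
    """ESP: SPI, sequence number, encrypted payload (trailer assumed inside), truncated HMAC."""
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, hdr + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + ciphertext + icv


def verify_esp(esp, auth_key):
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN], icv)


def udp_encapsulate(src_ip, dst_ip, src_port, dst_port, payload):
    """The 'UDP wrapper': build the 8-byte header once, append the payload, fill in the checksum."""
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = udp_checksum(src_ip, dst_ip, hdr + payload)
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def udp_decapsulate(udp):
    """Receiver side: strip the header and demultiplex keepalive / IKE / ESP."""
    _sport, _dport, length, _csum = struct.unpack("!HHHH", udp[:8])
    if length != len(udp):
        raise ValueError("UDP length field does not match datagram")
    payload = udp[8:]
    if payload == NAT_KEEPALIVE:
        return "keepalive", payload
    if payload[:4] == NON_ESP_MARKER:
        return "ike", payload[4:]
    return "esp", payload


def nat_rewrite(udp, new_src_ip, new_src_port, dst_ip):
    """What the NAT does: new outer source address/port, recomputed checksum, payload untouched."""
    _sport, dport, length, _csum = struct.unpack("!HHHH", udp[:8])
    hdr = struct.pack("!HHHH", new_src_port, dport, length, 0)
    csum = udp_checksum(new_src_ip, dst_ip, hdr + udp[8:])
    return struct.pack("!HHHH", new_src_port, dport, length, csum) + udp[8:]


def demo():
    """Client 10.0.0.7 behind a NAT talks to gateway 198.51.100.1; the NAT maps it to 203.0.113.5:61001."""
    auth_key = b"constructed-auth-key"
    esp = build_esp(spi=0x1000ABCD, seq=1, ciphertext=b"\x8a" * 32, auth_key=auth_key)
    sent = udp_encapsulate("10.0.0.7", "198.51.100.1", NAT_T_PORT, NAT_T_PORT, esp)
    on_the_wire = nat_rewrite(sent, "203.0.113.5", 61001, "198.51.100.1")
    kind, payload = udp_decapsulate(on_the_wire)
    return {
        "kind": kind,
        "outer_checksum_ok": udp_checksum_ok("203.0.113.5", "198.51.100.1", on_the_wire),
        "esp_unchanged": payload == esp,       # NAT never touched the ESP bytes
        "esp_icv_ok": verify_esp(payload, auth_key),
        "reply_to_port": struct.unpack("!H", on_the_wire[:2])[0],  # gateway must answer the mapped port
    }


if __name__ == "__main__":
    print(demo())
```

The gateway learns the NAT-assigned port from the outer header of each packet and must send its own traffic back to that port, not to 4500; that is also why the keepalive exists, since an idle mapping disappears and the gateway's next packet would have nowhere to go. The same receiver code handles all three payload types, which is the "one extra string operation" Ray refers to.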