Firewall Wizards mailing list archives
Rep:RE: VPN and NAT
From: "Georges Dupont" <dalong () ifrance com>
Date: Wed, 11 Jun 2003 09:18:56 GMT
Hi Ben and Ravi, and thanks for your answers. I will clarify a little bit where we are as to this VPN and NAT stuff, but for the main part it looks like one of Ben's suggestions.
First of all, when you say "real" IP addresses, I assume that you mean "someone else's", which creates the problem that you might need to reach internal addresses as well as the legitimate owner of those addresses.
That is true, but it has been so for quite a long time and the customer just does not care for this problem. Lucky us.
Terminate the VPN such that users are assigned IPs in the internal (as in "real / someone else's") range. Things will then work just fine unless they [cut]

Terminate the VPN users in a separate DMZ with separate addressing which is logically inside and parallel to the normal inside network. Put a firewall between the in and vpn nets and another between the vpn and outgoing DMZ nets. The only real difference is that you can NAT the in network to make

This second option is, somehow, the way we are going. The diagram is a little bit more complicated, but here's the main idea:

[Internet] -- access router -- VPN DMZ (RFC 1918) -- filtering router -- [in]

The 'access router' is already performing ingress/egress filtering, we will "only" create a new DMZ dedicated to the VPN and adapt the filters accordingly.

When using the VPN, the users will (should?) not be able to use any other interface card/modem card on their system nor any other network route. It will/should be a 'dedicated link', no external surfing while VPNing into the network. They will 'know' the real, internal IP addresses of their targets, no NAT used. Just as if they were directly connected to their company's network.

Users should be granted IP addresses in ranges related to their authentication, so that filters per address range may be defined, to restrict access only to systems they need to access.

Have we missed something, big or small, as to this architecture?
In either option, always make sure that VPN users are assigned into an IP range which isn't shared with any other kind of device - this is important for log and audit.
That will be the case, they will use several RFC 1918 class C networks or one class B, I do not know yet.
bonne chance...
Thanks, we will need every bit of it when getting down to work...

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
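As an added illustration of the "filters per address range" idea and the non-shared-range audit advice in the message above (example code, not from any of the thread's authors), the following Python models the filtering router between the RFC 1918 VPN DMZ and the inside: each authentication group gets its own address pool, each pool is permitted only to the systems that group needs, and a check confirms that no pool overlaps a range used by other devices. All pools, networks and ports are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed placeholders: one RFC 1918 pool per authentication group.
VPN_POOLS = {
    "finance": "10.200.1.0/24",
    "ops": "10.200.2.0/24",
}

# Constructed: internal systems each group may reach, as (network, tcp port).
ALLOWED = {
    "finance": [("10.10.5.0/24", 443)],
    "ops": [("10.10.0.0/16", 22)],
}

# Constructed: ranges already used by other kinds of device on the inside.
OTHER_INSIDE = ["10.10.0.0/16", "172.16.0.0/12"]


def overlapping_pools(other_cidrs=OTHER_INSIDE):
    """Return (group, cidr) pairs where a VPN pool overlaps another range.

    An empty list means a source address inside a VPN pool can only belong
    to a VPN user, which is what the log/audit advice relies on.
    """
    hits = []
    for group, pool in VPN_POOLS.items():
        for cidr in other_cidrs:
            if ipaddress.ip_network(pool).overlaps(ipaddress.ip_network(cidr)):
                hits.append((group, cidr))
    return hits


def group_of(src):
    """Map a VPN user's address to its authentication group, or None."""
    addr = ipaddress.ip_address(src)
    for group, pool in VPN_POOLS.items():
        if addr in ipaddress.ip_network(pool):
            return group
    return None


def permitted(src, dst, dport):
    """Decision of the filtering router between the VPN DMZ and the inside:
    permit only pool-to-needed-system traffic, deny everything else."""
    group = group_of(src)
    if group is None:
        return False  # not from any VPN pool: dropped at the inside filter
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(net) and dport == port
               for net, port in ALLOWED.get(group, []))
```

Run `overlapping_pools()` whenever a pool is added; a non-empty result means a log line's source address no longer identifies the device class.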