Firewall Wizards mailing list archives

Re: Site to site VPN between public ip and private ip


From: Ratna Thurairatnam <ratna1504 () yahoo com>
Date: Sun, 4 Jun 2006 17:59:07 -0700 (PDT)

They have a NAT/Firewall device. I do not know whether the device passes IPsec through.
They have their own DC, but our PC is not part of their domain, because we use only RDP right now.
The IT admin says that he has a spare public IP.
   
   
  

Sanford Reed <sanford.reed () cox net> wrote:

This can be done but to give a proper answer we need more info.
   
  1. How does the landlord provide connectivity for the systems in the remote office?
  2. Are they on a VLAN:
     a. off his core switch?
     b. off the FW device?
     c. Do they have their own FW device connected directly to his Internet connection?
  3. How do the users in the remote office authenticate? Do they have their own Domain Controller/Network or are they
using the Landlord's DC?
   
   
  The simplest way would be to establish a site-to-site VPN tunnel in the FWs, then within those FW devices set the
routing for that tunnel to be between your HQ LAN and the 10.0.10.0 network only.
  The problem with this is that it exposes your HQ network's routing info to the landlord's network. You lose security
control on the CA end of the tunnel and therefore security control of the tunnel, AND open your FW device and network to
'internal' attack from the landlord's network.
   
   
  The best way would be to have the landlord install a switch between the ISP connection and his FW. Then you
provide a FW device and a Layer 3 enabled switch, used to connect your workstations only, to connect to the 'public'
switch. The landlord would have to 'loan' you one of his public IP addresses to place on your FW device, or
you could ask him to obtain an additional 8 IP address block from his ISP for your use. Offer to pay the monthly
charges for these addresses; it shouldn't be more than about $20/month.
  Establish the site-to-site VPN tunnel to this new FW and set up the same routing rules. You can then build a GRE
tunnel between the HQ core switch and the new switch in the remote office to pass routing information. You should also
place a DC in the remote office to allow them to authenticate and receive network policies locally to reduce the WAN auth
traffic.
   
   
    Sanford Reed 
(V) 757.406.7067

      
---------------------------------
  
  From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On 
Behalf Of Ratna Thurairatnam
Sent: Sunday, May 28, 2006 4:47 PM
To: firewall-wizards () listserv icsalabs com
Subject: [fw-wiz] Site to siteVPN between public ip and private ip

   
    We have HQ in NYC and a remote office in CA; the users in the CA office are in another company's network (the landlord is
providing the internet connection).

    At present our CA users' PCs are getting NATed IPs (10.0.10.*) from the landlord's network to connect to the internet, then
they are using RDP to connect to our NYC office.

    We have now bought a program which is not supported to run on TS, so we now have to give up the TS and find a way to
connect CA to NYC.

    We now want to set up a VPN.

    Is it possible to set up a VPN if our CA PIX gets a private IP for its external interface?

    Thank you for your help in advance.

    Mutthu

     

     

    
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

