VPN/NAT Topology

Eric Henriksen eric_h at Earthlink.Net
Tue Oct 5 11:52:49 EDT 1999


Without much in-depth analysis of your situation, I would suggest that the
destination addresses for the peer VPN network, to which the users behind your
NAT firewall would like to communicate, be IANA private, RFC 1918 test
addresses, unroutable in the public Internet, and therefore not posing any
danger if the firewall attempted to forward these on to its default gateway.
The Internet access router would inevitably throw them in the bit bucket.
To use public routable addresses for any private network, especially VPN
authorized extranets, is certainly a dangerous move susceptible to
compromise.

Eric Henriksen
RedCreek Communications, Inc.
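The routing decision both messages are about, as an added example that is not part of this thread or of any product mentioned in it: a longest-prefix-match route table for the NAT firewall in Tim's topology, with the peer extranet (an RFC 1918 prefix, as Eric suggests) pointed at the VPN router, the rest of the RFC 1918 space blackholed on the firewall itself so no private destination can fall through to the default route, and everything else sent to the gateway router. A second, bare table shows the leak Tim was warned about. All addresses, interface names and the blackhole routes are assumptions chosen for illustration (documentation ranges, nothing from the thread); the rendered commands are standard Linux iproute2 syntax, not Gauntlet configuration.

```python
"""Longest-prefix-match routing for the NAT firewall in the thread's topology.

Constructed addressing, assumed for illustration (not from the thread):
  DMZ segment 192.0.2.0/24 on eth0: gateway router .1, VPN router .2, firewall .3
  Inside network 10.1.0.0/16 on eth1
  Peer VPN network 10.20.0.0/16 (RFC 1918), reachable only through the VPN router
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

GATEWAY_ROUTER = "192.0.2.1"   # assumed Internet gateway router on the DMZ
VPN_ROUTER = "192.0.2.2"       # assumed VPN peer router on the DMZ

RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str]   # next-hop address; None for connected or blackhole routes
    dev: Optional[str]   # egress interface; None marks a blackhole route

    @property
    def kind(self) -> str:
        if self.dev is None:
            return "blackhole"
        return "via" if self.via else "connected"


def R(prefix: str, via: Optional[str] = None, dev: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix), via, dev)


# Hardened table: the peer extranet gets an explicit route to the VPN router,
# the RFC 1918 aggregates are blackholed, and only the default route points at
# the Internet gateway.
FIREWALL_ROUTES: List[Route] = [
    R("192.0.2.0/24", dev="eth0"),                   # DMZ, connected
    R("10.1.0.0/16", dev="eth1"),                    # inside, connected
    R("10.20.0.0/16", via=VPN_ROUTER, dev="eth0"),   # peer extranet -> VPN router
    R("10.0.0.0/8"),                                 # remaining private space:
    R("172.16.0.0/12"),                              #   blackhole rather than
    R("192.168.0.0/16"),                             #   forward to the gateway
    R("0.0.0.0/0", via=GATEWAY_ROUTER, dev="eth0"),  # ordinary web traffic
]

# The table Tim was warned about: no specific route, so the peer network
# matches only the default route and leaves in the clear via the gateway.
BARE_ROUTES: List[Route] = [
    R("192.0.2.0/24", dev="eth0"),
    R("10.1.0.0/16", dev="eth1"),
    R("0.0.0.0/0", via=GATEWAY_ROUTER, dev="eth0"),
]


def lookup(routes: List[Route], dst: str) -> Route:
    """Classic longest-prefix match; the default route guarantees a hit."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop(dst: str, routes: List[Route] = FIREWALL_ROUTES) -> Tuple[str, Optional[str]]:
    r = lookup(routes, dst)
    return (r.kind, r.via if r.kind == "via" else r.dev)


def private_leaks(routes: List[Route], gateway: str = GATEWAY_ROUTER) -> List[str]:
    """Report any way an RFC 1918 destination could reach the Internet gateway.

    Any address inside an aggregate matches at least a route equal to that
    aggregate, so its longest match is either that route or one nested inside
    it; checking both is sufficient.
    """
    problems = []
    for p in RFC1918:
        exact = [r for r in routes if r.prefix == p]
        if not exact or exact[0].via == gateway:
            problems.append(f"{p}: no blackhole or specific route covers the aggregate")
        for r in routes:
            if r.via == gateway and r.prefix != p and r.prefix.subnet_of(p):
                problems.append(f"{p}: {r.prefix} is routed via the Internet gateway")
    return problems


def iproute2_commands(routes: List[Route]) -> List[str]:
    """Render the table as Linux iproute2 commands (connected routes are
    normally installed by address configuration; shown for completeness)."""
    cmds = []
    for r in routes:
        if r.kind == "blackhole":
            cmds.append(f"ip route add blackhole {r.prefix}")
        elif r.kind == "via":
            cmds.append(f"ip route add {r.prefix} via {r.via} dev {r.dev}")
        else:
            cmds.append(f"ip route add {r.prefix} dev {r.dev}")
    return cmds


if __name__ == "__main__":
    for cmd in iproute2_commands(FIREWALL_ROUTES):
        print(cmd)
    for dst in ("10.20.5.7", "198.51.100.10", "192.168.50.1"):
        print(dst, "hardened:", next_hop(dst), "bare:", next_hop(dst, BARE_ROUTES))
    print("leaks in bare table:", private_leaks(BARE_ROUTES))
```

The blackhole routes are the practitioner's check on Eric's point: instead of relying on the Internet router to discard leaked private destinations, the firewall never forwards them at all, which also covers the case where the VPN tunnel is down and the peer prefix is withdrawn. Connected inside networks must be more specific than the blackholed aggregate, as 10.1.0.0/16 is here, or they would be blackholed too.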
----- Original Message -----
From: <tweil at rpm.com>
To: Steve Brown <sbrown at cw.net>
Cc: <vpn at listserv.secnetgroup.com>
Sent: Wednesday, September 15, 1999 8:29 AM
Subject: VPN/NAT Topology


>
> Steve -
>
>        Chapter 5 of your VPN book has a section called VPN/NAT Topology.  This
> is a specific design area I am investigating for a client.   The desired
> scenario is this
>
>                  Internet -- Gateway Router  --- VPN Peer Router on Untrusted
> DMZ   --- NAT Firewall
>
>      I have been 'strongly advised' by a well-known (big 'C') network company
> to establish direct routes between the NAT Firewall Device (Gauntlet 4.2) and
> VPN Peer Router so that every inbound/outbound packet is inspected by the VPN
> device.  The justification (I'm told) is that FW forwarding of outbound
> traffic might select Gateway Router as preferred route (thus ignoring IPSEC
> encryption on the VPN router).
>
>      If this scenario makes any sense, I'm looking for some '2nd opinions'.
> Specifically, some Firewall logic that would forward outbound IPSec-targeted
> packets to the VPN device and establish 'pass-thru' routes for general Web
> Surfing traffic.  In my mind routing all IP traffic through a VPN device is
> bad design.  We should be able to DIFFERENTIATE between normal Web Surfing
> and Encrypted IPSec packets on the same network.
>
> Tim Weil - CCNA/CCDA
> InterNetwork Consultant
> RPM Consulting, Inc.
> email:tweil at rpm.com.
>

****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html

We are currently experiencing "unsubscribe" difficulties.  If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com

****************************************************************