VPN/NAT Topology

Steven A. Brown sbrown at cw.net
Wed Oct 6 12:03:10 EDT 1999


 Tim,

     One other note on the diagram I sent to you: make sure the networks are
subnetted; don't use RFC 1918 blindly, or you will have routing problems. Use
different subnets on the same 10 network, e.g., 10.1/16 for one, and 10.2/16,
10.3/16, and so on.



Steven A. Brown, MBA., CCSA, CCSE,
VPN/Firewall & Internet Security Engineer
Cable&Wireless, 9000 Regency Parkway
Research Triangle Park, NC, 27511
sbrown at cw.net, Steven.Brown at cwusa.com
===================================
Author: Implementing Virtual Private Networks, McGraw-Hill
CoAuthor: CheckPoint Firewall-1, McGraw-Hill
http://www.itdiffusions.com

  "Only two things are infinite, the universe and
 human stupidity, and I'm not sure about the former.

      -- Albert Einstein"


-----Original Message-----
From: Eric Henriksen [mailto:eric_h at earthlink.net]
Sent: Tuesday, October 05, 1999 8:53 AM
To: tweil at rpm.com; Steve Brown
Cc: vpn at listserv.secnetgroup.com
Subject: Re: VPN/NAT Topology


Without much in-depth analysis of your situation, I would suggest that the
destination addresses for the peer VPN network to which the users behind your
NAT firewall would like to communicate be IANA private, RFC 1918 test
addresses, unroutable in the public Internet, and therefore not posing any
danger if the firewall attempted to forward these on to its default gateway.
The Internet access router would inevitably throw them in the bit bucket.
To use public routable addresses for any private network, especially VPN
authorized extranets, is certainly a dangerous move susceptible to
compromise.

Eric Henriksen
RedCreek Communications, Inc.
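A small check of the addressing advice in Steven's note at the top of the thread and in Eric's message above (an added example, not code from the thread): it carves 10/8 into one /16 per site as Steven suggests, and flags prefixes that are not RFC 1918 or that overlap between VPN peers. The site names and prefixes are constructed.

```python
from ipaddress import IPv4Network
from itertools import combinations, islice

# The three IANA private ranges defined by RFC 1918.
RFC1918 = [IPv4Network("10.0.0.0/8"),
           IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]


def plan_sites(names, base="10.0.0.0/8", prefix=16):
    """Carve one /prefix out of `base` for each site, starting at the
    second subnet so the plan reads 10.1/16, 10.2/16, 10.3/16, ..."""
    subnets = islice(IPv4Network(base).subnets(new_prefix=prefix), 1, None)
    return {name: str(net) for name, net in zip(names, subnets)}


def check_vpn_plan(sites):
    """Return a list of problems found in a {site: [cidr, ...]} plan.

    Two checks: every prefix must lie inside an RFC 1918 range (a public
    prefix on a private network is the exposure Eric describes), and no
    prefix at one site may overlap a prefix at another site (overlapping
    peers cause the routing problems Steven warns about)."""
    problems = []
    parsed = {}
    for site, cidrs in sites.items():
        # ipaddress needs the full dotted form, e.g. "10.1.0.0/16", not "10.1/16".
        parsed[site] = [IPv4Network(c, strict=False) for c in cidrs]
        for net in parsed[site]:
            if not any(net.subnet_of(r) for r in RFC1918):
                problems.append(f"{site}: {net} is publicly routable, not RFC 1918")
    for (a, nets_a), (b, nets_b) in combinations(parsed.items(), 2):
        for na in nets_a:
            for nb in nets_b:
                if na.overlaps(nb):
                    problems.append(f"{a} {na} overlaps {b} {nb}")
    return problems


if __name__ == "__main__":
    # Constructed sample plans, not taken from the thread.
    good = {"HQ": ["10.1.0.0/16"], "Partner": ["10.2.0.0/16"]}
    bad = {"HQ": ["10.0.0.0/8"], "Partner": ["10.2.0.0/16", "198.51.100.0/24"]}
    print(plan_sites(["HQ", "Partner", "Vendor"]))
    print(check_vpn_plan(good) or "no problems")
    for p in check_vpn_plan(bad):
        print("PROBLEM:", p)
```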
----- Original Message -----
From: <tweil at rpm.com>
To: Steve Brown <sbrown at cw.net>
Cc: <vpn at listserv.secnetgroup.com>
Sent: Wednesday, September 15, 1999 8:29 AM
Subject: VPN/NAT Topology


>
> Steve -
>
>        Chapter 5 of your VPN book has a section called VPN/NAT Topology. This
> is a specific design area I am investigating for a client.   The desired
> scenario is this:
>
>                  Internet -- Gateway Router --- VPN Peer Router on Untrusted
> DMZ --- NAT Firewall
>
>      I have been 'strongly advised' by a well-known (big 'C') network company
> to establish direct routes between the NAT Firewall Device (Gauntlet 4.2) and
> VPN Peer Router so that every inbound/outbound packet is inspected by the VPN
> device.  The justification (I'm told) is that FW forwarding of outbound
> traffic might select Gateway Router as preferred route (thus ignoring IPSEC
> encryption on the VPN router).
>
>      If this scenario makes any sense, I'm looking for some '2nd opinions'.
> Specifically, some Firewall logic that would forward outbound IPSec-targeted
> packets to the VPN device and establish 'pass-thru' routes for general Web
> Surfing traffic.  In my mind routing all IP traffic through a VPN device is
> bad design.  We should be able to DIFFERENTIATE between normal Web Surfing
> and Encrypted IPSec packets on the same network.
>
> Tim Weil - CCNA/CCDA
> InterNetwork Consultant
> RPM Consulting, Inc.
> email: tweil at rpm.com
>
>
> ****************************************************************
> TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com
>
> The VPN FAQ (under construction) is available at
> http://kubarb.phsx.ukans.edu/~tbird/FAQ.html
>
> We are currently experiencing "unsubscribe" difficulties.  If you
> wish to unsubscribe, please send a message containing the single line
> "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com
>
> ****************************************************************
>


****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html

We are currently experiencing "unsubscribe" difficulties.  If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com

****************************************************************



