VPN/NAT Topology
tweil at rpm.com
Wed Sep 15 08:29:59 EDT 1999
Steve -
Chapter 5 of your VPN book has a section called VPN/NAT Topology. This is a specific design area I am investigating for a client. The desired scenario is this:
Internet --- Gateway Router --- VPN Peer Router on Untrusted DMZ --- NAT Firewall
I have been 'strongly advised' by a well-known (big 'C') network company to establish direct routes between the NAT Firewall device (Gauntlet 4.2) and the VPN Peer Router so that every inbound/outbound packet is inspected by the VPN device. The justification (I'm told) is that FW forwarding of outbound traffic might select the Gateway Router as the preferred route (thus ignoring IPSEC encryption on the VPN router).
If this scenario makes any sense, I'm looking for some '2nd opinions'. Specifically, some firewall logic that would forward outbound IPSec-targeted packets to the VPN device and establish 'pass-thru' routes for general Web surfing traffic. In my mind, routing all IP traffic through a VPN device is bad design. We should be able to DIFFERENTIATE between normal Web surfing and encrypted IPSec packets on the same network.
Tim Weil - CCNA/CCDA
InterNetwork Consultant
RPM Consulting, Inc.
email: tweil at rpm.com
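The route-selection concern raised in the post (a default route on the firewall pointing at the Gateway Router can win over the VPN path and send tunnel-bound traffic out in cleartext) comes down to longest-prefix matching in the firewall's forwarding table. The following is an added illustration, not code from the original post, from Gauntlet, or from the VPN book it refers to: it models a forwarding table as (prefix, next-hop) pairs and shows that only when a more specific route for the remote site's prefix points at the VPN peer does tunnel-bound traffic reach the VPN device, while general Web traffic still takes the default route to the Gateway Router. All addresses, prefixes and next-hop names are constructed assumptions for the example.

```python
"""Longest-prefix-match route selection on a firewall, as an illustration of
why a bare default route can bypass a VPN peer on the same DMZ.

Added example; addresses, prefixes and device names are constructed and
not taken from the original post.
"""
import ipaddress

# Constructed next-hop names for the two devices on the DMZ.
GATEWAY_ROUTER = "gateway-router"   # toward the Internet, no encryption
VPN_PEER = "vpn-peer-router"        # terminates the IPsec tunnel

# Constructed address plan: the remote site is reachable only via the tunnel,
# so any packet for it that leaves via GATEWAY_ROUTER goes out in cleartext.
TUNNEL_PROTECTED = ["10.20.0.0/16"]

# Forwarding table with only a default route (the failure case in the post).
DEFAULT_ONLY = [
    ("0.0.0.0/0", GATEWAY_ROUTER),
]

# Forwarding table with an explicit, more specific route for the remote site
# pointing at the VPN peer; Web traffic still follows the default route.
WITH_VPN_ROUTE = [
    ("0.0.0.0/0", GATEWAY_ROUTER),
    ("10.20.0.0/16", VPN_PEER),
]


def select_next_hop(table, dst):
    """Return the next hop for dst using longest-prefix match.

    This is how a forwarding table (firewall or router) chooses a route:
    the most specific matching prefix wins regardless of table order.
    """
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def leaks_cleartext(table, dst):
    """True when dst belongs to a tunnel-protected prefix but the selected
    route does not hand the packet to the VPN peer."""
    dst_ip = ipaddress.ip_address(dst)
    protected = any(dst_ip in ipaddress.ip_network(p) for p in TUNNEL_PROTECTED)
    return protected and select_next_hop(table, dst) != VPN_PEER


def route_plan(table, destinations):
    """Map each destination to (next_hop, leaks_cleartext) for review."""
    return {dst: (select_next_hop(table, dst), leaks_cleartext(table, dst))
            for dst in destinations}


if __name__ == "__main__":
    # Constructed sample flows: one to the remote site, one ordinary Web hit.
    flows = ["10.20.5.7", "93.184.216.34"]
    for name, table in (("default only", DEFAULT_ONLY), ("with VPN route", WITH_VPN_ROUTE)):
        print(name)
        for dst, (hop, leak) in route_plan(table, flows).items():
            print(f"  {dst:16} -> {hop:18} cleartext leak: {leak}")
```

Running it shows the remote-site flow going to the Gateway Router (and flagged as a cleartext leak) under the default-only table, and to the VPN peer under the table with the specific route, while the Web destination goes to the Gateway Router in both cases. The practical check on a real firewall is the same: confirm that every tunnel-protected prefix has a route more specific than the default whose next hop is the VPN device, rather than routing all traffic through it.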
****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com
The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/FAQ.html
We are currently experiencing "unsubscribe" difficulties. If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com
****************************************************************