VPN/NAT Topology

tweil at rpm.com
Wed Sep 15 08:29:59 EDT 1999



Steve -

Chapter 5 of your VPN book has a section called VPN/NAT Topology. This is a specific design area I am investigating for a client. The desired scenario is this:

    Internet -- Gateway Router --- VPN Peer Router on Untrusted DMZ --- NAT Firewall

I have been 'strongly advised' by a well-known (big 'C') network company to establish direct routes between the NAT Firewall Device (Gauntlet 4.2) and the VPN Peer Router so that every inbound/outbound packet is inspected by the VPN device. The justification (I'm told) is that FW forwarding of outbound traffic might select the Gateway Router as the preferred route (thus ignoring IPSEC encryption on the VPN router).

If this scenario makes any sense, I'm looking for some '2nd opinions'. Specifically, some Firewall logic that would forward outbound IPSec-targeted packets to the VPN device and establish 'pass-thru' routes for general Web Surfing traffic. In my mind routing all IP traffic through a VPN device is bad design. We should be able to DIFFERENTIATE between normal Web Surfing and Encrypted IPSec packets on the same network.

Tim Weil - CCNA/CCDA
InterNetwork Consultant
RPM Consulting, Inc.
email:tweil at rpm.com.
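The split the post asks for (IPsec-bound traffic to the VPN peer, web traffic straight to the gateway) has to be made by destination prefix, because the firewall forwards plaintext on its inside and cannot recognise "encrypted" packets there; the model below is an added example, not part of the post or of any Gauntlet configuration, and its router names, prefixes and addresses are constructed placeholders. Its audit function flags the cleartext-leak risk the advisor raised: a protected destination that the firewall's table would hand to the gateway instead of the VPN peer.

```python
"""Policy-routing model for the NAT firewall in the post: protected
destinations go to the VPN peer router, everything else to the gateway.

Added example, not from the original post.  Router names, prefixes and
addresses are constructed placeholders."""
import ipaddress

VPN_PEER_ROUTER = "vpn-peer-router"  # applies IPsec on the way out
GATEWAY_ROUTER = "gateway-router"    # plain Internet path, no IPsec

# Constructed IPsec selectors: remote networks reachable only via the VPN.
PROTECTED_PREFIXES = ["10.20.0.0/16", "192.168.100.0/24"]


def build_routes(protected=PROTECTED_PREFIXES):
    """Firewall forwarding table: a default route to the gateway for web
    traffic plus one more-specific route per protected prefix to the VPN
    peer.  The firewall sees plaintext on its inside, so the split is made
    by destination prefix, not by inspecting for IPsec."""
    return [("0.0.0.0/0", GATEWAY_ROUTER)] + [(p, VPN_PEER_ROUTER) for p in protected]


def lookup(routes, dst):
    """Longest-prefix match: return the next hop for destination `dst`."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def audit_cleartext_leaks(routes, protected=PROTECTED_PREFIXES):
    """Find protected destinations the table would hand to the gateway in
    cleartext (the risk the post describes).  Checks both ends of each
    protected prefix and any more-specific route carved out of it."""
    leaks = set()
    for p in map(ipaddress.ip_network, protected):
        for probe in (p.network_address, p.broadcast_address):
            if lookup(routes, probe) != VPN_PEER_ROUTER:
                leaks.add((str(p), str(probe)))
        for prefix, next_hop in routes:
            if ipaddress.ip_network(prefix).subnet_of(p) and next_hop != VPN_PEER_ROUTER:
                leaks.add((str(p), prefix))
    return sorted(leaks)
```

Feeding the firewall's actual static routes into `audit_cleartext_leaks` is the check for the condition the advisor described; an empty result means every protected prefix resolves to the VPN peer.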

