[vpn] VPN with NAT

Christopher Gripp cgripp at axcelerant.com
Wed Oct 10 19:20:26 EDT 2001


Not ALL of the traffic, just that traffic that is bound for the remote
subnets of the VPN users.  Of course the most straightforward solution
is replace the LRP with the PIX or vice versa and use one box for both
VPN and Firewalling.  But that gets into the semantics of whether you
want to combine those functions.  Using a PIX just for a VPN is, in my
opinion, not the best solution.  There are much better VPN/Firewall
appliances.  But if you have already made the PIX purchase you might as
well use it.  Another option is replace the LRP with the PIX and then
get another VPN appliance or convert the LRP to a FreeS/WAN box and
stick it off an interface of the PIX.  Like so...



internet-----router-------pix-----------------LAN
				   |                |
				   |                | 
				   ---some vpn box---

That way the outside of the vpn box is protected by the PIX and you can
still play the routing games to bounce packets from the pix to the vpn
box.

Basically there are a million ways to do this.  If you want to make the
FEWEST changes possible, take my first suggestion.  If you want to
maximize security/flexibility, look into the other options.




Christopher Gripp 
Systems Engineer 
Axcelerant 


-----Original Message-----
From: Chuck Renner [mailto:crenner at dynalivery.com]
Sent: Wednesday, October 10, 2001 4:04 PM
To: Christopher Gripp; vpn at securityfocus.com
Subject: RE: [vpn] VPN with NAT


Ok...so set it up like in my second diagram, and instead of having the
LRP box route outbound traffic through its external interface, shoot the
traffic into the PIX?

Sounds sensible enough....

> -----Original Message-----
> From: Christopher Gripp [mailto:cgripp at axcelerant.com]
> Sent: Wednesday, October 10, 2001 6:00 PM
> To: Chuck Renner; vpn at securityfocus.com
> Subject: RE: [vpn] VPN with NAT
> 
> 
> It's a non-issue.  Add routes on the LRP box that point to the inside of
> the PIX for all remote subnets.
> 
> -----Original Message-----
> From: Chuck Renner [mailto:crenner at dynalivery.com]
> Sent: Wednesday, October 10, 2001 3:47 PM
> To: vpn at securityfocus.com
> Subject: [vpn] VPN with NAT
> 
> 
> Here's my current network situation:
> 
> Internet-----Router-----LRP box----Private Network
> 
> The LRP box is a system running a floppy-based version of the Linux
> Router Project.  It is the default gateway for all systems on the private
> network (192.168.1.x), and provides NAT services and firewalling.
> 
> Now, I have a few remote employees that I'd like to connect to the
> private network via a Cisco Secure PIX 506 box.  Ideally, I'd like to
> have something like this:
> 
> Internet-----Router-----LRP box----Private Network
>                |                      |
>                --------PIX 506---------
> 
> 
> I only want to use the PIX to terminate the VPN clients, not have it
> replace the LRP box.  I've been considering the following ideas to make
> things work correctly, and would like feedback or suggestions:
> 
> 1)  I can add a second network card to each system that I want to make
> available via the VPN.  This will require extra cabling and requires a
> lot of opening of boxes.
> 
> 2)  Via RIP, have the systems on the private network update their
> routing tables so that the traffic for any remote system connecting to
> the PIX will be routed back through the PIX.  Only problem is I don't
> know if the PIX provides any capability for this kind of thing.
> 
> 3)  Replace the LRP box with the PIX, so all traffic flows through it.
> 
> 4)  Any methods anyone else can recommend...
> 
> 
> VPN is sponsored by SecurityFocus.com
> 

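The fix Christopher describes (static routes on the LRP box pointing remote VPN subnets at the PIX inside interface) comes down to longest-prefix-match routing: without those routes, a reply to a remote VPN client only matches the LRP's default route and leaves through the NAT side, so the client never gets it back through the tunnel. The script below is an added illustration, not code from the thread or from the LRP/PIX products. It takes the 192.168.1.0/24 LAN and the LRP-as-NAT-gateway role from Chuck's description; the PIX inside address (192.168.1.2), the remote VPN subnets (10.8.0.0/24, 172.16.50.0/24), the interface names and the upstream gateway 203.0.113.1 are constructed assumptions, as is the iproute2 syntax of the generated commands (the floppy LRP may only ship the older `route` command).

```python
"""
Added example: simulate the LRP box's routing decision for VPN return
traffic before and after adding static routes toward the PIX inside.

From the thread: private LAN 192.168.1.0/24, LRP is the default gateway
and does NAT, PIX 506 terminates remote VPN clients and sits on the LAN.
Constructed assumptions (not from the thread):
  - PIX inside interface    192.168.1.2
  - remote VPN client pool  10.8.0.0/24
  - second remote subnet    172.16.50.0/24
  - LRP external iface eth0 with upstream gateway 203.0.113.1, LAN on eth1
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str      # next hop; "0.0.0.0" means directly connected
    iface: str


PIX_INSIDE = "192.168.1.2"          # assumed
UPSTREAM_ROUTER = "203.0.113.1"      # assumed
REMOTE_VPN_SUBNETS = ["10.8.0.0/24", "172.16.50.0/24"]  # assumed


def base_table():
    # What the LRP has today: the connected LAN plus a default route out
    # the external (NAT) interface.
    return [
        Route(ipaddress.ip_network("192.168.1.0/24"), "0.0.0.0", "eth1"),
        Route(ipaddress.ip_network("0.0.0.0/0"), UPSTREAM_ROUTER, "eth0"),
    ]


def with_vpn_routes():
    # The suggested fix: one static route per remote subnet via the PIX inside.
    table = base_table()
    for cidr in REMOTE_VPN_SUBNETS:
        table.append(Route(ipaddress.ip_network(cidr), PIX_INSIDE, "eth1"))
    return table


def lookup(table, dst):
    # Longest-prefix match: the most specific matching route wins,
    # so the /0 default is only used when nothing else matches.
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop(table, dst):
    r = lookup(table, dst)
    return "connected" if r.gateway == "0.0.0.0" else r.gateway


def reply_is_natted(table, dst):
    # Assumption: NAT on the LRP applies to everything leaving eth0. A VPN
    # reply that takes that path gets its source rewritten and bypasses the
    # PIX entirely, so the tunnel client never sees the answer.
    return lookup(table, dst).iface == "eth0"


def route_commands():
    # The equivalent commands an admin would run on the LRP (iproute2 syntax
    # assumed; the same routes can be expressed with the classic `route` tool).
    return [f"ip route add {cidr} via {PIX_INSIDE}" for cidr in REMOTE_VPN_SUBNETS]


if __name__ == "__main__":
    vpn_client = "10.8.0.17"     # constructed remote-user address
    web_server = "198.51.100.7"  # constructed Internet host
    for name, table in (("before", base_table()), ("after", with_vpn_routes())):
        print(f"{name}: reply to {vpn_client} -> {next_hop(table, vpn_client)} "
              f"(leaves via NAT: {reply_is_natted(table, vpn_client)})")
    print("Internet traffic still goes via", next_hop(with_vpn_routes(), web_server))
    print("\n".join(route_commands()))
```

Run stand-alone, it shows the reply to a remote VPN client going to the upstream router before the routes are added and to the PIX inside afterwards, while ordinary Internet traffic keeps using the default route, which is why the change is limited to the remote subnets rather than "all of the traffic".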