[VPN] Re: fw1 site to site vpn subnet conflict

Joseph S D Yao jsdy at center.osis.gov
Tue Sep 5 12:17:40 EDT 2006


If you dual-proxy with two firewalls, you can use DNS internally to each
network but not resolve each other's IP addresses.


you - fw#1 ----------- fw#2 - them
	IP address network
	unused on either side

To elaborate:

Say, you are using all 10.0's, 10.1's, 10.2's, and 10.3's, and they are
using 10.3's, 10.4's, and 10.5's.  Choose a 10.255.255 or a 172.31.255
for the in-between network.

When someone wants to do a Web browse, have your Web browser proxy to
fw#1, and fw#1 forwards the proxy message for them.com to fw#2, which
uses their own DNS to resolve the name.  Similarly, their Web browsers
proxy to fw#2, which forwards the proxy message for you.com to fw#1,
which uses your own DNS to resolve the name.

When someone wants to send mail, have your mail server forward all
them.com e-mail to fw#1, which will forward it all to fw#2, which will
either forward it to a given mail server on their side or use their own
DNS to determine the mail server.  Similarly, when they want to send you
e-mail, their mail server will forward all you.com e-mail to fw#2, which
will forward it all to fw#1, which will either forward it to a given
mail server on your side or use your own DNS to determine the mail
server.

Other services can be similarly proxied.

-- 
Joe Yao
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
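An added example, not part of the post above: a small Python check for the situation Joe describes. It finds the prefixes the two sides both use (the reason plain routing fails), picks an in-between network that is private and unused on either side, and hands fw#1 and fw#2 the first two usable addresses in it. The prefixes, the /24 size of the transit candidates and the fw1/fw2 labels are constructed assumptions.

```python
import ipaddress

# Constructed prefixes matching the post: "you" use 10.0-10.3, "they" use 10.3-10.5.
YOUR_NETS = [f"10.{i}.0.0/16" for i in range(0, 4)]
THEIR_NETS = [f"10.{i}.0.0/16" for i in range(3, 6)]
# The post's two suggested in-between networks; the /24 size is an assumption.
TRANSIT_CANDIDATES = ["10.255.255.0/24", "172.31.255.0/24"]


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def overlapping_prefixes(ours, theirs):
    """Pairs (ours, theirs) of prefixes that overlap, as strings.

    Any hit means a routed site-to-site VPN cannot tell the two sides apart,
    which is what forces the dual-proxy design.
    """
    return [(str(a), str(b))
            for a in _nets(ours) for b in _nets(theirs) if a.overlaps(b)]


def pick_transit_network(candidates, ours, theirs):
    """First candidate that is private and unused on either side, else None."""
    used = _nets(ours) + _nets(theirs)
    for cand in _nets(candidates):
        if cand.is_private and not any(cand.overlaps(n) for n in used):
            return str(cand)
    return None


def assign_transit_addresses(transit):
    """fw#1 and fw#2 take the first two usable addresses of the transit network."""
    hosts = list(ipaddress.ip_network(transit).hosts())
    return {"fw1": str(hosts[0]), "fw2": str(hosts[1])}


if __name__ == "__main__":
    print("conflicts:", overlapping_prefixes(YOUR_NETS, THEIR_NETS))
    transit = pick_transit_network(TRANSIT_CANDIDATES, YOUR_NETS, THEIR_NETS)
    print("transit:", transit, assign_transit_addresses(transit))
```

Run it once before configuring the firewalls; if `pick_transit_network` returns None, widen the candidate list rather than reusing a prefix either side already routes.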
