Re: [fw-wiz] Site to siteVPN between public ip and private ip



This can be done but to give a proper answer we need more info.



1. How does the landlord provide connectivity for the systems in the remote
office?

2. Are they on a VLAN:

a. off his Core Switch?

b. Off of the FW device

c. Do the have their own FW device connected direct to his Internet
connection.

3. How do the users in the Remote office Authentic? Do they have their own
Domain Controller/Network or are they using the Landlord?s DC?





The simplest way would be to establish a site-to-site VPN tunnel in the FWs
then within those FW devices set the routing for that tunnel to be between
your HQ LAN and the 10.0.10.0 network only.

The problem with this is that it exposes your HQ network?s routing info to
the landlord?s network. You lose security control on the CA end of the
tunnel therefore security control of the tunnel. AND open your FW device and
network to ?internal? attack from the landlord?s network.





The best way would to be to have the landlord install a switch between the
ISP connection and his FW. Then you provide a FW device and a Layer 3
enabled switch that would be used to connect to your workstations only to
connect to the ?public? switch. The landlord would have to ?loan? you one of
his Public IP Addresses to place on your FW Device or you could ask him to
obtain an additional 8 IP address block from his ISP for your use. Offer to
pay the monthly charges for these addresses; it shouldn?t be more than about
$20/month.

Establish the site-to-site VPN tunnel to this new FW and setup the same
routing rules. You can then build a GRE tunnel between the HQ core switch
and the new switch in the remote office to pass routing information. You
should also place a DC in the remote office to allow them to authentic and
receive network policies locally to reduce the WAN auth traffic.





Sanford Reed
(V) 757.406.7067

_____

From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Ratna
Thurairatnam
Sent: Sunday, May 28, 2006 4:47 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Site to siteVPN between public ip and private ip



We have HQ in NYC and a remote office in CA, the users in CA office in
another companies's network(landloard is providing internet connection).

At present our CA user's PC are getting NATed ip (10.0.10.*) from landload's
network to connect to internet then they are using RDP to connect our NYC
office..

We have now bought a program which is not support to run on TS, so we now
have to giveup the TS and find the way to connect the CA to NYC.



We now want to setup VPN.

is it possible to setup VPN, if our CA pix get private ip for it's external
interface?

thank you for your help in Advance.

Mutthu





_____

Talk is cheap. Use Yahoo! Messenger to make PC-to-Phone calls. Great
<http://us.rd.yahoo.com/mail_us/taglines/postman7/*http:/us.rd.yahoo.com/evt
=39666/*http:/messenger.yahoo.com> rates starting at 1¢/min.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards