Re: [fw-wiz] Site to siteVPN between public ip and private ip

This can be done but to give a proper answer we need more info.

1. How does the landlord provide connectivity for the systems in the remote

2. Are they on a VLAN:

a. off his Core Switch?

b. off of the FW device?

c. Do they have their own FW device connected directly to his Internet?

3. How do the users in the Remote office authenticate? Do they have their own
Domain Controller/Network or are they using the Landlord's DC?

The simplest way would be to establish a site-to-site VPN tunnel in the FWs
then within those FW devices set the routing for that tunnel to be between
your HQ LAN and the network only.

The problem with this is that it exposes your HQ network's routing info to
the landlord's network. You lose security control on the CA end of the
tunnel, therefore security control of the tunnel, AND open your FW device and
network to "internal" attack from the landlord's network.

The best way would be to have the landlord install a switch between the
ISP connection and his FW. Then you provide a FW device and a Layer 3
enabled switch that would be used to connect to your workstations only to
connect to the "public" switch. The landlord would have to "loan" you one of
his Public IP Addresses to place on your FW Device or you could ask him to
obtain an additional 8 IP address block from his ISP for your use. Offer to
pay the monthly charges for these addresses; it shouldn't be more than about

Establish the site-to-site VPN tunnel to this new FW and set up the same
routing rules. You can then build a GRE tunnel between the HQ core switch
and the new switch in the remote office to pass routing information. You
should also place a DC in the remote office to allow them to authenticate and
receive network policies locally to reduce the WAN auth traffic.

Sanford Reed
(V) 757.406.7067
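Added example (mine, not code from Sanford's reply or from anything on the firewall-wizards list): a small Python model of the rule the reply keeps coming back to, that the tunnel should carry traffic between the HQ LAN and the remote office network only, plus a check that flags the two selector mistakes that would instead expose HQ to the rest of the landlord's network. The HQ prefix 192.168.1.0/24 and the landlord's 10.0.0.0/8 are assumptions; 10.0.10.0/24 mirrors the NATed range mentioned in the question; the sample packets are constructed.

```python
# Added example: a model of the "tunnel carries HQ <-> remote office traffic only"
# rule from the reply above. Not code from the thread. Prefixes are constructed:
# 10.0.10.0/24 mirrors the NATed range in the question; the HQ LAN and the
# landlord's wider 10/8 space are assumptions.
from ipaddress import ip_address, ip_network
from typing import List

HQ_LAN = "192.168.1.0/24"        # assumed HQ LAN in NYC
OFFICE_LAN = "10.0.10.0/24"      # CA office range, from the question
LANDLORD_SPACE = "10.0.0.0/8"    # assumed: the rest of the landlord's network


def classify(src: str, dst: str, hq: str = HQ_LAN, office: str = OFFICE_LAN) -> str:
    """Decide what the remote-office FW does with one packet.

    "tunnel": it matches the HQ<->office selector pair and is encrypted into the VPN.
    "deny":   it involves HQ but does not come from / go to the office LAN, so the
              landlord's other hosts cannot ride the tunnel into HQ.
    "clear":  ordinary internet-bound traffic; it never enters the tunnel.
    """
    s, d = ip_address(src), ip_address(dst)
    hq_net, office_net = ip_network(hq), ip_network(office)
    if (s in hq_net and d in office_net) or (s in office_net and d in hq_net):
        return "tunnel"
    if s in hq_net or d in hq_net:
        return "deny"
    return "clear"


def check_selectors(hq: str, remote_selector: str, office: str = OFFICE_LAN) -> List[str]:
    """Flag selector mistakes that widen the tunnel beyond the office LAN.

    Returns a list of problems (empty when the selectors are as narrow as the
    reply recommends). Two mistakes are caught: overlapping prefixes on the two
    ends, and a remote selector wider than the office LAN, which would let the
    landlord's other subnets reach HQ through the tunnel.
    """
    hq_net, sel, office_net = ip_network(hq), ip_network(remote_selector), ip_network(office)
    problems = []
    if hq_net.overlaps(sel):
        problems.append(f"HQ {hq_net} overlaps remote selector {sel}: routing is ambiguous")
    if sel.prefixlen < office_net.prefixlen and office_net.subnet_of(sel):
        problems.append(f"remote selector {sel} is wider than the office LAN {office_net}")
    return problems


if __name__ == "__main__":
    # Constructed sample packets: office -> HQ, landlord's other VLAN -> HQ, office -> internet.
    for src, dst in [("10.0.10.25", "192.168.1.10"),
                     ("10.0.20.5", "192.168.1.10"),
                     ("10.0.10.25", "203.0.113.7")]:
        print(f"{src:>12} -> {dst:<14} {classify(src, dst)}")
    # A remote selector of 10/8 is the exact mistake the reply warns about.
    for problem in check_selectors(HQ_LAN, LANDLORD_SPACE):
        print("selector problem:", problem)
```

The `deny` branch is what keeps the first (simpler) design from turning the tunnel into a path from the landlord's whole network into HQ: any packet that touches HQ but is not from the office LAN is dropped at the remote FW rather than forwarded. `check_selectors` is the review step to run on the crypto/routing rules before the tunnel goes live; a remote selector of `10.0.0.0/8` passes a casual "does it reach the office" test but fails here.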


From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Ratna
Sent: Sunday, May 28, 2006 4:47 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Site to siteVPN between public ip and private ip

We have HQ in NYC and a remote office in CA; the users in the CA office are in
another company's network (the landlord is providing the internet connection).

At present our CA users' PCs are getting NATed IPs (10.0.10.*) from the landlord's
network to connect to the internet, then they are using RDP to connect to our NYC

We have now bought a program which is not supported to run on TS, so we now
have to give up the TS and find a way to connect CA to NYC.

We now want to set up a VPN.

Is it possible to set up a VPN if our CA PIX gets a private IP for its external

Thank you for your help in advance.



