Re: Firebox 1000 WG and VPN problem. Assistance request. TIA.
- From: "Somebody." <somebody.@xxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 16 Mar 2006 07:13:45 -0500
"Ricky" <ricky13@xxxxxxxxx> wrote in message
news:03fh12d28ou4gib8cr25cclogqklb2bqd2@xxxxxxxxxx
> No offense taken at all. This is an existing network...one that I
> inherited. I didn't set up the IP structure...wish I had...and the
> guy who had is gone now. I'm restructuring by taking out his overly
> paranoid infrastructure that was pretty much stifling the business and
> putting in newer equipment. The sad thing is that now, so much is
> embedded that it will take a lot of work to change it.
> I will. Plans are in motion to make this right. I spent a great deal
> of time with WatchGuard today and came to the same conclusion...this
> won't work. That's okay. Needs to be done. We are half the crew now
> and I'm replacing the outdated crap that was and putting in new. On
> top of that, I'm learning as I go.
> Which is why I appreciate your help. This group was a great find.
> Thanks so very much.
It's too bad that you've had to do that, but with many boxes that's really
your only choice. If you've already been down the road with WatchGuard and
they agree, then you're just going to have to bite the bullet if you want to
keep your equipment as is. You do have one other option to think about
though, and that's either replacing or supplementing your existing VPN
hardware. Some other boxes are capable of mapping all your internal (head
office) addresses as well as all the client addresses to deal with
overlapping subnets. It's not particularly easy, but it's quite feasible.
Check in the knowledgebase for the search terms "overlapping subnets vpn" to
pop out the tech articles on how to do it for whatever other VPN products
you're considering. I'm 90% sure a Netscreen can do it -- I've done it with
site-to-site, just not client-to-site, but I think the mechanics would be the
same. On a Fortigate, you can set it up to assign the clients' IPs from the
internal network and I *think* I did this once even though my local subnet
was the same -- this of course only works when split tunnelling is disabled,
otherwise your routing table would make no sense. I'd have to check/test
just to be perfectly sure on that one though.
So what I'm saying is that while it may indeed be impossible with your
current box, you might be able to get away with it on another box that you
could either a) hang on the outside on another IP and give it an inside
interface on your DMZ or b) put inside your DMZ and forward protocol 50 and
UDP 500 to it via your WatchGuard. A good SE for one of the other products
on the market should also be able to advise you about it.
Or c) replace your WatchGuard of course, but you may not want to do that;
that's fine. Options a) and b) let you have a very simply configured VPN
concentrator (or at least as simple as possible in the circumstance) and no R&R
on your main firewall; you just leave it in place.
Adding another appliance might not be your first choice, but from the sounds
of it the subnet change is pretty daunting in your case, and you have to ask
yourself: what if another person/vendor/partner comes along that has
unfortunately picked your new IP range for their own... it can still
happen... if it did, wouldn't it be nice to be able to deal with it? Boxes
like this should cost like $500 to $1000, so it's not a huge investment.
-Russ.
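The "mapping" approach Russ describes (each side of the tunnel presented under a distinct translated range so two identical private LANs can still reach each other) is easier to reason about with a concrete model. The following is an added example, not code from the thread, from WatchGuard, or from any other vendor's product: it uses constructed ranges (both LANs on 192.168.1.0/24, mapped to 10.100.1.0/24 and 10.100.2.0/24), models a generic site-to-site 1:1 network translation rather than any specific box's configuration, and the function names (`plan_overlapping_vpn`, `trace_packet`, `translate`) are my own.

```python
"""Overlapping-subnet VPN planning: detect the clash and model the 1:1 NAT
that lets two identical private ranges talk through one tunnel.

Added example, not code from the original thread or from any vendor. The
ranges are constructed: both the head-office and the remote LAN use
192.168.1.0/24, and each side is given a distinct "mapped" range that its
VPN device translates 1:1 on the way in and out of the tunnel.
"""
from ipaddress import IPv4Address, ip_network


def subnets_overlap(a: str, b: str) -> bool:
    """True when two CIDR ranges share at least one address."""
    return ip_network(a).overlaps(ip_network(b))


def translate(addr: str, real: str, mapped: str, reverse: bool = False) -> str:
    """Translate one address between a real range and its mapped twin.

    Host bits are preserved, so 192.168.1.37 in 192.168.1.0/24 becomes
    10.100.1.37 in 10.100.1.0/24 (and back again with reverse=True).
    """
    src, dst = ip_network(real), ip_network(mapped)
    if reverse:
        src, dst = dst, src
    if src.prefixlen != dst.prefixlen:
        raise ValueError("real and mapped ranges must be the same size")
    ip = IPv4Address(addr)
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    offset = int(ip) - int(src.network_address)
    return str(IPv4Address(int(dst.network_address) + offset))


def plan_overlapping_vpn(head_office: str, remote: str,
                         head_office_mapped: str, remote_mapped: str) -> dict:
    """Decide whether mapping is needed and, if so, validate the mapped ranges.

    Returns the traffic selectors each VPN device must use: every device
    advertises its own LAN under its mapped range and expects the peer's
    mapped range on the far side, so neither end ever sees the clash.
    """
    if not subnets_overlap(head_office, remote):
        return {"needs_mapping": False}
    r_ho, r_rm = ip_network(head_office), ip_network(remote)
    m_ho, m_rm = ip_network(head_office_mapped), ip_network(remote_mapped)
    # The real ranges overlap by hypothesis; every other pair must be disjoint,
    # otherwise a mapped address could be mistaken for a local host somewhere.
    for a, b in [(m_ho, m_rm), (m_ho, r_ho), (m_ho, r_rm), (m_rm, r_ho), (m_rm, r_rm)]:
        if a.overlaps(b):
            raise ValueError(f"mapped range clashes: {a} overlaps {b}")
    return {
        "needs_mapping": True,
        "head_office": {"real": str(r_ho), "mapped": str(m_ho)},
        "remote": {"real": str(r_rm), "mapped": str(m_rm)},
        "selectors": {  # (local side, remote side) as each device sees the tunnel
            "head_office_device": (str(m_ho), str(m_rm)),
            "remote_device": (str(m_rm), str(m_ho)),
        },
    }


def trace_packet(src_real_ho: str, dst_mapped_remote: str, plan: dict) -> tuple:
    """Follow one head-office -> remote packet through both translations.

    Returns ((src, dst) as carried inside the tunnel,
             (src, dst) as delivered to the remote host).
    """
    ho, rm = plan["head_office"], plan["remote"]
    # Head-office device, before encryption: rewrite the real source into its
    # mapped identity. The destination already uses the remote's mapped range.
    in_tunnel = (translate(src_real_ho, ho["real"], ho["mapped"]), dst_mapped_remote)
    # Remote device, after decryption: rewrite the mapped destination back to
    # the real remote host. The source keeps its mapped identity so the reply
    # routes back into the tunnel rather than to a local 192.168.1.x host.
    delivered = (in_tunnel[0],
                 translate(dst_mapped_remote, rm["real"], rm["mapped"], reverse=True))
    return in_tunnel, delivered


if __name__ == "__main__":
    plan = plan_overlapping_vpn("192.168.1.0/24", "192.168.1.0/24",
                                "10.100.1.0/24", "10.100.2.0/24")
    print(plan["selectors"])
    print(trace_packet("192.168.1.10", "10.100.2.20", plan))
```

The point the trace makes is the one that trips people up in practice: hosts on each LAN must address the far side by its mapped range (here 10.100.2.x from the head office), and the selectors configured on the two VPN devices are the mapped ranges, not the real ones. The disjointness check is what makes option a) or b) above safe to add next to the existing firewall: if a mapped range collided with either real LAN, the routing table would be as ambiguous as it is today.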