Re: VPN/DMZ configuration help



In article <1181911406.298991.11290@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
shonuff6699@xxxxxxxxx says...
On Jun 15, 7:27 am, Leythos <v...@xxxxxxxxxxx> wrote:
In article <1181908406.792189.8...@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
shonuff6...@xxxxxxxxx says...





Here's my config:
WatchGuard Firebox x750e (version 8)
WatchGuard Firebox SSL Core VPN (version 5.1)
Public IP range: xxx.xxx.xxx.112/29
Private IP range: 192.168.10.0/24

Current Topology:
Internet --- Cisco 1700 --- x750e --- LAN

Here is the config I am trying to achieve:
Internet
|
Cisco 1700
|
x750e --- (DMZ) SSL Core VPN (172.16.10.0/24)
|
LAN (192.168.10.0/24)

If I have three of my public IP addresses currently mapped to the
external interface of the x750, how would I be able to give the
external interface of the SSL VPN appliance a public IP? I need
another IP block don't I? I think I am way overanalyzing this scenario
so I have confused the mess out of myself. Thanks for any help.

You could put the 750e in Drop-In mode and then all interfaces would
have the same addresses (meaning that LAN/DMZ would have the same IP as
the EXT) and then you create rules, same as in Routed Mode, to map ports
between the Zones (LAN/DMZ).

You could also just forward the ports needed by the SSL to the VPN
appliance from the IP you want to use.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999f...@xxxxxxxxxx (remove 999 for proper email address)

Thanks for your reply Leythos. So what you are saying is that if I
want to run my SSL Core VPN in a true DMZ scenario I will have to
change my x750e to drop-in mode? The second option you gave for port
forwarding, if I use that I wouldn't have a true DMZ right?? So that
means I would just hook up the one interface of the SSL Core VPN?? I
called WatchGuard yesterday for some clarification and I am more
confused now than I was before. Thanks again.

This is the best I can do to help you:
http://www.watchguard.com/docs/faq/ssl-core_faq.asp#firewall


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)