B2B VPN

Discussion in 'Cisco' started by td, Dec 2, 2007.

  1. td

    td Guest

    I have a vendor (vendor1) who has a vpn tunnel back to my company to
    provide support for some applications that we have with them.

    My current setup is a 2651XM at the edge and then a hub and then a
    PIX 515E and then my internal network. The vendor utilizes an 1812
    router to establish the tunnel back to their data center.

    Vendor1's router currently connects to the hub and then directly
    connects to the internal network bypassing the firewall. In order to
    increase security I would like to move the 1812 to connect to a
    layer 3 switch on its external port that will reside between the
    firewall and my internal router (3845) and NAT the current external
    address to an internal address.

    Vendor1 has stated that they cannot establish this tunnel across a
    device that has to/will NAT their traffic. I have another vendor
    (vendor2), utilizing a 1720 router for a VPN tunnel, who is requiring
    me to move the router between the firewall and the internal router.

    I cannot see why you cannot NAT Vendor1's traffic.

    If anyone could enlighten me as to whether or not Vendor1 is correct
    in their statement and the reasons behind the correct answer I would
    appreciate it.

    tia td


    td, Dec 2, 2007
    #1
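    Neither reply below explains what NAT does and does not break in an
    IPsec tunnel, so here is an added example that is not part of the
    thread. It builds a packet two ways and then rewrites the source
    address the way a 1:1 NAT device would. The AH integrity check value
    (RFC 4302) is computed over the immutable IPv4 fields, which include
    the source and destination addresses, so the rewrite invalidates it.
    The ESP ICV (RFC 4303) covers only the SPI, sequence number and
    payload, so a plain address rewrite leaves it intact. What still
    trips ESP/IKE across NAT in practice is the IKE peer identity being
    tied to the address and PAT having no port to rewrite in ESP; NAT
    Traversal (RFC 3947/3948, UDP 4500 encapsulation) exists for exactly
    that, and whether both ends have it enabled is the question to put to
    Vendor1. The key, SPI, addresses and payload are constructed for the
    demo; ESP is shown with NULL encryption, which RFC 4303 permits, since
    the point is integrity, not confidentiality.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key standing in for the SA's integrity key. Not a real key.
KEY = b"constructed-demo-integrity-key"
SPI, SEQ = 0x0000ABCD, 1                      # constructed SA parameters
PROTO_TCP, PROTO_ESP, PROTO_AH = 6, 50, 51
ICV_LEN = 16  # HMAC-SHA256-128 (RFC 4868) truncates the MAC to 128 bits


def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-byte header whose checksum field is 0."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_icv_input(ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bytes:
    """RFC 4302 3.3.3.1: zero the mutable IPv4 fields (TOS, flags/fragment
    offset, TTL, header checksum) and the ICV itself. Source and destination
    addresses are immutable and therefore covered by the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                   # TOS / DSCP / ECN
    h[6:8] = b"\x00\x00"       # flags + fragment offset
    h[8] = 0                   # TTL
    h[10:12] = b"\x00\x00"     # header checksum
    return bytes(h) + ah_hdr[:12] + bytes(ICV_LEN) + payload


def build_ah_packet(src: str, dst: str, payload: bytes) -> bytes:
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 20 + ah_len + len(payload))
    # next header, payload length in 32-bit words minus 2, reserved, SPI, sequence
    ah_hdr = struct.pack("!BBHII", PROTO_TCP, ah_len // 4 - 2, 0, SPI, SEQ)
    icv = hmac.new(KEY, ah_icv_input(ip_hdr, ah_hdr, payload), hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr + ah_hdr + icv + payload


def verify_ah(pkt: bytes) -> bool:
    ip_hdr, ah_hdr = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    expected = hmac.new(KEY, ah_icv_input(ip_hdr, ah_hdr, payload), hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def build_esp_packet(src: str, dst: str, payload: bytes) -> bytes:
    """ESP-NULL with HMAC integrity: the ICV covers SPI, sequence number and
    payload only, never the outer IP header."""
    esp_hdr = struct.pack("!II", SPI, SEQ)
    icv = hmac.new(KEY, esp_hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    ip_hdr = ipv4_header(src, dst, PROTO_ESP, 20 + len(esp_hdr) + len(payload) + ICV_LEN)
    return ip_hdr + esp_hdr + payload + icv


def verify_esp(pkt: bytes) -> bool:
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """What a 1:1 NAT device does on the way out: swap the source address and
    fix the IPv4 header checksum; everything after the header is untouched."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = socket.inet_aton(new_src)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def demo() -> dict:
    payload = b"constructed sample payload"
    # Constructed addresses: a tunnel endpoint behind the NAT and a remote peer.
    ah = build_ah_packet("192.168.255.9", "203.0.113.1", payload)
    esp = build_esp_packet("192.168.255.9", "203.0.113.1", payload)
    return {
        "ah_before_nat": verify_ah(ah),
        "ah_after_nat": verify_ah(nat_rewrite_src(ah, "192.168.1.9")),
        "esp_before_nat": verify_esp(esp),
        "esp_after_nat": verify_esp(nat_rewrite_src(esp, "192.168.1.9")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'ICV mismatch'}")
```

    Running it prints an ICV mismatch only for the AH packet after the
    rewrite. The flip side is the operational check: if the vendor's
    tunnel is ESP and both peers support NAT-T, the statement that it
    "cannot" cross a NAT device is a configuration choice on their side,
    not a protocol limit; if it is AH, it genuinely cannot.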

  2. Merv

    Merv Guest

    You should not allow any vendor to place any equipment for the
    purposes of remote access on your network

    Any VPN access should only be allowed to equipment that your
    organization controls
     
    Merv, Dec 2, 2007
    #2

  3. Rod Dorman

    Rod Dorman Guest

    In article <B%n4j.1243$>, td <> wrote:
    >I have a vendor (vendor1) who has a vpn tunnel back to my company to
    >provide support for some applications that we have with them.
    >
    >My current setup is a 2651XM at the edge and then a hub and then a
    >PIX 515E and then my internal network.


    As Merv pointed out that isn't a good idea.

    >The vendor utilizes an 1812 router to establish the tunnel back to
    >their data center.
    >
    >Vendor1's router currently connects to the hub and then directly
    >connects to the internal network bypassing the firewall. In order to
    >increase security I would like to move the 1812 to connect to a
    >layer 3 switch on its external port that will reside between the
    >firewall and my internal router (3845) and NAT the current external
    >address to an internal address.


    Does your PIX allow you to set a secondary address on its outside
    interface?

    You might try something along these lines:

      external IP subnet   12.12.300/24
      internal LAN subnet  192.168.1/24
      kludge subnet        192.168.255/24

                   2651XM
                12.12.300.1
                     |
                     |     +----- 12.12.300.9
                    Hub+   1812 Router
                     |     +----- 192.168.255.9
                     |
        12.12.300.2 & 192.168.255.2
                  PIX 515E
                 192.168.1.1

    Add a routing entry to the 1812 Router to route anything destined for
    192.168.1/24 to go via 192.168.255.2

    You'll probably have to add routing to the PIX to send return traffic
    to them via 192.168.255.9

    --
    -- Rod --
    rodd(at)polylogics(dot)com
     
    Rod Dorman, Dec 3, 2007
    #3
