Discussion in 'Cisco' started by td, Dec 2, 2007.

  1. td

    td Guest

    I have a vendor (vendor1) who has a vpn tunnel back to my company to
    provide support for some applications that we have with them.

    My current setup is a 2651XM at the edge and then a hub and then a
    PIX 515E and then my internal network. The vendor utilizes an 1812
    router to establish the tunnel back to their data center.

    Vendor1's router currently connects to the hub and then directly
    connects to the internal network bypassing the firewall. In order to
    increase security I would like to move the 1812 to connect to a
    layer 3 switch on its external port that will reside between the
    firewall and my internal router (3845) and NAT the current external
    address to an internal address.

    Vendor1 has stated that they cannot establish this tunnel across a
    device that has to/will NAT their traffic. I have another vendor
    (vendor2), utlizing a 1720 router for a VPN tunnel, who is requiring
    me to move the router between the firewall and the internal router.

    I cannot see why you cannot NAT Vendor1's traffic.

    If anyone could enlighten me as to whether or not Vendor1 is correct
    in their statement and the reasons behind the correct answer I would
    appreciate it.

    tia td
    td, Dec 2, 2007
    1. Advertisements

  2. td

    Merv Guest

    You should not allow any vendor to place any equipment for the
    purposes of remote access on your network

    Any VPN access should only be allowed to equipment that your
    organization controls
    Merv, Dec 2, 2007
    1. Advertisements

  3. td

    Rod Dorman Guest

    As Merv pointed out that isn't a good idea.
    Does your PIX allow you to set a secondary address on its outside

    You might try something along these lines
    external IP subnet 12.12.300/24
    internal LAN subnet 192.168.1/24
    kludge subnet 192.168.255/24

    | +----- 12.12.300.9
    Hub+ 1812 Router
    | +-----
    12.12.300.2 &
    PIX 515E

    Add a routing entry to the 1812 Router to route anything destined for
    192.168.1/24 to go via

    You'll probably have to add routing to the PIX to send return traffic
    to them via
    Rod Dorman, Dec 3, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.