Post #4 by runcmd, 2006-09-21
Re: B2B VPNs and NAT to Public IPs

Thanks so much for the feedback, and sorry about the ASCII work. I'm one of those guys that only read the "picture books" as a kid. Let me see if I understand correctly. Is this how you'd do it?... (Bogus IPs used intentionally)

Code:
ME:                                       COMPANY XYZ:
              +------{ Internet }------+
(MY_FW)       |<=( Encrypted Tunnel )=>|   (XYZ_VPN_Peer)
320.55.55.1   |                        |   330.22.22.1
+-------------+-+                    +-+-------------+
| My_Gateway    |                    | XYZ_Gateway   |
+-+-------------+                    +-+-------------+
  |                                    |
  + 10.1.1.0/24                        + 330.22.22.1/32
  | (MyNetwork)                        | (XYZ_NET)
  |                                    |
  +-+- (XYZEncDmnGrp)                  +-- 330.22.22.1
    +-- 10.1.1.1                           (NAT to 10.1.1.1)
    +-- 10.1.1.2
Both computers on my network are added to a "XYZEncDmnGrp" group, which needs to pass data to the 10.1.1.1 computer on the XYZ network, through the 330.22.22.1 NAT (which also happens to be their gateway). XYZ sets up the NAT on their side of the VPN tunnel to hide their 10.1.1.1 address behind 330.22.22.1. Back on my side, I name the Interoperable Device "XYZ_VPN_Peer" and assign it 330.22.22.1. I now create the network object "XYZ_NET" (representing their internal network), which is also defined as 330.22.22.1/255.255.255.255. Next, I define the VPN Domain for "XYZ_VPN_Peer" as the "XYZ_NET" network object, and make it a member of the "XYZ_VPN" community. For the sake of simplicity, let's say we're just going to allow FTP outbound through the tunnel with no inbound traffic...

Code:
+--------------+--------------+---------+---------+--------+
|  Source      | Destination  |   VPN   | Service | Action |
+--------------+--------------+---------+---------+--------+
| XYZEncDmnGrp | XYZ_NET      | XYZ_VPN | FTP     | accept |
+--------------+--------------+---------+---------+--------+ 
| XYZEncDmnGrp | XYZ_NET      | XYZ_VPN | * Any   | drop   |
| XYZ_NET      | XYZEncDmnGrp |         |         |        |
+--------------+--------------+---------+---------+--------+
Based upon the above configuration, the 10.1.1.1 and 10.1.1.2 computers on my internal network would then be able to FTP to the 10.1.1.1 computer on the XYZ side of the VPN tunnel by means of the 330.22.22.1 address. ...But, if XYZ ever decides they need to add another computer to their side of this VPN tunnel, they're out of luck.

Right? (If so, I think I might still be better off just forcing XYZ to buy one more public IP and let them NAT the 10.1.1.1 behind that.)
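The rulebase and VPN-domain arrangement described in the post above, modelled as an added example (this is not code from the thread or from any vendor product). It is a hypothetical first-match evaluator: a rule whose VPN column is set only matches when the packet also travels between the two members' encryption domains, and a community refuses to be built from overlapping domains, which is the reason XYZ has to NAT its 10.1.1.1 behind a public address in the first place. The post's 320.x/330.x addresses are deliberately bogus and will not parse, so RFC 5737 documentation addresses stand in for them (203.0.113.1 plays 330.22.22.1); the object names XYZEncDmnGrp, XYZ_NET and XYZ_VPN are the post's own.

```python
"""Model of the post's rulebase and VPN-domain matching (added example).

Hypothetical evaluator, not a vendor implementation. 203.0.113.1 stands in
for the post's bogus 330.22.22.1.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


def in_any(ip: IPv4Address, nets: tuple[IPv4Network, ...]) -> bool:
    return any(ip in n for n in nets)


@dataclass(frozen=True)
class Community:
    """A two-member VPN community: my encryption domain and the peer's."""
    name: str
    my_domain: tuple[IPv4Network, ...]
    peer_domain: tuple[IPv4Network, ...]

    def __post_init__(self) -> None:
        # Overlapping encryption domains make routing into the tunnel
        # ambiguous, so a peer whose internal 10.1.1.1 collides with mine
        # has to present a NATed address (the post's 330.22.22.1) instead.
        for a in self.my_domain:
            for b in self.peer_domain:
                if a.overlaps(b):
                    raise ValueError(f"{self.name}: {a} overlaps peer domain {b}")

    def carries(self, src: IPv4Address, dst: IPv4Address) -> bool:
        """True if this community would encrypt a packet from src to dst."""
        return (in_any(src, self.my_domain) and in_any(dst, self.peer_domain)) or (
            in_any(src, self.peer_domain) and in_any(dst, self.my_domain)
        )


@dataclass(frozen=True)
class Rule:
    src: tuple[IPv4Network, ...]
    dst: tuple[IPv4Network, ...]
    vpn: Optional[str]       # community name, or None for the clear-text column
    service: Optional[str]   # None means "Any"
    action: str


def evaluate(rules, communities, src: str, dst: str, service: str) -> str:
    """First match wins; anything unmatched hits the implicit cleanup drop."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if not (in_any(s, r.src) and in_any(d, r.dst)):
            continue
        if r.service is not None and r.service != service:
            continue
        if r.vpn is not None and not communities[r.vpn].carries(s, d):
            continue
        return r.action
    return "drop"


# Objects from the post (addresses substituted as noted above).
XYZ_ENC_DMN_GRP = (ip_network("10.1.1.1/32"), ip_network("10.1.1.2/32"))
XYZ_NET = (ip_network("203.0.113.1/32"),)   # the /32 VPN domain of XYZ_VPN_Peer

COMMUNITIES = {"XYZ_VPN": Community("XYZ_VPN", XYZ_ENC_DMN_GRP, XYZ_NET)}
RULES = (
    Rule(XYZ_ENC_DMN_GRP, XYZ_NET, "XYZ_VPN", "ftp", "accept"),
    Rule(XYZ_ENC_DMN_GRP, XYZ_NET, "XYZ_VPN", None, "drop"),
    Rule(XYZ_NET, XYZ_ENC_DMN_GRP, "XYZ_VPN", None, "drop"),
)


def decide(src: str, dst: str, service: str) -> str:
    return evaluate(RULES, COMMUNITIES, src, dst, service)


def overlap_rejected(peer_domain: str) -> bool:
    """True if a peer VPN domain of peer_domain would be refused for overlapping mine."""
    try:
        Community("XYZ_VPN", XYZ_ENC_DMN_GRP, (ip_network(peer_domain),))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed packets: the allowed FTP, a non-FTP attempt, inbound
    # traffic, and a second XYZ host that the /32 VPN domain does not cover.
    for pkt in [("10.1.1.1", "203.0.113.1", "ftp"),
                ("10.1.1.2", "203.0.113.1", "telnet"),
                ("203.0.113.1", "10.1.1.1", "ftp"),
                ("10.1.1.1", "203.0.113.2", "ftp")]:
        print(pkt, "->", decide(*pkt))
    print("peer domain 10.1.1.0/24 rejected:", overlap_rejected("10.1.1.0/24"))
```

The last packet is the "out of luck" case from the post: a second XYZ host NATed to 203.0.113.2 never reaches the accept rule because XYZ_NET is a single /32, so widening the peer's VPN domain (or, as the post suggests, buying another public address and adding it) is the only way to admit it. The overlap check also shows why XYZ cannot simply offer its real 10.1.1.0/24 as its VPN domain.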