>
>>  >I have a requirement to run a VPN for remote access and NAT for the entire
>>  >LAN. I would prefer to run the one or the other on the router.
>>  >Does anyone have any suggestions as to which?  I am also currently running
>>  >BGP.  My opinion is to run the VPN on the router and NAT on another box,
>>  >thereby creating a DMZ.  However, the file servers will be behind the NAT.
>>  >How do I get from the VPN routers - thru the firewall - to the internal
>>  >file servers?
>>  >

---- "Howard C. Berkowitz" <[EMAIL PROTECTED]> wrote:

>  >
>>  What problem are you trying to solve with these technologies?

"Dave Santeramo" <[EMAIL PROTECTED]> replied,

>
>We are setting up a multihomed environment with two providers (BGP)
>We also want remote users to have secure access into the LAN from home.
>(VPN).  There is also a request to NAT everything on the LAN behind either
>a proxy server or a FW. 
>

OK, I see the BGP and VPN requirements.  I'm still a little vague on 
why you want NAT -- address conservation or something else?  In a 
multihomed routing environment, the externally visible addresses 
(router, DNS, etc.) really should be registered.

Before commenting further on the VPN, what is your security model? 
Are you simply trying to protect traffic while it is in the public 
Internet, or on an end-to-end basis?  Will this be IPsec, SSL, etc.? 
Do you trust the firewall/proxy to have access to all traffic in 
cleartext form?  How do you plan to authenticate users and distribute 
cryptographic keys?  Are your users mobile or at fixed sites?

If the encryption is host-to-host (i.e., from workstation to file 
server), a true firewall function (whatever that is) has limited 
applicability. Since the firewall can't examine packet contents that 
it can't decrypt, you might as well use a router to provide rate 
limiting and martian filtering--a proxy won't work in this context.
-- 
"What Problem are you trying to solve?"
***send Cisco questions to the list, so all can benefit -- not 
directly to me***

Howard C. Berkowitz      [EMAIL PROTECTED]
Technical Director, CertificationZone.com
Senior Product Manager, Carrier Packet Solutions, NortelNetworks (for ID only)
   but Cisco stockholder!
"retired" Certified Cisco Systems Instructor (CID) #93005
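As an added illustration of the router-based controls mentioned in the reply above (rate limiting and martian filtering on the provider-facing interfaces of a multihomed edge router), here is an IOS configuration fragment; it is example configuration written for this page, not from anyone in the thread. The interface name, the ICMP rate value and the site's own prefix (198.51.100.0/24, documentation space) are assumptions.

```cisco
! Added example configuration, not from the original thread.
! Ingress filter for an Internet-facing interface: drop packets whose source
! address can never legitimately arrive from the provider (martians), plus
! anti-spoofing for the site's own prefix. Prefix and interface are assumed.
ip access-list extended MARTIAN-IN
 remark Reserved / unroutable source addresses (RFC 1918, loopback, link-local, multicast)
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 remark Anti-spoofing: our own registered prefix must never come in from the Internet
 deny   ip 198.51.100.0 0.0.0.255 any
 permit ip any any
!
! Classifier used only to rate-limit ICMP (the encrypted VPN traffic itself
! is left alone; the router cannot inspect it, as the reply notes).
access-list 100 permit icmp any any
!
interface Serial0/0
 description Uplink to provider A (assumed interface name)
 ip access-group MARTIAN-IN in
 rate-limit input access-group 100 256000 8000 8000 conform-action transmit exceed-action drop
```

The same two statements would be applied to the second provider's interface; the deny entries are checked in order before the final permit, so a spoofed packet is dropped at the edge regardless of what is encrypted inside it.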

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]