Mike,
This is an interesting scenario. FW1 has the ability to set up multiple VPNs and not all of them need to be to secure remote clients. If the VPN is permanent you should be able to name it and assign specific rules to apply to it. If you put these before the remote client rules in theory you should be able to enforce two different filtering actions. I've never had occasion to do this so the following rule may apply.
"In theory, theory is the same as practice. In practice, it seldom is." ;-] Best of luck
-- Bill Stackpole, CISSP
Mike Glassman - Admin <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
07/19/00 07:10 AM
To: "'fw-1 listserv'" <[EMAIL PROTECTED]>, "'fw-gnac list'" <[EMAIL PROTECTED]>
cc:
Subject: VPN & NAT access on same server
All,
We have a specific scenario here where I am asked to allow access to a
server (or servers), where some clients will have to use the SecuRemote
(VPN) client, and some won't.
Now as far as I understand it, once I have defined a server in the
secured-servers list for access via the VPN, I will not be able to have a
different access to the same server's NAT address, since the NAT address
resolves to the internal address, which then requires that I have the VPN
client.
The reasoning behind this is as follows :
We have certain clients, who are not part of our organisation, but who need
access to certain systems/software on our internal servers.
At the same time, we have clients who are a part of our organisation, who
also need this access, but who we don't want to have the VPN client
installed.
As well as this, we have some systems which are accessible only through the
firewall, even to clients on our internal network, on which we cannot
install the VPN client for various reasons, and now we are required to allow
external clients access to this system as well, but only over a secured
(VPN) link (military site).
Anyone have any insight as to whether I can double up like this ? As in,
allow access to the same system to users with VPN, and users without ? And
if so, how.
Thanks,
Mike Glassman
System & Security Admin
Israeli Airports Authority
Ben-Gurion Airport
http://www.ben-gurion-airport.co.il
Tel : 972-3-9710785
Fax : 972-3-9710939
Email : [EMAIL PROTECTED]
Usage of this email address or any email address at iaa.gov.il for the
purpose of sales pitches, SPAM or any other such unwanted garbage, is
illegal, and any person, whether corporate or alone doing so, will be
prosecuted to the fullest possible extent.
