Hi all,
Apologies for the huge ascii drawing! (use courier font to view with
sanity:-)
I've been asked to look at placing a Nokia IP530 into this scenario:
///-------------\\\
///// \\\\\
|| Internet ||
| |
\\\\\ /////
\\\----+--+-----///
| |
| |
|-------+ +---------+ +--------+ +------+
| | | | | |
| ++------------++ ++------------++ |
| | | | | |
| | Nokia IP650 | << HA Pair >> | Nokia IP650 | |
| +-+---------+--+ +--+---------+-+ |
| | | | | |
| | +-----------+ +----------+ | |
| | | | | |
| | | | | |
| | | | | |
| | +---------+--+--------+ | |
| | | DMZ Switch | | |
| | | (private addressing)| | |
| | +---------------------+ | |
| | | |
| | | |
| | | |
| | +--------------+ | |
| | | | | |
| | |Proposed IP530| | |
| | +--------------+ | |
| | | |
| | | |
| | | |
| | +---------------------+ | |
| | | DMZ Switch | | |
| | | (public addressing) | | |
| | +---------+--+--------+ | |
| | | | | |
| ----------------------+ +--------------------+ |
| |
| |
| |
| |
-----------------------+ +----------------------
+-+-----------------+-+
| Customer Switch |
|(private addressing) |
+---------+--+--------+
| |
| |
//----+--+----\\
///// \\\\\
|| Trusted Net ||
| Customer VPN Cloud |
\\\\\ /////
\\------------//
This proposed Nokia running 4.1 will be used purely to terminate
SecuRemote tunnels, and potentially some site-to-site tunnels.
The top section is an "ISP Gateway". Effectively it is a pair of HA Nokia
IP650s which provide NAT and a global security policy for a customer's
International Frame Network at the bottom.
Off these Nokias are two DMZs: one is publicly addressed, and the other
private. It is proposed that a further Nokia appliance (model not really
decided yet) will sit between these DMZs, terminate SecuRemote and some
site-to-site VPN tunnels, and forward decrypted traffic to the customer's
private frame network shown at the bottom. There is already a WatchGuard
Firebox in this location, which (apparently) successfully terminates some
tunnels from a partner organisation.
Can anyone give me some guidance on the above, with regard to:
1. Am I going to have problems because the HA Nokias are running NAT? (The
way I see it, the NAT actually only happens AFTER the tunnels are
terminated, so it shouldn't be a problem? :-)
2. What is the right choice of Nokia box for the job - there will be up to
1000 VPN (client) tunnels, maybe max 600 of them simultaneous?
Any other (constructive only!) comments would be very much appreciated!
Cheers,
Matt D
[EMAIL PROTECTED]
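Question 1 above turns on whether the upstream HA pair's NAT rulebase ever matches the IKE/ESP packets that are still encrypted when they pass it on their way to the concentrator. The following Python model is an added example, not code from the original post or from Nokia/Check Point: it walks a tunnel packet through a small top-down NAT rulebase and reports whether its outer header is left alone, rewritten, or (for AH) broken outright. All addresses, rule names and networks are constructed for illustration; the real rulebase on the IP650 pair would have to be read off the box.

```python
"""Added example (not from the original post): check which NAT rules on an
upstream firewall would touch the outer header of IKE/ESP/AH traffic bound
for a VPN concentrator placed behind it. All addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IKE_UDP_PORT = 500        # ISAKMP/IKE negotiation
IPSEC_PROTOS = ("esp", "ah")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "esp", "ah", "udp", "tcp"
    dport: Optional[int] = None   # only meaningful for udp/tcp


@dataclass(frozen=True)
class NatRule:
    """One row of a top-down NAT rulebase. A None match field means 'any';
    a None new_* field means 'leave that address unchanged'."""
    name: str
    match_src: Optional[str] = None
    match_dst: Optional[str] = None
    new_src: Optional[str] = None
    new_dst: Optional[str] = None


def _matches(net: Optional[str], addr: str) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def apply_nat(rules: List[NatRule], pkt: Packet) -> Tuple[Packet, Optional[str]]:
    """First matching rule wins. Returns the packet as it leaves the NAT
    device plus the name of the rule that fired (None if nothing matched)."""
    for rule in rules:
        if _matches(rule.match_src, pkt.src) and _matches(rule.match_dst, pkt.dst):
            out = Packet(rule.new_src or pkt.src, rule.new_dst or pkt.dst, pkt.proto, pkt.dport)
            return out, rule.name
    return pkt, None


def tunnel_impact(rules: List[NatRule], pkt: Packet) -> str:
    """Classify what an upstream NAT does to a single still-encrypted packet.
    The NAT device never sees the inner (decrypted) packet; only the
    concentrator behind it does, so only outer-header effects are modelled."""
    _, rule = apply_nat(rules, pkt)
    is_tunnel = pkt.proto in IPSEC_PROTOS or (pkt.proto == "udp" and pkt.dport == IKE_UDP_PORT)
    if not is_tunnel:
        return "not tunnel traffic"
    if rule is None:
        return "untouched"          # concentrator sees the original outer header
    if pkt.proto == "ah":
        # AH's integrity check covers the immutable IP header fields,
        # including source and destination, so any rewrite fails verification.
        return f"broken by {rule}: AH authenticates the outer addresses"
    # ESP and IKE survive an address rewrite, but the concentrator's peer
    # identity and SA lookups now see the translated addresses.
    return f"translated by {rule}: verify the VPN config expects the rewritten addresses"


# Constructed rulebase for the HA pair in the drawing (hypothetical addresses):
#  - hide NAT for the customer's private frame network going out to the Internet
#  - static NAT exposing one host on the private DMZ as a public address
PRIVATE_FRAME_NET = "10.0.0.0/8"
PRIVATE_DMZ_HOST = "172.16.1.20"
STATIC_PUBLIC_IP = "198.51.100.20"
CONCENTRATOR_PUBLIC_DMZ = "198.51.100.30"   # IP530 on the publicly addressed DMZ

RULES = [
    NatRule("hide-frame-net", match_src=PRIVATE_FRAME_NET, new_src="198.51.100.1"),
    NatRule("static-dmz-host", match_dst=STATIC_PUBLIC_IP, new_dst=PRIVATE_DMZ_HOST),
]


def check_proposal() -> dict:
    """Run the three cases a practitioner would want to compare."""
    client = "203.0.113.7"   # remote SecuRemote user (constructed)
    return {
        "esp_to_public_dmz": tunnel_impact(RULES, Packet(client, CONCENTRATOR_PUBLIC_DMZ, "esp")),
        "ike_to_public_dmz": tunnel_impact(RULES, Packet(client, CONCENTRATOR_PUBLIC_DMZ, "udp", IKE_UDP_PORT)),
        "esp_to_static_nat": tunnel_impact(RULES, Packet(client, STATIC_PUBLIC_IP, "esp")),
        "ah_to_static_nat": tunnel_impact(RULES, Packet(client, STATIC_PUBLIC_IP, "ah")),
    }


if __name__ == "__main__":
    for case, verdict in check_proposal().items():
        print(f"{case:20s} {verdict}")
```

The model makes the distinction in the question explicit: if the concentrator sits on the publicly addressed DMZ and no NAT rule on the HA pair matches its address, the tunnel packets reach it with their outer headers intact and the poster's "NAT happens after termination" reading holds; if the concentrator instead sat behind a static NAT on the private DMZ, IKE and ESP would arrive with rewritten addresses and AH would not survive at all.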
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================