[isapros] Re: FW: Source NAT before VPN Tunnel

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 16 Jun 2006 09:57:44 +0200

Hi Tom, 

OK, let's try to clarify it better...

Host --- [ISA2004] ---- Internet --- [Checkpoint] --- Server

Host = 192.168.1.2/24
ISA2004 internal interface = 192.168.1.1/24
ISA2004 external interface = 111.111.111.1/28 (Public IP)
Checkpoint external interface = 222.222.222.1/28 (Public IP)
Checkpoint internal interface = 222.222.222.65/26 (Public IP)
Server = 222.222.222.66/26 (Public IP)

A site-to-site IPSec tunnel mode connection is defined between the endpoints
111.111.111.1 and 222.222.222.1. So far so good. 

The host 192.168.1.2 must access an ISO-TSAP (TCP port 102) service on the
server 222.222.222.66 through the site-to-site IPSec tunnel mode connection
BUT the Checkpoint expects only traffic sourced from 198.18.1.0/28 within
this tunnel. Therefore on ISA we should be able to NAT first the host IP
address 192.168.1.2 to 198.18.1.1 (in this example) and then transmit that
traffic within the tunnel. How to accomplish that?

I know you can define on ISA a NAT relationship between the internal network
and the remote VPN network but in that case the traffic within the tunnel
will be sourced from 111.111.111.1 (in this example) and that is not what we
want to achieve!  


Thanks, 
Stefaan

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Thomas W Shinder
Sent: Friday 16 June 2006 2:11
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: FW: Source NAT before VPN Tunnel

Hi Stefaan,
I don't see what the problem is. What do you see as the possible problem?

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> Sent: Thursday, June 15, 2006 2:48 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] FW: Source NAT before VPN Tunnel
> 
> Nobody in Boston (Teched 2006) has an answer to this question? 
> 
> Stefaan
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> Sent: Wednesday 7 June 2006 20:39
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Source NAT before VPN Tunnel
> 
> Hey guys,
> 
> I wonder if the following scenario is possible with an ISA 2004...
> 
> 
> Central Site                               Remote Site #1
> 
> NetID #0 [Checkpoint] ----- Internet ----- [ISA2004] --- NetID #1
>                                !
>                                !
>                                !           Remote Site #n
>                                !
>                                +---------- [Juniper] --- NetID #n
> 
> 
> 1. The central site is the hub in a large hub-and-spoke VPN network. 
> Each remote site needs only to talk to the central site and not to 
> another remote site.
> 
> 2. All the services offered by the central site to the remote sites 
> are reachable on Public IP addresses (NetID #0). So, no IP conflicts 
> should be expected here.
> 
> 3. Because the central site must be sure that there will never be an 
> IP address conflict between the remote sites, they chose to allocate a 
> fixed /28 NetID out of the IP range 198.18.0.0/15 to each remote 
> site to be used inside the VPN tunnel as source address for the remote 
> site.
> Note: they chose the IP range 198.18.0.0/15 because this block has 
> been allocated for use in benchmark tests of network interconnect 
> devices (cf. RFC 2544 and RFC 3330). So, this will very likely never conflict with 
> any IP schema used at any remote site.
> 
> 4. Because the NAT from the native remote IPs (NetID #n) to the 
> centrally allocated IPs (/28 NetID out of the IP range 198.18.0.0/15) 
> can only be done at the remote site, each remote VPN gateway/firewall 
> must be able to perform source NAT on the outbound traffic before 
> tunneling the traffic to the central site.
> 
> 
> Question: is this possible with ISA2004 as VPN gateway/firewall in a 
> remote site?
> 
> Of course it should work if we use the following design at the remote 
> site but we hope to avoid the purchase of an extra VPN box:
> 
> NetID #1 ----- [ISA2004] -----------+----- Internet 
>                    !                !
>                    +---[VPN Box] ---+ 
>                   ^^^
>              /28 NetID out of the IP range 198.18.0.0/15
> 
> 
> 
> Best Regards,
> Stefaan
> 

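The scenario the thread is about, as an added example that is not part of the original posts and is not ISA Server or Check Point code: a small Python model of the hub's addressing rule (one fixed /28 per remote site out of 198.18.0.0/15), the 1:1 source NAT the spoke has to apply before handing the packet to IPsec, and the hub-side IPsec policy selector that only admits tunnel traffic sourced from that /28. The addresses are the ones Stefaan gives; the allocation order (site n gets the n-th /28 of the block, so 198.18.1.0/28 is site 16), the 14-host limit of a pure 1:1 mapping, and all function and class names are assumptions of the example.

```python
"""Model of the 'source NAT before the IPsec tunnel' design from the thread.

Added example: not from the original posts and not ISA Server or Check Point
code. It models the hub's allocation of one fixed /28 per remote site out of
198.18.0.0/15, the 1:1 source NAT the spoke applies before encapsulation, and
the hub-side IPsec policy selector that only admits tunnel traffic sourced
from the site's /28. The allocation order (site n -> n-th /28) is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Block the hub picked for tunnel-internal source addresses (RFC 2544 / RFC 3330).
BENCHMARK_BLOCK = IPv4Network("198.18.0.0/15")
SITE_PREFIX_LEN = 28
CENTRAL_SERVICES = IPv4Network("222.222.222.64/26")   # NetID #0 behind the Checkpoint


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def make_packet(src: str, dst: str, dport: int) -> Packet:
    return Packet(IPv4Address(src), IPv4Address(dst), dport)


def site_prefix(site_index: int) -> IPv4Network:
    """Return the /28 the hub allocates to remote site number site_index.

    Consecutive /28s are handed out (assumed order): site 0 gets 198.18.0.0/28,
    site 16 gets 198.18.1.0/28 (the prefix used in the thread), site 8191 the last.
    """
    max_sites = 2 ** (SITE_PREFIX_LEN - BENCHMARK_BLOCK.prefixlen)      # 8192
    if not 0 <= site_index < max_sites:
        raise ValueError(f"site index must be in [0, {max_sites})")
    base = int(BENCHMARK_BLOCK.network_address) + site_index * 2 ** (32 - SITE_PREFIX_LEN)
    return IPv4Network((base, SITE_PREFIX_LEN))


class SpokeSourceNat:
    """1:1 source NAT table for one remote site, drawing from its allocated /28.

    The network and broadcast addresses of the /28 are left unused, so at most
    14 inside hosts can be mapped; a larger site would need many-to-one NAPT,
    which this model deliberately does not do (it raises instead).
    """

    def __init__(self, inside_net: str, tunnel_net: IPv4Network) -> None:
        self.inside_net = IPv4Network(inside_net)
        self.tunnel_net = tunnel_net
        self._free = list(tunnel_net.hosts())           # e.g. 198.18.1.1 .. 198.18.1.14
        self._table: dict[IPv4Address, IPv4Address] = {}

    def translate(self, pkt: Packet) -> Packet:
        """Rewrite the source address before the packet is handed to IPsec."""
        if pkt.src not in self.inside_net:
            raise ValueError(f"{pkt.src} is not inside {self.inside_net}")
        if pkt.src not in self._table:
            if not self._free:
                raise RuntimeError(f"{self.tunnel_net} exhausted: more than 14 hosts need NAPT")
            self._table[pkt.src] = self._free.pop(0)
        return Packet(self._table[pkt.src], pkt.dst, pkt.dport)


def nat_to_external_interface(pkt: Packet, external_ip: str) -> Packet:
    """The plain NAT relationship Stefaan describes: traffic leaves sourced
    from the firewall's own external address instead of the allocated /28."""
    return Packet(IPv4Address(external_ip), pkt.dst, pkt.dport)


def hub_accepts(pkt: Packet, site_net: IPv4Network) -> bool:
    """Hub-side selector for one spoke's tunnel: only the site's /28 may talk
    to the central public services; anything else is dropped."""
    return pkt.src in site_net and pkt.dst in CENTRAL_SERVICES


def prefixes_disjoint(prefixes: list[IPv4Network]) -> bool:
    """The guarantee the hub wants: no two sites' tunnel prefixes overlap."""
    return not any(a.overlaps(b) for i, a in enumerate(prefixes) for b in prefixes[i + 1:])


def run_scenario() -> dict[str, bool]:
    """Walk the thread's example: 192.168.1.2 -> 222.222.222.66:102 through site 16's tunnel."""
    site = site_prefix(16)                                          # 198.18.1.0/28
    nat = SpokeSourceNat("192.168.1.0/24", site)
    original = make_packet("192.168.1.2", "222.222.222.66", 102)    # ISO-TSAP
    nated = nat.translate(original)                                 # src becomes 198.18.1.1
    wrong = nat_to_external_interface(original, "111.111.111.1")    # src becomes ISA's external IP
    return {
        "nat_before_tunnel_accepted": hub_accepts(nated, site),
        "isa_network_nat_accepted": hub_accepts(wrong, site),
        "unnated_accepted": hub_accepts(original, site),
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'accepted' if ok else 'dropped'} by the hub selector")
```

Running it shows the point of the thread in one place: with the NAT relationship Stefaan describes, the hub's selector sees 111.111.111.1 rather than an address in 198.18.1.0/28 and rejects the packet, while the per-site table produces a source the selector admits. A site with more than 14 hosts cannot be served by a 1:1 mapping onto a /28 and would need many-to-one NAPT, which the model flags by raising when the pool is exhausted.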