[isapros] Source NAT before VPN Tunnel

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 7 Jun 2006 20:38:34 +0200

Hey guys, 

wonder if the following scenario is possible with an ISA 2004...


Central Site                               Remote Site #1

NetID #0 [Checkpoint] ----- Internet ----- [ISA2004] --- NetID #1
                               !
                               !
                               !           Remote Site #n
                               !
                               +---------- [Juniper] --- NetID #n


1. The central site is the hub in a large hub-and-spoke VPN network. Each
remote site needs only to talk to the central site and not to another remote
site.

2. All the services offered by the central site to the remote sites are
reachable on Public IP addresses (NetID #0). So, no IP conflicts should be
expected here. 

3. Because the central site must be sure that there will never be an IP
address conflict between the remote sites, they chose to allocate a fixed
/28 NetID out of the IP range 198.18.0.0/15 to each remote site to be used
inside the VPN tunnel as source address for the remote site.
Note: they chose the IP range 198.18.0.0/15 because this block has been
allocated for use in benchmark tests of network interconnect devices (cfr
RFC2544 and RFC3330). So, this will very likely never conflict with any IP
scheme used at any remote site.

4. Because the NAT from the native remote IPs (NetID #n) to the centrally
allocated IPs (/28 NetID out of the IP range 198.18.0.0/15) can only be
done at the remote site, each remote VPN gateway/firewall must be able to
perform source NAT on the outbound traffic before tunneling the traffic to
the central site.


Question: is this possible with ISA2004 as VPN gateway/firewall in a remote
site? 

Of course, it should work if we use the following design at the remote site,
but we hope to avoid the purchase of an extra VPN box:

NetID #1 ----- [ISA2004] -----------+----- Internet 
                   !                !
                   +---[VPN Box] ---+ 
                  ^^^
             /28 NetID out of the IP range 198.18.0.0/15



Best Regards, 
Stefaan


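Added example for points 3 and 4 of the post above (this is not part of
the original message and is not ISA Server, Check Point or Juniper code):
a small Python script that carves the per-site /28 blocks out of
198.18.0.0/15, validates a plan for overlaps with the hub's public network,
each site's own LAN and the other sites, builds the 1:1 source NAT table for
one site, and models one outbound packet at the remote gateway to show why
the NAT has to happen before the IPsec selector is evaluated. The hub
network 203.0.113.0/24, the site LANs and the host addresses are
constructed for illustration.

```python
"""Address plan and NAT-ordering check for the hub-and-spoke design in the post.

Added example, not part of the original post and not ISA Server, Check Point
or Juniper code. The site names, native LAN subnets, hub network and host
addresses used below are constructed for illustration.
"""
from itertools import combinations
from ipaddress import IPv4Address, IPv4Network

# Block the central site carves per-site /28s from (RFC 2544 / RFC 3330 test range).
BENCHMARK_BLOCK = IPv4Network("198.18.0.0/15")
SITE_PREFIX = 28
BLOCK_SIZE = 2 ** (32 - SITE_PREFIX)                     # 16 addresses per /28
MAX_SITES = BENCHMARK_BLOCK.num_addresses // BLOCK_SIZE  # 8192 remote sites


def allocate_site_block(site_index):
    """Fixed /28 for remote site number site_index (0-based), taken
    sequentially out of 198.18.0.0/15."""
    if not 0 <= site_index < MAX_SITES:
        raise ValueError(f"site index {site_index} outside 0..{MAX_SITES - 1}")
    base = int(BENCHMARK_BLOCK.network_address) + site_index * BLOCK_SIZE
    return IPv4Network((base, SITE_PREFIX))


def check_plan(hub_net, sites):
    """Validate a plan {site: (native LAN, assigned /28)}: a site's /28 must lie
    inside the benchmark block and must not overlap the hub's public network,
    its own native LAN, or another site's /28. Returns the list of problems."""
    hub_net = IPv4Network(hub_net)
    plan = {name: (IPv4Network(lan), IPv4Network(blk))
            for name, (lan, blk) in sites.items()}
    problems = []
    for name, (lan, blk) in plan.items():
        if not blk.subnet_of(BENCHMARK_BLOCK):
            problems.append(f"{name}: {blk} is not inside {BENCHMARK_BLOCK}")
        if blk.overlaps(hub_net):
            problems.append(f"{name}: {blk} overlaps hub network {hub_net}")
        if blk.overlaps(lan):
            problems.append(f"{name}: {blk} overlaps its own LAN {lan}")
    for a, b in combinations(plan, 2):
        if plan[a][1].overlaps(plan[b][1]):
            problems.append(f"{a}/{b}: {plan[a][1]} overlaps {plan[b][1]}")
    return problems


def build_snat_table(native_lan, block):
    """Static 1:1 source NAT table from the native hosts to the assigned /28.
    A /28 has only 14 usable addresses, so a larger LAN needs hide
    (many-to-one) NAT onto one address of the block instead."""
    native_lan, block = IPv4Network(native_lan), IPv4Network(block)
    natives, translated = list(native_lan.hosts()), list(block.hosts())
    if len(natives) > len(translated):
        raise ValueError(f"{native_lan} has more hosts than {block}: use hide NAT")
    return dict(zip(natives, translated))


def outbound(src, dst, snat, local_selector, remote_selector, nat_before_tunnel=True):
    """Model one outbound packet at the remote gateway. The IPsec phase-2
    selector is (local_selector -> remote_selector), i.e. the site's /28 to the
    hub's public network. Returns ("tunnel", src_seen_by_hub) when the packet
    is encrypted, or ("no-match", src) when it misses the selector and would
    leave in the clear (or be dropped, depending on the gateway's policy)."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    local_selector = IPv4Network(local_selector)
    remote_selector = IPv4Network(remote_selector)
    if nat_before_tunnel:
        src = snat.get(src, src)  # translation must precede selector matching
    if src in local_selector and dst in remote_selector:
        return ("tunnel", str(src))
    return ("no-match", str(src))


def demo():
    """Constructed plan: one hub (public NetID #0) and two remote sites."""
    hub = "203.0.113.0/24"
    sites = {
        "site1": ("192.168.1.0/28", str(allocate_site_block(0))),
        "site2": ("10.0.0.0/28", str(allocate_site_block(1))),
    }
    problems = check_plan(hub, sites)
    snat = build_snat_table(*sites["site1"])
    with_nat = outbound("192.168.1.5", "203.0.113.10", snat, sites["site1"][1], hub, True)
    without_nat = outbound("192.168.1.5", "203.0.113.10", snat, sites["site1"][1], hub, False)
    return {"problems": problems, "with_nat": with_nat, "without_nat": without_nat}


if __name__ == "__main__":
    print(demo())
```

The last function is the point of the exercise: with the same phase-2
selector (site /28 -> hub network) the packet from 192.168.1.5 only enters
the tunnel when the source has already been rewritten to 198.18.0.5; if the
gateway evaluates the tunnel policy first, the native source never matches
and the traffic misses the VPN entirely. Whichever box does the job at the
remote site, that ordering is what has to be verified.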