NFR Wizards Archive: RE: IP in IP and FW1

RE: IP in IP and FW1


GEIS (Adam.Safier@geis.ge.com)
Wed, 24 Sep 1997 18:55:38 -0400


Colin's answers are preferred, with 2 being my favorite.

But, if you cannot do that you might try overloading the r2-fw1
interface with a second IP address, say a class 1918 address. You then
set that as the internet default or proxy server or gateway for Net1
users. They go to the firewall, which decrypts and then uses its own
routing table to forward to the allowed destination, which is back out
the same physical interface to R2.

This is a guess - haven't been there, haven't done that with
SecuRemote - but overloading works and your firewall rules can be set
by IP address of the interface. However, some rules may conflict and
you may need to relax your policy - which could be risky. Really should
change to Colin's option 2.

> -----Original Message-----
> From: Colin Campbell [SMTP:sgcccdccitec.qld.gov.au]
> Sent: Wednesday, September 24, 1997 4:00 AM
> To: firewall-wizards@nfr.net
> Subject: Re: IP in IP and FW1
>
> Hi
>
> How about one of two solutions:
>
> 1) replace R1 with Cisco running 11.2 IOS and do NAT on the router.
> 2) restructure the LAN to be:
>
> Internet
> ^
> |
> R2
> |
> NET1 ------ R1 ---------- FW1-------------- NET2
>
> Colin
>
> My mailer thinks Neale Banks said:
> >
> > Hi,
> >
> > I have been asked to advise on a problem with an RFC1918 subnet that needs
> > to communicate with the Internet via FW-1 and NAT.
> >
> > A picture is worth a thousand words, so:
> >
> > Internet
> > ^
> > |
> > NET1 ------ R1 ---------- R2 ---- FW1------ NET2
> >
> > The main complication here is that both NET1 and NET2 are using RFC1918
> > addresses, and R2 also has the default route to the internet. Ideally
> > Internet traffic from FW1 SecuRemote clients on NET1 would be directed to
> > the FW1 and NATed to assigned address space before venturing to the
> > internet.
>
>
Adam

---------------
Adam Safier, Network Engineer/Security Consultant
GE Information Services, Inc.
401 North Washington St., Rockville, Md. 20850
Ph: 301-340-5737 Internal: 8*273-5737 Fax: 301-340-4005
Adam.Safier@geis.ge.com http://www.geis.com

I'm proud to live in a country where I can express my personal opinions.
The opinions above may not be shared by my employer.
---------------
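For readers weighing Colin's option 1 (NAT on R1, quoted above), the following is what that looks like on a Cisco router running the IOS NAT feature introduced in 11.2. This is an added illustration and not configuration posted in the thread; the interface names, the NET1 prefix 10.1.0.0/16 and the link address 192.0.2.1 (a TEST-NET address standing in for real assigned space) are assumptions for the example.

```cisco
! Added example, not from the thread: many-to-one NAT on R1 (Colin's option 1).
! Assumed: NET1 = 10.1.0.0/16 behind Ethernet0; Serial0 is the link to R2 and
! 192.0.2.1 stands in for the routable address NET1 should appear from.
!
! Inside interface: faces NET1 (RFC1918 space)
interface Ethernet0
 ip address 10.1.1.1 255.255.0.0
 ip nat inside
!
! Outside interface: faces R2, and through it the Internet
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
!
! Only NET1 sources are eligible for translation; nothing else is touched
access-list 1 permit 10.1.0.0 0.0.255.255
!
! PAT ("overload"): every NET1 host shares the single outside address
ip nat pool R1-PUBLIC 192.0.2.1 192.0.2.1 netmask 255.255.255.252
ip nat inside source list 1 pool R1-PUBLIC overload
!
! Default route toward R2, which holds the real default to the Internet
ip route 0.0.0.0 0.0.0.0 Serial0
```

One caveat that matters in this topology: every NET1 packet leaving Serial0 is translated, including packets bound for FW1 and NET2. If FW1 has to see the real NET1 addresses (for example to match SecuRemote client rules or to keep NET1 and NET2 distinguishable when both use RFC1918 space), add `deny` entries for those destinations to access-list 1 ahead of the `permit`, and check with `show ip nat translations` that only Internet-bound flows are being rewritten.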



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT