Network Security Firewalls

RE: Help in VPN setup

Subject: RE: Help in VPN setup
Date: Wed, 27 Oct 2004 10:36:57 -0500
The external, routable address that is specified in the PIX-PIX VPN
configuration can also be used for other services (NAT, port forwarding...).

The VPN connection is established at a higher level port that shouldn't have
any applications running across it.  I don't know offhand the port number,
but I imagine it's in the 60k range.

Even with a point-to-point VPN between two PIXes both sites are still able
to use the Internet connection for traffic that isn't destined for the
remote LAN.

This is the key with a VPN - you define the traffic that is to be encrypted
and sent across the established VPN using an access list that has the source
and destination addresses of the protected networks.

Your diagram below is confusing - you have a router with a public IP address
and only a private one on another interface?  Unless this is the required
configuration from your ISP, I'd highly suggest removing the routers at each
end and plugging that network directly into the PIX's outside interface.

This will make things much simpler for your configuration.

If you are required to use the routers, and the routers are Cisco based, you
can set up a router-router VPN using the IOS Firewall feature set.  If memory
serves, it's nearly identical to how the PIX VPN is configured.  Also, in
this configuration, the access lists can get quite confusing on the PIX as
you have to allow for the remote LAN address being on the outside interface
of the PIX.

HTH,
Brandon
CCSP

-----Original Message-----
From: David [mailto:dalmada@sisp.cv]
Sent: Tuesday, October 26, 2004 12:13 PM
To: firewalls@securityfocus.com
Subject: Help in VPN setup




Hello everyone,

I intend to set up a gateway-to-gateway VPN through the Internet using two PIXes.
My question is, do I have to use more than one public IP address for each
site? If it is possible to use one public address for each site, how do I
route the private IPs through the Internet? The scheme should look like this one:

HostA<--->PIX<--->RouterA<--->Internet Cloud<--->RouterB<--->PIXB<--->HostB
privIP    privIP  pubIP           |VPN|          pubIP       privIP   privIP

Thanks in advance

David

SISP


