Re: VPN question

From: Phillip Windell (_at_.)
Date: 02/11/04


Date: Wed, 11 Feb 2004 10:35:52 -0600


"lill" <lillanita@hotmail.com> wrote in message
news:#TQTcgH8DHA.2812@TK2MSFTNGP11.phx.gbl...
> But it is a fact that it might be interesting to use tunnels inside an
> internal network too.

I know, but as an illustration, it might be interesting to drive a
motorcycle up and down the hallway in your house, but that is not what it is
designed for. There are so many ways out there to do this "right", why do you
want to spend so much time, effort, and creativity to do it "wrong"?

> In my case I would like to have a Remote Access VPN
> from the remote client to the server running RRAS/ISA in the perimeter
> network. In addition to that, I want to have a server-to-server
> (host-to-host) VPN tunnel from servers running RRAS inside the internal
> network and the RRAS/ISA server in the perimeter network. The traffic
> from the remote clients is inspected by the RRAS/ISA server before it
> is forwarded to the security zone (subnet), through a new tunnel, to get

Sounds like a Back-to-back DMZ. You can't do what you think there either.
You have to run one Tunnel inside the other Tunnel to even get across a B2B
DMZ to begin with and there is no way to "inspect" the contents within the
Tunnel.

Read about B2B DMZs and VPN by searching with "DMZ" and "VPN" on
www.isaserver.org

Your intent to do this with firewalls is just simply wrong. Firewalls run
NAT along with the rest of what they do,...you don't want NAT...this is not
suitable for what you want to do. You control the content of internal
traffic by using routers (not firewalls) and subnets,...that's half the
reason such things exist,...that is what they are for. Now if you find a
firewall where you can disable NAT and have it work like a router, then that
would be fine. ISA won't work for the same reason,...it does "proxying"
(similar to but different from NAT) and you don't want anything "proxying" the
requests between subnets in the private system; it creates a "trusted" and
"untrusted" subnet, and whichever subnet is the lucky one to be considered
"untrusted" gets cut off at the knees and no longer functions as a LAN.

> I do know that security in the LAN is one thing, and Remote Access VPNs
> another. But I do need both in my case, so what I am trying to define is
> a scenario where both security issues are defined. I also notice that

Use Routers with ACLs between the subnets. You have not stated exactly what
kind of "unwanted" traffic you are wanting to "inspect".....you may be
going through all this hassle for something that is really a non-issue
anyway....like, for example, using a firewall to stop a virus when that is not
what stops viruses; AV software does that.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
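The reply above recommends routers with ACLs between subnets rather than trying to inspect traffic inside a tunnel. The following is an added example written for this archive page, not code from Phillip Windell, Microsoft or the ISA Server project: a small first-match ACL evaluator in the style of a router's extended access list (first matching rule wins, unmatched traffic hits the implicit deny at the end). The subnets (perimeter 10.0.1.0/24, security zone 10.0.2.0/24, general LAN 10.0.3.0/24), hosts, ports and rules are constructed sample values, not taken from the thread. Note what the code does not do: it never rewrites addresses, which is the point of using a routed ACL instead of a NATing firewall or a proxy.

```python
"""Added example: router-style ACL evaluation between internal subnets.

Illustrative code for this page; the topology and rules are constructed
assumptions, not configuration from the original post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None matches any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


# Constructed sample topology (assumption, not from the thread):
#   PERIMETER      subnet where the RRAS/ISA VPN endpoint terminates clients
#   SECURITY_ZONE  subnet the remote clients are meant to reach
#   LAN            general internal subnet remote clients should not reach
PERIMETER = ipaddress.ip_network("10.0.1.0/24")
SECURITY_ZONE = ipaddress.ip_network("10.0.2.0/24")
LAN = ipaddress.ip_network("10.0.3.0/24")

# Evaluated top to bottom; first match wins. Anything that falls off the
# end is dropped, mirroring the implicit "deny any any" of a router ACL.
ACL: List[Rule] = [
    Rule("permit", "tcp", PERIMETER, SECURITY_ZONE, 443),
    Rule("permit", "tcp", PERIMETER, SECURITY_ZONE, 3389),
    Rule("permit", "icmp", PERIMETER, SECURITY_ZONE),
    Rule("deny", "ip", PERIMETER, LAN),
    Rule("permit", "ip", SECURITY_ZONE, LAN),
]


def matches(rule: Rule, flow: Flow) -> bool:
    """True if the flow falls under this rule's protocol, addresses and port."""
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in rule.src:
        return False
    if ipaddress.ip_address(flow.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def evaluate(acl: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); index None = implicit deny."""
    for index, rule in enumerate(acl):
        if matches(rule, flow):
            return rule.action, index
    return "deny", None


def filter_flows(acl: List[Rule], flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Apply the ACL to a batch of flows; addresses are passed through untouched."""
    return [(flow, evaluate(acl, flow)[0]) for flow in flows]


# Constructed sample flows crossing the router between the subnets.
SAMPLE_FLOWS = [
    Flow("tcp", "10.0.1.5", "10.0.2.10", 443),    # remote client to web app
    Flow("tcp", "10.0.1.5", "10.0.2.10", 22),     # not on the permitted list
    Flow("tcp", "10.0.1.5", "10.0.3.7", 445),     # remote client towards LAN
    Flow("udp", "10.0.2.10", "10.0.3.7", 53),     # security zone to LAN DNS
    Flow("icmp", "10.0.1.5", "10.0.2.10"),        # ping from client subnet
]

if __name__ == "__main__":
    for flow, verdict in filter_flows(ACL, SAMPLE_FLOWS):
        print(f"{verdict:6} {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}")
```

The ordering matters exactly as it does on a router: the specific permits for the security zone sit above the blanket deny towards the LAN, and a flow that matches nothing is dropped rather than silently allowed.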

