Cascaded VPN

Unanswered Question
Oct 3rd, 2010

Hi,


I have two networks to connect via VPN as of this picture:


[Image: VPN.jpg]

The rules are:


Client on LAN A must be able to connect to server on LAN C

Making a VPN between Firewall A and Firewall B is not a problem

Client must not connect to any host on LAN B, except for the outside interface of Firewall C.


How can I set up such a system, considering that I have control over all three firewalls?


I've thought to make a VPN between Firewall A and B, then a VLAN between Firewall B and Firewall C.


Is there any better way to do that?


Thanks


Francesco

Jitendriya Athavale Sun, 10/03/2010 - 10:19
User Badges: Cisco Employee

That should not be a problem at all.

Just terminate the VPN on the site B firewall and keep the interesting traffic (crypto ACL) as from net A to net C, or from net A to the PATed IP of net C on Firewall C.

Within net C, if you do not want a few hosts to access net A, you can use a VPN filter or deny them in the NAT exempt, as you cannot have a deny in a crypto ACL.


E.g.:

  • 192.168.1.0 ------- A
  • 192.168.2.0 ------- B
  • 192.168.3.0 ------- C

VPN traffic: from 192.168.1.0 to 192.168.3.0 on the site A firewall.

VPN traffic: from 192.168.3.0 to 192.168.1.0 on the site B firewall.

If you want the access to be for a NATed host on Firewall C, use that instead of 192.168.3.0 in the VPN traffic.

Hope this helps.

Namit Agarwal Sun, 10/03/2010 - 10:51
User Badges: Cisco Employee

Hi,


I am assuming that the connectivity from Firewall B to LAN C is established, the Firewall B has routes for LAN C. Now we can establish a tunnel between Firewall A and Firewall B and the interesting traffic for this tunnel will be between A and C. On Firewall A the interesting traffic for the tunnel will be A to C and on the Firewall B the interesting traffic will be C to A. So now when on A side we initiate traffic for destination C it goes into the tunnel. If we initiate traffic for destination B the traffic will not go into the tunnel and A LAN cannot access B LAN.


Cheers,


Namit
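A worked configuration for the design both replies describe, added here as an example; it is not taken from either poster and has not been applied to the asker's devices. It assumes ASA 8.2-style syntax, the subnets from the first reply (LAN A 192.168.1.0/24, LAN B 192.168.2.0/24, LAN C 192.168.3.0/24), constructed outside addresses 203.0.113.1 for Firewall A and 203.0.113.2 for Firewall B, 192.168.2.254 as the outside interface of Firewall C, 192.168.3.10 as one LAN C host that must not reach LAN A, and a pre-shared key placeholder. Firewall A's crypto ACL covers LAN C plus the single LAN B host the question allows; Firewall B's is the mirror image. Because a crypto ACL cannot carry a deny, the LAN C host is blocked with a vpn-filter attached to the tunnel-group's group-policy on Firewall B.

```cisco
! ===== Firewall A (ASA 8.2-style syntax assumed; addresses are constructed) =====
! Interesting traffic: LAN A -> LAN C, plus LAN A -> the outside interface of
! Firewall C (192.168.2.254, assumed), the only host on LAN B that may be reached.
access-list VPN_A_TO_C extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list VPN_A_TO_C extended permit ip 192.168.1.0 255.255.255.0 host 192.168.2.254
! NAT exemption mirrors the crypto ACL so tunnelled packets keep their real source.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 host 192.168.2.254
nat (inside) 0 access-list NONAT
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_A_TO_C
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <REPLACE-WITH-SHARED-SECRET>

! ===== Firewall B (mirror image; Firewall B is assumed to already route to LAN C) =====
access-list VPN_C_TO_A extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN_C_TO_A extended permit ip host 192.168.2.254 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip host 192.168.2.254 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
! A crypto ACL cannot say "deny", so LAN C hosts that must not reach LAN A are
! cut off with a vpn-filter. vpn-filter ACLs are written with the remote network
! as the source and the local network as the destination; 192.168.3.10 is a
! constructed example of a blocked host. The deny is listed before the permit.
access-list VPN_FILTER extended deny ip 192.168.1.0 255.255.255.0 host 192.168.3.10
access-list VPN_FILTER extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list VPN_FILTER extended permit ip 192.168.1.0 255.255.255.0 host 192.168.2.254
group-policy L2L_A_POLICY internal
group-policy L2L_A_POLICY attributes
 vpn-filter value VPN_FILTER
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_C_TO_A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy L2L_A_POLICY
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <REPLACE-WITH-SHARED-SECRET>
```

Traffic from LAN A to any other LAN B address matches neither Firewall A's crypto ACL nor its NAT exemption, so it never enters the tunnel, which is what enforces the question's third rule; nothing further is needed on Firewall B for that. Firewall C is not configured above: it only needs a route for 192.168.1.0/24 pointing at Firewall B and an interface ACL permitting the client-to-server flow (an assumption about its role, since neither reply covers it). After bringing the tunnel up, `show crypto ipsec sa` on Firewall A should list one security association per crypto ACL entry, and a ping from a LAN A client to a LAN B host other than 192.168.2.254 should fail rather than appear in the SA counters.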
