10-03-2010 09:53 AM
Hi,
I have two networks to connect via VPN, as shown in this picture:
The rules are:
Client on LAN A must be able to connect to server on LAN C
Making a VPN between Firewall A and Firewall B is not a problem
The client must not connect to any host on LAN B, except for the outside interface of Firewall C.
How can I set up such a system, considering that I have control of all three firewalls?
I've thought of making a VPN between Firewall A and B, then a VLAN between Firewall B and Firewall C.
Is there any better way to do that?
Thanks
Francesco
10-03-2010 10:19 AM
That should not be a problem at all.
Just terminate the VPN on the site B firewall, and keep the interesting traffic (crypto ACL) as from net A to net C, or from net A to the PATted IP of net C on Firewall C.
Within net C, if you do not want a few hosts to access net A, you can use a VPN filter or deny them in NAT exempt, as you cannot have a deny in a crypto ACL.
E.g.:
192.168.1.0 ------- A
192.168.2.0 ------- B
192.168.3.0 ------- C
VPN traffic: from 192.168.1.0 to 192.168.3.0 on the site A firewall
VPN traffic: from 192.168.3.0 to 192.168.1.0 on the site B firewall
If you want the access to be for a NATted host on Firewall C, use that instead of 192.168.3.0 in the VPN traffic.
Hope this helps.
10-03-2010 10:51 AM
Hi,
I am assuming that the connectivity from Firewall B to LAN C is established, i.e. Firewall B has routes for LAN C. Now we can establish a tunnel between Firewall A and Firewall B, and the interesting traffic for this tunnel will be between A and C. On Firewall A the interesting traffic for the tunnel will be A to C, and on Firewall B the interesting traffic will be C to A. So now when on the A side we initiate traffic for destination C, it goes into the tunnel. If we initiate traffic for destination B, the traffic will not go into the tunnel and LAN A cannot access LAN B.
Cheers,
Namit
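The two replies above, written out as an ASA configuration sketch for Firewall A and Firewall B. This is an added example, not configuration from the thread; the public peer addresses (203.0.113.1, 198.51.100.1), the interface names, the ISAKMP/transform settings, Firewall C's outside address on LAN B (192.168.2.254) and the blocked host 192.168.3.50 are assumptions, and the NAT syntax is the pre-8.3 form in use in 2010.

```cisco
! ---- Firewall A (ASA, pre-8.3 NAT syntax) ----
! Interesting traffic: LAN A -> LAN C only. LAN B (192.168.2.0) is deliberately absent,
! so client traffic destined for LAN B never enters the tunnel.
access-list VPN-A-TO-C extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
! NAT exemption mirrors the crypto ACL; otherwise PAT rewrites the source before encryption.
access-list NONAT-A extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list NONAT-A
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-A-TO-C
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-REAL-PSK

! ---- Firewall B (same isakmp policy and transform-set ESP-AES-SHA as on A) ----
! B reaches LAN C through Firewall C's outside interface on LAN B (assumed 192.168.2.254).
route inside 192.168.3.0 255.255.255.0 192.168.2.254
! Mirror image of A's crypto ACL: LAN C -> LAN A. Again no 192.168.2.0 entry.
access-list VPN-C-TO-A extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT-B extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT-B
! A crypto ACL cannot carry deny lines, so a vpn-filter on the tunnel's group policy
! decides which LAN C hosts the LAN A client may reach (192.168.3.50 blocked as an example).
! For a LAN-to-LAN filter the remote network is written as the source.
access-list VPN-FILTER extended deny ip 192.168.1.0 255.255.255.0 host 192.168.3.50
access-list VPN-FILTER extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
group-policy L2L-POLICY internal
group-policy L2L-POLICY attributes
 vpn-filter value VPN-FILTER
crypto map OUTSIDE-MAP 10 match address VPN-C-TO-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy L2L-POLICY
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-REAL-PSK
```

The vpn-filter matters because with the default `sysopt connection permit-vpn`, decrypted tunnel traffic bypasses the outside interface ACL, so an interface ACL alone would not restrict what arrives from LAN A.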