Cascaded VPN

sandman42 · ‎10-03-2010

Hi,

I have two networks to connect via VPN as of this picture:

The rules are:

Client on LAN A must be able to connect to server on LAN C

Making a VPN between Firewall A and Firewall B is not a problem

Client must not connect to any host on LAN B, except for the outside interface of Firewall C.

How can I setup such a system, considering that I have control on all the three firewalls?

I've thought to make a VPN between Firewall A and B, then a VLAN between Firewall B and Firewall C.

Is there any better way to do that?

Thanks

Francesco

Jitendriya Athavale · ‎10-03-2010

tht should not be a problem at all

just terminate the vpn on site b firewall, keep the interesting traffic(crypto acl) as from net a to net c or net a to patted ip of net c on firewall c

within net c if you do not want few hosts to access net a you can use vpn filter or deny them is nat exempt as you cannot have a deny in crypto acl

eg

192.168.1.0 ------- A

192.168.2.0 ------- B

192.168.3.0 ------- C

vpn traffic - from 192.168.1.0 to 192.168.3.0 on site a firewall

vpn traffic - from 192.168.3.0 to 192.168.1.0 on site b firewall

if you want the access to be for a natted host on firewall c use that instead of 192.168.3.0 in vpn traffic

hope this helps

Namit Agarwal · ‎10-03-2010

Hi ,

I am assuming that the connectivity from Firewall B to LAN C is established, the Firewall B has routes for LAN C. Now we can establish a tunnel between Firewall A and Firewall B and the interesting traffic for this tunnel will be between A and C. On Firewall A the interesting traffic for the tunnel will be A to C and on the Firewall B the interesting traffic will be C to A. So now when on A side we initiate traffic for destination C it goes into the tunnel. If we initiate traffic for destination B the traffic will not go into the tunnel and A LAN cannot access B LAN.

Cheers,

Namit