This can be done but to give a proper answer we need more info.

1. How does the landlord provide connectivity for the systems in the remote office?

2. Are they on a VLAN:

   a. off his Core Switch?

   b. Off of the FW device?

   c. Do they have their own FW device connected directly to his Internet connection?

3. How do the users in the Remote office authenticate? Do they have their own Domain Controller/Network or are they using the Landlord's DC?

The simplest way would be to establish a site-to-site VPN tunnel in the FWs, then within those FW devices set the routing for that tunnel to be between your HQ LAN and the 10.0.10.0 network only.

The problem with this is that it exposes your HQ network's routing info to the landlord's network. You lose security control on the CA end of the tunnel, and therefore security control of the tunnel, AND open your FW device and network to 'internal' attack from the landlord's network.

The best way would be to have the landlord install a switch between the ISP connection and his FW. Then you provide a FW device and a Layer 3 enabled switch, used to connect your workstations only, to connect to the 'public' switch. The landlord would have to 'loan' you one of his Public IP Addresses to place on your FW Device, or you could ask him to obtain an additional 8 IP address block from his ISP for your use. Offer to pay the monthly charges for these addresses; it shouldn't be more than about $20/month.

Establish the site-to-site VPN tunnel to this new FW and set up the same routing rules. You can then build a GRE tunnel between the HQ core switch and the new switch in the remote office to pass routing information. You should also place a DC in the remote office to allow them to authenticate and receive network policies locally, to reduce the WAN auth traffic.

Sanford Reed
(V) 757.406.7067
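Added example, not part of the list post above or written by its author: a small Python model of the two controls the reply recommends. First, the tunnel's traffic selector is restricted to HQ LAN <-> 10.0.10.0/24, so traffic from the landlord's other subnets is never carried across the tunnel. Second, prefixes exchanged over the GRE tunnel are filtered against an allow-list in both directions, so HQ advertises only its own LAN (limiting the routing-info exposure the reply warns about) and accepts from the remote side only the prefixes it expects. 10.0.10.0/24 is the CA office network from the thread; the HQ prefix 192.0.2.0/24 and every other address in the block are constructed placeholders from the RFC 5737 documentation ranges.

```python
# Added example (not from the original list post or its author): a model of
# (1) a tunnel traffic selector limited to local LAN <-> remote LAN, and
# (2) prefix-list style import/export filtering of routes learned over GRE.
# 10.0.10.0/24 is from the thread; all other addresses are constructed
# placeholders (RFC 5737 documentation ranges).
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Tuple

HQ_LAN = ip_network("192.0.2.0/24")      # assumed HQ LAN (placeholder)
REMOTE_LAN = ip_network("10.0.10.0/24")  # CA office LAN, named in the thread


@dataclass(frozen=True)
class TunnelPolicy:
    """Traffic selector for one end of the tunnel: local LAN <-> remote LAN only."""
    local: IPv4Network
    remote: IPv4Network

    def selects(self, src: str, dst: str) -> bool:
        s, d = ip_address(src), ip_address(dst)
        return (s in self.local and d in self.remote) or (s in self.remote and d in self.local)


def classify_flow(policy: TunnelPolicy, src: str, dst: str) -> str:
    """Decide what this end's firewall does with a flow.

    'tunnel': matches the selector; encrypted and forwarded through the VPN.
    'clear' : one side is our own LAN but the other is not the far LAN
              (ordinary Internet traffic); it stays out of the tunnel.
    'drop'  : neither side is our LAN. On the CA end this is exactly the
              landlord's other subnets trying to reach HQ via our tunnel.
    """
    if policy.selects(src, dst):
        return "tunnel"
    s, d = ip_address(src), ip_address(dst)
    if s in policy.local or d in policy.local:
        return "clear"
    return "drop"


def filter_routes(candidates: List[str], allowed: List[IPv4Network]) -> Tuple[List[str], List[str]]:
    """Keep a prefix only if some allowed prefix covers it (prefix-list semantics).

    Works as an import filter (what we accept from the GRE neighbour) and as an
    export filter (what we are willing to advertise). Returns (accepted, rejected);
    the rejected list is what a defender would log and alert on.
    """
    accepted, rejected = [], []
    for prefix in candidates:
        net = ip_network(prefix)
        if any(net.subnet_of(a) for a in allowed):
            accepted.append(str(net))
        else:
            rejected.append(str(net))
    return accepted, rejected


# Selector as installed on the CA-side firewall: local = CA LAN, remote = HQ LAN.
CA_POLICY = TunnelPolicy(local=REMOTE_LAN, remote=HQ_LAN)


def check_hq_route_exchange(learned_from_ca: List[str], hq_table: List[str]):
    """HQ side: accept only the CA LAN from the GRE neighbour, export only HQ_LAN."""
    imported = filter_routes(learned_from_ca, [REMOTE_LAN])
    exported = filter_routes(hq_table, [HQ_LAN])
    return imported, exported


if __name__ == "__main__":
    # Constructed flows seen at the CA firewall: CA->HQ, CA->Internet, and a
    # landlord subnet (10.0.20.0/24, placeholder) trying to reach HQ.
    for src, dst in [("10.0.10.25", "192.0.2.10"),
                     ("10.0.10.25", "203.0.113.7"),
                     ("10.0.20.5", "192.0.2.10")]:
        print(f"{src} -> {dst}: {classify_flow(CA_POLICY, src, dst)}")
    # Constructed advertisements: the far side offers its LAN plus a default
    # route and a copy of the HQ prefix (what a route hijack would look like).
    imported, exported = check_hq_route_exchange(
        ["10.0.10.0/24", "0.0.0.0/0", "192.0.2.0/24"],
        ["192.0.2.0/24", "198.51.100.0/24"],  # HQ LAN plus a placeholder internal prefix
    )
    print("imported:", imported)
    print("exported:", exported)
```

The same filter_routes helper serves both directions on purpose: the reply's concern is that a tunnel terminated inside the landlord's network exposes HQ routing information, and the export filter is the half that keeps HQ's internal prefixes from leaving, while the import filter keeps a default route or a bogus copy of the HQ prefix from being accepted from the far end.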

_____

From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Ratna Thurairatnam
Sent: Sunday, May 28, 2006 4:47 PM
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] Site to site VPN between public ip and private ip

We have HQ in NYC and a remote office in CA; the users in the CA office are in another company's network (the landlord is providing the internet connection).

At present our CA users' PCs are getting NATed IPs (10.0.10.*) from the landlord's network to connect to the internet, then they are using RDP to connect to our NYC office.

We have now bought a program which is not supported to run on TS, so we now have to give up the TS and find a way to connect CA to NYC.

We now want to set up VPN.

Is it possible to set up VPN if our CA PIX gets a private IP for its external interface?

Thank you for your help in advance.

Mutthu



_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards
