--===============0979661992==
Content-Type: multipart/alternative; boundary="0-1619347303-1149469147=:40329"
Content-Transfer-Encoding: 8bit

--0-1619347303-1149469147=:40329
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

They have NAT/Firewall device. I do not know whether the device passthrough ipsec.
They have their own DC, but our PC is not part of their Domain, beucaus we use only RDP right now.
the IT admin says that he has a spare public IP,




Sanford Reed wrote:
v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape {behavior:url(#default#VML);} st1\:*{behavior:url(#default#ieooui) } This can be done but to give a proper answer we need more info.

1. How does the landlord provide connectivity for the systems in the remote office?
2. Are they on a VLAN:
a. off his Core Switch?
b. Off of the FW device
c. Do the have their own FW device connected direct to his Internet connection.
3. How do the users in the Remote office Authentic? Do they have their own Domain Controller/Network or are they using the Landlord’s DC?


The simplest way would be to establish a site-to-site VPN tunnel in the FWs then within those FW devices set the routing for that tunnel to be between your HQ LAN and the 10.0.10.0 network only.
The problem with this is that it exposes your HQ network’s routing info to the landlord’s network. You lose security control on the CA end of the tunnel therefore security control of the tunnel. AND open your FW device and network to ‘internal’ attack from the landlord’s network.


The best way would to be to have the landlord install a switch between the ISP connection and his FW. Then you provide a FW device and a Layer 3 enabled switch that would be used to connect to your workstations only to connect to the ‘public’ switch. The landlord would have to ‘loan’ you one of his Public IP Addresses to place on your FW Device or you could ask him to obtain an additional 8 IP address block from his ISP for your use. Offer to pay the monthly charges for these addresses; it shouldn’t be more than about $20/month.
Establish the site-to-site VPN tunnel to this new FW and setup the same routing rules. You can then build a GRE tunnel between the HQ core switch and the new switch in the remote office to pass routing information. You should also place a DC in the remote office to allow them to authentic and receive network policies locally to reduce the WAN auth traffic.


Sanford Reed
(V) 757.406.7067


---------------------------------

From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Ratna Thurairatnam
Sent: Sunday, May 28, 2006 4:47 PM
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] Site to siteVPN between public ip and private ip


We have HQ in NYC and a remote office in CA, the users in CA office in another companies's network(landloard is providing internet connection).

At present our CA user's PC are getting NATed ip (10.0.10.*) from landload's network to connect to internet then they are using RDP to connect our NYC office..

We have now bought a program which is not support to run on TS, so we now have to giveup the TS and find the way to connect the CA to NYC.



We now want to setup VPN.

is it possible to setup VPN, if our CA pix get private ip for it's external interface?

thank you for your help in Advance.

Mutthu






---------------------------------

Talk is cheap. Use Yahoo! Messenger to make PC-to-Phone calls. Great rates starting at 1˘/min.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards


__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
--0-1619347303-1149469147=:40329
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

They have NAT/Firewall device. I do not know whether the device passthrough ipsec.
They have their own DC, but our PC is not part of their Domain, beucaus we use only RDP right now.
the IT admin says that he has a spare public IP,
 
 


Sanford Reed <sanford.reed@cox.net> wrote:
fficeffice" />ffice:smarttags"> namespaceuri="urn:schemas-microsoft-comffice:smarttags">
face=Arial color=navy size=2>This can be done but to give a proper answer we need more info. >>
>
1. How does the landlord provide connectivity for the systems in the remote office? >>
2. Are they on a VLAN:>>
   a. off his Core Switch?>>
color=navy size=2>   b. Off of the FW device>>
   c. Do the have their own FW device connected direct to his Internet connection.>>
3. How do the users in the Remote office Authentic? Do they have their own Domain Controller/Network or are they using the Landlord’s DC?>>
>
>
The simplest way would be to establish a site-to-site VPN tunnel in the FWs then within those FW devices set the routing for that tunnel to be between your HQ LAN and the 10.0.10.0 network only. >>
The problem with this is that it exposes your HQ network’s routing info to the landlord’s network. You lose security control on the CA end of the tunnel therefore security control of the tunnel. AND open your FW device and network to ‘internal’ attack from the landlord’s network.>>
>
class=MsoNormal>>
The best way would to be to have the landlord install a switch between the ISP connection and his FW. Then you provide a FW device and a Layer 3 enabled switch that would be used to connect to your workstations only to connect to the ‘public’ switch. The landlord would have to ‘loan’ you one of his Public IP Addresses to place on your FW Device or you could ask him to obtain an additional 8 IP address block from his ISP for your use. Offer to pay the monthly charges for these addresses; it shouldn’t be more than about $20/month.>>
Establish the site-to-site
VPN tunnel to this new FW and setup the same routing rules. You can then build a GRE tunnel between the HQ core switch and the new switch in the remote office to pass routing information. You should also place a DC in the remote office to allow them to authentic and receive network policies locally to reduce the WAN auth traffic. >>
>
>
ffice:smarttags" />lace w:st="on">Sanfordlace> face=Arial color=navy size=2> Reed
(V) 757.406.7067>>

From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Ratna Thurairatnam
Sent: Sunday, May 28, 2006 4:47 PM
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] Site to siteVPN between public ip and private ip
>>
>
We have HQ in NYC and a remote office in CA, the users in CA office in another companies's network(landloard is providing internet connection).>>
At present our CA user's PC are getting NATed ip (10.0.10.*) from landload's network to connect to internet then they are using RDP to connect our NYC
office..>>
We have now bought a program which is not support to run on TS, so we now have to giveup the TS and find the way to connect the CA to NYC. >>
 >>
We now want to setup VPN.>>
is it possible to setup VPN, if our CA pix get private ip for it's external interface?>>
thank you for your help in
Advance.>>
Mutthu>>
 >>
 >>

Talk is cheap. Use Yahoo! Messenger to make PC-to-Phone calls. Great rates starting at
1˘/min.
>>