
Re: [fw-wiz] incoming NAT/PATs for VPN users

To: "Firewall Wizards Security Mailing List" <firewall-wizards@listserv.icsalabs.com>
Subject: Re: [fw-wiz] incoming NAT/PATs for VPN users
From: "kevin horvath" <kevin.horvath@gmail.com>
Date: Sat, 17 Feb 2007 21:42:17 -0500
In-reply-to: <343aa4f80702161441g35420e54xe4a5cdec0fb78997@mail.gmail.com>
References: <3c4611bc0702091350y41baaf8dwfe932f74ed612b0e@mail.gmail.com> <343aa4f80702161441g35420e54xe4a5cdec0fb78997@mail.gmail.com>
What kind of VPN will this be? I am assuming it will be a site-to-site; then you would most likely be doing NAT exemption, in which case there will be no NATing. Then you would use your crypto access list to permit or deny who is allowed to access whatever.

On the other hand, with VPNs aside, if company B were coming from, say, the Internet on your untrusted interface, then you could do either port redirection or static NAT (this would be a lot of NAT statements). Or, if company B is coming from a different interface (a non-publicly-routed interface, that is), then you could do policy-based NAT such as NAT 0 with an access list. This will allow you to make one NAT statement allowing many users (such as company B) from a lower-trusted interface to a more trusted interface (company A). I guess this would be your "magic of networking".

Hope this helps. If you need further explanation, let me know.

KMH
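The three approaches mentioned in this thread (NAT exemption for a site-to-site tunnel, a single policy NAT statement for a customer arriving on a lower-security interface, and the outside/bidirectional static NAT James points to) in PIX 7.x-era syntax. This is an added illustration, not configuration posted by anyone in the thread. All addresses and names are invented: company A's inside network is 10.1.0.0/16, company B's is 10.2.0.0/16, the DMZ interface where company B lands is called `partner`, and 10.1.250.0/24 is the mapped range.

```cisco
! Added example; not from the thread. Addresses, interface names and ACL
! names are invented for illustration.
! Company A inside: 10.1.0.0/16    Company B (customer): 10.2.0.0/16
! Interfaces: inside, outside, partner (DMZ where company B's traffic arrives)

! 1. Site-to-site VPN: NAT exemption. Traffic matching NONAT is passed
!    untranslated; the crypto ACL and interface ACLs do the access control.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! Crypto ACL: only what is listed here is encrypted into the tunnel, so list
! the resources company B may reach rather than the whole /16.
access-list VPN-TO-B extended permit ip host 10.1.5.20 10.2.0.0 255.255.0.0
access-list VPN-TO-B extended permit ip host 10.1.5.21 10.2.0.0 255.255.0.0

! 2. Company B arrives on the lower-security "partner" interface and needs
!    inside resources. One policy NAT statement covers all of 10.2.0.0/16.
!    The "outside" keyword marks this as outside NAT (lower -> higher
!    security), available from PIX 6.2 onward. Inside hosts see B's users as
!    10.1.250.1-254; when that pool is exhausted the last global line PATs
!    the remainder onto a single address, so a thousand users still fit.
access-list B-TO-A extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (partner) 2 access-list B-TO-A outside
global (inside) 2 10.1.250.1-10.1.250.254 netmask 255.255.255.0
global (inside) 2 10.1.250.255 netmask 255.255.255.255

! The translation is not the access control: nothing crosses from partner
! to inside until an interface ACL permits it.
access-list PARTNER-IN extended permit tcp 10.2.0.0 255.255.0.0 host 10.1.5.20 eq 443
access-group PARTNER-IN in interface partner

! 3. Bidirectional (static outside) NAT for one host: B's server 10.2.0.5
!    is seen inside as 10.1.250.5, and inside hosts may initiate to it.
!    Syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip.
static (partner,inside) 10.1.250.5 10.2.0.5 netmask 255.255.255.255
```

On PIX 6.3 drop the `extended` keyword from the access-list lines; the `nat`, `global` and `static` forms are the same. Note that ASA 8.3 and later replaced `nat`/`global`/`static` with object and twice NAT, so this example does not apply verbatim there.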

On 2/16/07, James <jimbob.coffey@gmail.com> wrote:
On 2/10/07, Brian Loe <knobdy@gmail.com> wrote:
> Let's say company A has a customer, company B. Company A needs to
> provide access to several (let's say many) resources within its network
> to a thousand or so employees at company B. Seems to me that you could
> simply PAT all of company B's connections when they arrive and the
> magic of networking should get them routed to the resources you've
> allowed them and back without any problem. Is there something I'm
> missing here?
>
> Is an incoming PAT not available on, for instance, an ASA? What about
> a PIX at 6.x or 7.x? What about incoming NAT pools for over a thousand
> possible users? Anything change if they're physically coming in on a
> DMZ port as opposed to the outside port - and needing access to
> resources in another, lower DMZ port (don't ask why a VPN customer
> would be trusted more than company A's web servers, that's just how it
> is in this virtual company)?

I think what you are after is outside or bidirectional NAT,
available in PIX > 6.2 and ASA.

http://snipurl.com/1aho9

--
jac
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
