Question : Problem: configuration setting up VPN device behind PIX
Hello Experts,
I'm trying to implement a new NetGear SSLVPN312 into my existing network. I'd like the VPN concentrator to sit behind my PIX 506E firewall. I've seen some diagrams of this setup, but I am not exactly sure how to set this up. Is it as easy as setting up static NAT?
Can anyone please provide any recommendations?
Thank you in advance
Answer : Problem: configuration setting up VPN device behind PIX
You're exactly right. For example, if your internal network is 192.168.1.0/24, and the new Netgear VPN network for the remote clients is 192.168.2.0/24, then you would have to have some way of directing your traffic to the Netgear to get to the 192.168.2.0/24 network.
However, you will not be able to use the PIX to do this since the PIX is not a router. There is an immutable rule in the PIX that disallows traffic entering an interface to exit that same interface, so even if you put in a "route inside" statement, the traffic wouldn't make it back to the Netgear.
You have two options:
1. Use a true layer 3 device (router) with a static route directing traffic destined for 192.168.2.0/24 to the inside interface of the Netgear, or
2. Put in a static route on each device that does the same thing as option 1 above.
I've had this situation before and I've solved it both ways. If you have an internal router, that is the best way to do it. If you don't have one, then you may consider putting in a static route just on servers and other shared resources that the Netgear VPN clients will need to talk to. If the Netgear VPN clients don't need to get to all of the workstations, then you'll only need to put in a static route on the servers and anything else they need to access.
Hope this helps...
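As an added worked example (not part of the answer above), the following Python helper turns the two options into a concrete route plan. It sanity-checks the topology the answer relies on (the VPN client pool must not overlap the LAN, and the Netgear's inside address must actually sit on the LAN, or the hosts could never reach it as a next hop) and then emits the static-route command for either the internal router (option 1) or each server that must reach the VPN clients (option 2). The addresses 192.168.1.5 for the Netgear inside interface, the host names, and the command formats for Linux, Windows and a Cisco IOS router are assumptions chosen for illustration.

```python
import ipaddress
from typing import Dict, Optional


def plan_static_routes(
    lan_cidr: str,
    vpn_pool_cidr: str,
    netgear_inside_ip: str,
    hosts: Dict[str, str],
    internal_router: Optional[str] = None,
) -> Dict[str, str]:
    """Return {device_name: static-route command} for reaching the VPN client pool.

    hosts maps a server name to its platform ("linux" or "windows").
    If internal_router is given (option 1), only that router needs the route and
    a Cisco IOS style command is returned for it; otherwise (option 2) every
    listed server gets its own route via the Netgear's inside interface.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    pool = ipaddress.ip_network(vpn_pool_cidr, strict=True)
    gateway = ipaddress.ip_address(netgear_inside_ip)

    # The PIX will not hairpin traffic, so the only working next hop for the
    # pool is the Netgear's inside address, which therefore must be on the LAN.
    if gateway not in lan:
        raise ValueError(f"Netgear inside address {gateway} is not inside {lan}")

    # Overlapping pool and LAN would make every LAN host ambiguous for routing.
    if lan.overlaps(pool):
        raise ValueError(f"VPN client pool {pool} overlaps the LAN {lan}")

    if internal_router is not None:
        # Option 1: one route on the layer-3 device (assumed Cisco IOS syntax).
        return {
            internal_router: f"ip route {pool.network_address} {pool.netmask} {gateway}"
        }

    # Option 2: a host route on each server that VPN clients must reach.
    commands: Dict[str, str] = {}
    for name, platform in hosts.items():
        if platform == "linux":
            commands[name] = f"ip route add {pool} via {gateway}"
        elif platform == "windows":
            # -p makes the route persistent across reboots.
            commands[name] = (
                f"route -p add {pool.network_address} mask {pool.netmask} {gateway}"
            )
        else:
            raise ValueError(f"unsupported platform {platform!r} for host {name}")
    return commands


if __name__ == "__main__":
    # Constructed sample topology: LAN and pool from the answer, the rest assumed.
    servers = {"fileserver": "linux", "dc01": "windows"}
    for device, cmd in plan_static_routes(
        "192.168.1.0/24", "192.168.2.0/24", "192.168.1.5", servers
    ).items():
        print(f"{device}: {cmd}")
    for device, cmd in plan_static_routes(
        "192.168.1.0/24", "192.168.2.0/24", "192.168.1.5", servers, "core-rtr"
    ).items():
        print(f"{device}: {cmd}")
```

Running it with an internal router named yields a single `ip route` line for that router; without one it yields one persistent host route per server, which is exactly the per-server work the answer warns about, so the list of servers doubles as the checklist of what must be maintained when the VPN pool ever changes.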