
Routing a small office that uses Extranet


ME

Mar 21, 2003, 7:40:52 PM
Current Network Config:

I have about 15 host computers that establish their own Nortel Extranet (Bay
Networks, IPSEC) VPN session with a Xerox Extranet Server. Each host must
use its own username & password to establish identity with Xerox (we are
Agents, we don't make the rules, we just have to follow them). Currently each
PC is using its own public IP and is connected via a Cisco 2500 (base model)
router.

What I would like to accomplish:
I would like to set up a FreeBSD firewall and put the hosts on a private LAN
using the firewall as a router. I know that NAT will not allow this kind of
traffic (we tried it; only one host could connect at any given time, and that
can't work. Setting up a constant tunnel with Xerox is also out of the
question). I am a Unix and routing NEWBIE (idiot, actually)! There are
tons of IPForward/gateway/routing type options; what would be the best for
my situation given that we have a budget of $0.00 and a demand for *some* kind
of firewall? Mostly, it must be able to pass IPSEC. The Cisco router seems
to have no problems, but then, it's a router. Are there any options?

Thanks,

Ignorant and dumbfounded,
Matt


Ean Kingston

Mar 22, 2003, 3:31:12 PM
ME wrote:

Keep the public addresses on the internal desktop. Don't use NAT. Put in a
packet filtering firewall and configure the rules to allow IPSec. There are
plenty of documents on the web to firewall IPSec. At a high level, you will
wind up with something like this:


----Your Office Network---- (say addresses are 9.9.9.0/27)
|
| (say 9.9.9.1)
Firewall
| (9.9.10.2)
|
| (9.9.10.1)
ISP_ROUTER
|
V
INTERNET
|
|
Big_company_with_IPSEC_server

Obviously the 9.9.9/27 and 9.9.10.* would be assigned by your ISP.

The big deal about IPSec is that it includes the host address in its
authentication, so if the traffic doesn't come from the address found in the
authentication header, it isn't allowed in. This is why you can't run IPSec
through a NAT firewall.

--
Due to a significant increase in scams being sent to my e-mail address, I am
no longer making it available for direct replies.
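One way to write the packet-filter rules Ean describes, as an added example that is not part of the thread: a pf.conf for the FreeBSD box in his diagram that routes 9.9.9.0/27 without any NAT line and admits only IKE, ESP and AH from the Extranet server. It assumes pf (FreeBSD 5.3 or later; on the 2003-era 4.x branch the same filters would be written for ipfw), the interface names fxp0/fxp1, and a placeholder Extranet server address 203.0.113.10; none of those appear in the thread.

```conf
# /etc/pf.conf for the firewall in Ean's diagram (added example, not from the thread).
# /etc/rc.conf needs:  gateway_enable="YES"  pf_enable="YES"  pflog_enable="YES"
#                      pf_rules="/etc/pf.conf"
# The ISP router must hold a static route:  9.9.9.0/27 via 9.9.10.2

ext_if   = "fxp0"            # assumed NIC toward the ISP router, 9.9.10.2/30
int_if   = "fxp1"            # assumed NIC toward the office LAN, 9.9.9.1/27
office   = "9.9.9.0/27"      # the public block from the thread
extranet = "203.0.113.10"    # placeholder for the Xerox Extranet server address

set block-policy drop
set skip on lo0

# Deliberately no "nat on $ext_if" line: every desktop keeps its public 9.9.9.x
# address, so the IPsec peer sees exactly the address it authenticated.

# Default deny in both directions, logging what is dropped.
block log all

# Drop packets that arrive on an interface which cannot legitimately carry
# their source address (9.9.9.x sources showing up on $ext_if, for example).
antispoof log quick for { $int_if, $ext_if }

# Office hosts may open sessions outward; pf keeps state so the replies are
# admitted without a separate inbound rule. Each desktop's IKE (UDP/500) and
# its outbound ESP/AH to the Extranet server are covered by these two lines.
pass in  on $int_if from $office to any keep state
pass out on $ext_if from $office to any keep state

# What the Extranet server may originate toward the office:
#   IKE (UDP/500)          so the server can start a rekey of its own,
#   ESP (IP protocol 50)   the encrypted tunnel traffic,
#   AH  (IP protocol 51)   in case the Nortel client negotiates AH as well.
# Nothing else from the Internet is accepted.
pass in on $ext_if proto udp from $extranet to $office port 500 keep state
pass in on $ext_if proto esp from $extranet to $office keep state
pass in on $ext_if proto ah  from $extranet to $office keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the ESP and IKE states per desktop, and `tcpdump -n -e -ttt -i pflog0` shows what the `block log` rule is dropping, which is the first place to look if a client cannot connect. The "only one host at a time" behaviour Matt saw with NAT is what you expect from a port-based NAT in front of ESP: AH authenticates the outer IP header, so any address rewrite fails outright, and while ESP does not cover the outer header, it carries no port numbers, so a plain NAT has nothing to multiplex several clients on and can track at most one ESP session to a given server. IPsec NAT-Traversal (UDP encapsulation on port 4500, later standardized as RFC 3947/3948) was designed for exactly that, but it only helps if the Extranet server and the Nortel client both support it, which is outside Matt's control.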
