Your encryption domain should be your hidden network, not your internet-visible IPs. That would make your hidden IPs visible to the remote VPN site. Otherwise you are stuck with static NAT.

The VPN gateway's external IP needs to be seen by the remote VPN gateway.

Yes, if you have a VPN and one of the machines gets compromised at one end, then the other end could be vulnerable. Use your rules to specify which individual systems may access which other systems using which protocols. That might help a little. Think of a site-to-site VPN like a leased line, even though you are using the public network. Your rules are ACLs. User authentication still needs to occur on the internal network, and I like to have an IDS to monitor for "friendly fire" (attacks from "trusted" users or business partners).

Adam

Adam Safier
Global Systems & Strategies, Inc (GSS)
7000 Security Blvd, Suite 300
Baltimore, Md. 21244
(443) 436-6393
(410) 281-9193 (Main)
[EMAIL PROTECTED]

----- Original Message -----
From: "Rick Brown" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 26, 2002 10:57 AM
Subject: Site to site VPN

> I have to connect via VPN to another site and I need some advice/insight.
> Like everyone else, we have a set number of public IP addresses. The VPN
> is going to be two way (i.e. site A needs to access site B hosts and site
> B needs to access site A hosts). I'm a little fuzzy as to how to define
> the encryption domain. Our firewall is doing a HIDE NAT using the public
> address of the firewall. If I understand things, if I use my entire
> public range as the encryption domain, things should work, but if a
> public system is compromised they could potentially get VPN access to
> the other site (right?). Would static mappings get around this and, if
> so, would I just define a portion of the public range as the encryption
> domain? I'd like to not have to do static mappings so that I don't use
> up a lot of IP addresses. Any help would be appreciated. Thanks.
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
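The design Adam describes (encryption domain = the hidden networks on both sides, gateway public IPs only as tunnel endpoints, tunnel traffic kept out of hide NAT, and per-host/per-protocol rules as the ACL) as an added configuration example. This is not from either message in the thread, which names no VPN product. strongSwan's swanctl.conf format, the documentation-range gateway addresses 203.0.113.10 and 198.51.100.20, the private networks 10.1.0.0/16 (site A) and 10.2.0.0/16 (site B), and the connection and child names are all assumptions made for the example.

```conf
# Added example, not from the mailing-list thread.  Assumes strongSwan
# (swanctl.conf) on the site A gateway:
#   site A gateway 203.0.113.10, hidden network 10.1.0.0/16 (ours)
#   site B gateway 198.51.100.20, hidden network 10.2.0.0/16 (theirs)
connections {
    site-b {
        version      = 2
        # The gateways' public addresses are what each side sees.  They are
        # the IKE endpoints only, not the encryption domain.
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        proposals    = aes256-sha256-x25519
        local {
            auth = psk
            id   = 203.0.113.10
        }
        remote {
            auth = psk
            id   = 198.51.100.20
        }
        children {
            # Encryption domain = the hidden networks.  The traffic selectors
            # below are the private ranges, so packets between 10.1.0.0/16 and
            # 10.2.0.0/16 are matched by the IPsec policy before hide NAT ever
            # applies (see the NAT exclusion rule in the note that follows).
            # The remote site sees our private addresses and we see theirs;
            # no host in the public range is part of the domain.
            hidden-nets {
                local_ts      = 10.1.0.0/16
                remote_ts     = 10.2.0.0/16
                esp_proposals = aes256gcm16-x25519
                start_action  = trap
                dpd_action    = restart
            }
            # What the original poster was worried about, left here disabled
            # for contrast: using the whole public range as the encryption
            # domain.  Any host in 203.0.113.0/24, a compromised DMZ server
            # included, would then be a valid tunnel source toward site B.
            # public-range {
            #     local_ts  = 203.0.113.0/24
            #     remote_ts = 10.2.0.0/16
            # }
        }
    }
}

secrets {
    # Placeholder only: use a long random value, or better, certificates.
    ike-site-b {
        id-1   = 198.51.100.20
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"
    }
}
```

Two firewall rules complete the picture on a Linux gateway (again assumed; the host 10.1.5.10 and port 1433 are illustrative). First, exclude tunnel traffic from hide NAT ahead of the masquerade rule, so private source addresses survive into the tunnel: `iptables -t nat -I POSTROUTING -s 10.1.0.0/16 -d 10.2.0.0/16 -j ACCEPT`. Second, treat the tunnel as a leased line with an ACL on it: with a default DROP on FORWARD, permit only the specific flows the business needs, e.g. `iptables -A FORWARD -m policy --dir in --pol ipsec -s 10.2.0.0/16 -d 10.1.5.10 -p tcp --dport 1433 -j ACCEPT`, and the mirror-image rule for the other direction. After `swanctl --load-all` and `swanctl --initiate --child hidden-nets`, `ip xfrm policy` should show selectors of 10.1.0.0/16 and 10.2.0.0/16 and nothing from the public range; if a public address appears there, the encryption domain is wider than intended.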
