What's the netmask on your PSN Interface?  If you're subnetting
the 10.10.x.x address space, this should be fine.  If not, it
won't work because 10.10.2.50 and 10.10.2.50 would be on the
same logical network.

Also, I'm a little leery about accept all ports/protocols.
It's much better to just accept the ports/protocols for just
the services you need, otherwise you've essentially eliminated
security between the PSN and the PRO, which is the whole point
of having a PSN in the first place.


To virtualize a bit:

PSN (A1.B1.C1.x/24)
        |
        |
  GB PSN Interface & Alias
(A1.B1.C1.D1/24 & A1.B1.C1.D2/36)
        |
  GB PRO Interface
 (A2.B2.C2.D3/24)
        |
        |
Server on PRO (A2.B2.C2.D4)


You should be able to access Web Services on "Server on PRO" with:
  Inbound Tunnels
Index  Protocol  From IP Address       Port   To IP Address         Port   Options
-----  --------  --------------------  -----  --------------------  -----  -----------
1      TCP       A1.B1.C1.D2           80     A2.B2.C2.D4           80     filter


Or access DNS Services on "Server on PRO" with:
  Inbound Tunnels
Index  Protocol  From IP Address       Port   To IP Address         Port   Options
-----  --------  --------------------  -----  --------------------  -----  -----------
1      UDP       A1.B1.C1.D2           53     A2.B2.C2.D4           53     filter



I have used class "C" networks as examples but this would of
course work with any class or subclass, as long as the PSN and
PRO work out to be separate logical subnets.

Also, you can limit access to the tunnel to specific hosts on
the PSN by using a Remote Access Filter instead of selecting
the "Automatic Accept All" option on the Tunnel.


Mike Burden
Lynk Systems
http://www.lynk.com
(616)532-4985
[EMAIL PROTECTED]
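
The two checks raised in this reply (PSN and PRO must be separate logical subnets, and a tunnel should not accept all ports/protocols) can be run against a tunnel definition before it is saved. This is an added example, not part of the original message and not GNAT Box code; the interface addresses 10.10.2.1 and 10.10.20.1, the function name and the finding labels are assumptions, and port 0 is treated as "all ports" as in the quoted tunnel.

```python
import ipaddress

def audit_tunnel(psn_if, pro_if, tunnel):
    """Return a list of findings for one inbound tunnel definition.

    psn_if / pro_if: interface address with netmask,
                     e.g. "10.10.2.1/255.255.255.0" (assumed addresses)
    tunnel: dict with protocol, from_ip, from_port, to_ip, to_port
    """
    psn = ipaddress.ip_interface(psn_if).network
    pro = ipaddress.ip_interface(pro_if).network
    src = ipaddress.ip_address(tunnel["from_ip"])
    dst = ipaddress.ip_address(tunnel["to_ip"])
    findings = []

    # With too wide a netmask, both interfaces land on one logical network.
    if psn.overlaps(pro):
        findings.append("psn-pro-same-network")
    # The tunnel source (address or alias) has to live on the PSN side.
    if src not in psn:
        findings.append("source-not-on-psn")
    # The tunnel target has to live on the PRO side.
    if dst not in pro:
        findings.append("target-not-on-pro")
    # Protocol ALL or port 0 removes the separation between PSN and PRO.
    if tunnel["protocol"].upper() == "ALL" or 0 in (tunnel["from_port"], tunnel["to_port"]):
        findings.append("all-ports-or-protocols")
    return findings

# Constructed sample input, using the alias and target from the quoted message.
WIDE_OPEN = {"protocol": "ALL", "from_ip": "10.10.2.50", "from_port": 0,
             "to_ip": "10.10.20.6", "to_port": 0}
WEB_ONLY = {"protocol": "TCP", "from_ip": "10.10.2.50", "from_port": 80,
            "to_ip": "10.10.20.6", "to_port": 80}

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0"):
        for name, t in (("wide-open", WIDE_OPEN), ("web-only", WEB_ONLY)):
            result = audit_tunnel(f"10.10.2.1/{mask}", f"10.10.20.1/{mask}", t)
            print(mask, name, result or "ok")
```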


> -----Original Message-----
> From: Randy Haley [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 06, 2003 12:07 PM
> To: Mike Burden
> Subject: RE: [gb-users] Allowing access from PSN to PROTECTED Network
>
>
> Let me see if I have this straight.
>
> If I create an alias to the box on my Protected network:
>
> Name: Test
> Interface: PSN
> IP Address: 10.10.2.50
> Netmask: 255.255.255.255
>
> And then create an inbound tunnel:
>
> Protocol: ALL
> FROM IP ADDRESS 10.10.2.50
> PORT: 0
>
> TO IP ADDRESS 10.10.20.6
> PORT: 0
>
> And select Automatic accept all filter.
>
> This should work? Or have I missed a step?
> I am accepting all filters long enough to run the audit which
> will take 5 minutes to run on all the servers on my PSN. I will then
> uncheck the option box and save.
>
>
>
> -----Original Message-----
> From: Mike Burden [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 06, 2003 10:42 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [gb-users] Allowing access from PSN to PROTECTED Network
>
>
> You need to add a tunnel from the PSN address (or an alias) to
> the server on the PRO, and then filter access to the source of
> the tunnel (the address or alias on the PSN).   The hosts on
> the PSN will then access the host on the PRO using the address
> or alias on the PSN.
>
> Note that we just did this question on 12/18/2002 (See the thread
> "Pro to PSN?")
>
> Mike Burden
> Lynk Systems
> http://www.lynk.com
> (616)532-4985
> [EMAIL PROTECTED]
>
>
> > -----Original Message-----
> > From: Randy Haley [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, January 06, 2003 11:32 AM
> > To: [EMAIL PROTECTED]
> > Subject: [gb-users] Allowing access from PSN to PROTECTED Network
> >
> >
> > I need to "temporarily" add a filter that will allow any computer on my PSN
> > access to one computer on my protected network. This is so I can run an
> > inventory audit on the machines on my PSN. I can then disable the filter
> > after I am done and keep it until I need it again.
> >
> > What I am getting is the following:
> >
> > NAT: WARNING: Attempt by PSN to access a protected network. TCP
> > (10.10.2.X:4553)=>(10.10.1.X:0)=>(10.10.20.X:139)
> >
> > Any help would be appreciated.
> >
> > Randy Haley
> > [EMAIL PROTECTED]
> > East Texas Baptist University
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > To subscribe to the digest version first unsubscribe, then
> >  e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > Archive of the last 1000 messages:
> >  http://www.mail-archive.com/[email protected]