
VPN Tunnel Termination Points

Status
Not open for further replies.

JoeBloggssss (IS-IT--Management, GB)
Jan 21, 2005
Hi,

I have a quick question. To the best of my understanding, a VPN can be terminated at the edge router, firewall, or VPN appliance (Cisco Secure VPN Concentrator or Nokia device). I am currently aware all these devices are interoperable as they conform to standards for the IKE and IPSEC phases; I have also read up on VPDN for dialup. My question is: are Cisco routers preferred to Nokia devices as a more cost-effective solution with enhanced routing and switching capabilities? I read that due to the nature of the IPSEC protocol it cannot traverse a NAT device, so if I want VPN-1 to handle my VPNs and act as termination points but have a router sitting in front of my enforcement module, how can I do this? What is the VPN design you guys usually implement? I assume you host VPN services with a DMZ?
 
In most cases the router would not perform NAT in front of the firewall enforcement point. Generally (and I'm speaking from the point of view of what I normally configure) a security enforcement point would perform NAT and firewall security and be a VPN endpoint; the router that connects the firewall to the internet/WAN etc. would simply route that traffic, not NAT it.

Of course, you can do edge filtering on a router without having to perform NAT but I usually leave the router pretty much open and handle all security on the gateway/firewall so that is also the VPN endpoint.

Also, normally we do not perform NAT between VPN networks, but sometimes private networks clash on IP address schemes so we have a couple where VPN traffic is NATed and it works perfectly well.

Chris.



**********************
Chris A.C, CCNA, CCSA
**********************
 
Hi Chris,

I am trying to get my head round this. So how does the Cisco router forward internally to the gateway without NATing? What IP addresses would you use on the interfaces so that it finds its way to the gateway? I mean, don't you need a subnet between the router and firewall? Any help would be great.
 
Chris, if I don't NAT at the edge router, I assume I will have to assign the primary public IP to the router's external interface, then one of the public block's IPs to the router's internal interface and the firewall's external interface? Is this not wasteful of the router's external and internal IP addresses, as I cannot use them?
 
> So how does the Cisco router forward internally to the gateway without NATing?

Traffic to the IP range is routed to the router which connects to the firewall. A router can route packets without having to NAT them.

We just assign the first IP address from the allocation to the ethernet port of the router. The firewall then connects to that via the WAN port with the next available address.

The WAN link on the router can either be a private IP to connect to another device or it can be another /30 IP range or on leased lines we use IP unnumbered.

LAN<-->[fwLAN][fwWAN]<-->[router_Eth][router_WAN]<->internet

All other global IPs are then configured for NAT to internal servers on the firewall.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Hi Chris,

Just a quick question: why do you prefer to perform NAT on the firewall and not the edge router? Is it because of the functionality of CP? Thinking about it, would it not place more load on the already resource-intensive firewall, and does the platform really scale? Nokia is very expensive for high-end models to provide the scalability needed. Or, from a security standpoint, does NATing on the edge router cause an issue with a decrease in security? Thanks
 
Having the firewall do NAT does not cause any significant load on the box. Also, if we did NAT on the router it could cause problems with the firewall (like being a VPN endpoint), and so it makes much more sense to do this on the firewall itself. Thirdly, the NAT rules also form part of the security, and Firewall-1 is very good at managing NAT, more so than a router. Most firewall devices integrate NAT as part of the security. For example, NAT is the basis of the way that the Pix firewall works. No traffic is passed that has not been NATed by the firewall (doesn't have an xlate slot).

It just makes perfect sense to use all the facilities of the firewall and let it do what it was designed to do. Let the router route and the firewall look after security and NAT (as well as some other things).

If you work with Firewall-1, have a close look at the product and look at how NAT can be used in the security policy and how you can manage it in Smart Dashboard. You will see that it makes perfect sense.

Chris.


**********************
Chris A.C, CCNA, CCSA
**********************
 
Hi,

I agree with what you say regarding the enhanced functionality of Check Point. However, Check Point and other Cisco and non-security solutions offer NAT-T, which encapsulates the IPSEC traffic so it can traverse NAT devices without invalidating the packet; thus, the router would not need to be the VPN termination endpoint. And yes, I have worked with automated rules for network objects and like the functionality of ConnectControl when using "other" for load balancing. So yes, you are right from my current understanding.


Christopher McGill
CCSA, CCNA, MCP
 
Well, devices usually support NAT-T to allow VPN clients from behind those firewalls to connect to other firewalls and create client-to-site VPNs. For example, when I'm out on a customer's site, I'm usually behind their firewall and I use a Cisco VPN client to connect to my office, so my client has to support NAT-T to allow that connection to pass through the firewall.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
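The two posts above (Christopher's point that NAT-T encapsulates IPSEC so it survives a NAT device, and Chris's client-behind-a-customer-firewall case) both rest on the UDP encapsulation defined in RFC 3948: plain ESP has no port numbers for a NAT to rewrite, so NAT-T wraps ESP and IKE in UDP port 4500 and tells them apart with a 4-byte "non-ESP marker". The following is an added example, not code from the thread or from Check Point or Cisco, that parses UDP/4500 payloads the way a firewall or IDS would have to when it sees NAT-T traffic; all packets are constructed in the block.

```python
import struct
from collections import Counter

# RFC 3948: on UDP/4500, IKE messages are prefixed with four zero bytes so that a
# receiver can distinguish them from ESP, whose first four bytes are a non-zero SPI.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"          # one-byte datagram that keeps the NAT mapping alive
IKE_HEADER_LEN = 28              # RFC 7296 section 3.1 (same layout in IKEv1)


def encapsulate_esp(esp_packet: bytes) -> bytes:
    """UDP-encapsulated ESP carries the ESP packet as-is (RFC 3948 section 2.1)."""
    if len(esp_packet) < 8 or esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("not a valid ESP packet (needs a non-zero SPI and sequence number)")
    return esp_packet


def encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE on port 4500 is prefixed with the non-ESP marker (RFC 3948 section 2.2)."""
    return NON_ESP_MARKER + ike_message


def classify_nat_t(payload: bytes) -> dict:
    """Classify the payload of a UDP/4500 datagram as keepalive, IKE or ESP."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            raise ValueError("truncated IKE header behind non-ESP marker")
        ispi, rspi, next_pl, version, exch, flags, msg_id, length = struct.unpack(
            "!QQBBBBII", ike[:IKE_HEADER_LEN])
        return {
            "kind": "ike",
            "initiator_spi": ispi,
            "responder_spi": rspi,
            "major_version": version >> 4,
            "exchange_type": exch,
            "message_id": msg_id,
            "declared_length": length,
        }
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        # An SPI of zero is reserved, so a zero here means the marker check above failed.
        if spi != 0:
            return {"kind": "esp", "spi": spi, "sequence": seq}
    raise ValueError("unrecognised NAT-T payload")


def summarise(datagrams: list[bytes]) -> Counter:
    """Count datagram kinds on a UDP/4500 flow, e.g. for a monitoring rule."""
    return Counter(classify_nat_t(d)["kind"] for d in datagrams)


# Constructed samples: an IKEv2 IKE_SA_INIT request (exchange type 34, header only),
# an ESP packet with SPI 0xDEADBEEF and sequence 1, and a NAT keepalive.
SAMPLE_IKE = encapsulate_ike(
    struct.pack("!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER_LEN))
SAMPLE_ESP = encapsulate_esp(struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 16)
SAMPLE_FLOW = [SAMPLE_IKE, SAMPLE_ESP, SAMPLE_ESP, NAT_KEEPALIVE]

if __name__ == "__main__":
    for d in SAMPLE_FLOW:
        print(classify_nat_t(d))
    print(summarise(SAMPLE_FLOW))
```

The practical consequence for the design discussed in the thread is that a NAT-T capable endpoint behind a NATing router only needs UDP 500 and UDP 4500 passed through, but a firewall that terminates VPNs without NAT in front of it, as Chris describes, never has to rely on this encapsulation for its site-to-site tunnels.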
 