What Standalone Firewall? ComputerWith2XNic's or an off-shelf Router?

I would use a router to router vpn solution, I am a cisco guy so I prefer either cisco or linksys. You need to find out what is on the other side of the rj11 port I would do an ipconfig from the server and see if it is a publicly routable ip address or a NAT address. Something like the befsx41 http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=433 should do the trick. Post the results of the ipconfig and we can see where to go from there.

Problem there is that I would need to go to both premises to install the befsx41 and break the existing VPN tunnell to setup the befsx41 one! I am by no means a VPN guru and would likely do more harm than good. What I would realy like is the:

(Idont know whats here - black box tactic)<----->(Nothing gets past me that is not VPN or requested WEB - firewall)<----->(internal network with VPN server - SBS) solution.

I guess the befsx41 would be a good start if it will allow a VPN server on the LAN to be reached from the WAN port without having to use the befsx41 VPN server.

Yes but you could use one of the cheaper vpn passthrough models. The current vpn in place is server to server?

I believe "The current vpn in place is server to server?" to be correct! The only experience I have had with VPN passthrough off-the-shelf router/firewalls is that the passthrough only works from a LAN based client computer OUT through the WAN port to a server on the WEB , not IN through the WAN across the router/firewall and to a LAN-based VPN server. I have to admit though that this was with an ActionTech router/firewall (I did say I hadn't played with the big toys did't I :) )
Please advise!

Then you could use the befsx41 and just do ipsec passthrough. If the tunnel is up and running currently, then it should pose no problem.

If the befsx41 will allow VPN IN through the WAN across the befsx41 and to a LAN-based VPN server then you have solved my problem without the need for me to build a pc housing moving parts (HD, Fan) that could breakdown. Have you ever done that with a befsx41?
I will test your idea ASAP on a test setup If it works I will post you the points.
Thanks, Ralph

P.S. ("""Have you ever done that with a befsx41?""")

I have connected to a vpn server from behind the linksys, and I have hosted from behind a linksys. I have never done both at the same time, everytime I have a linksys at both ends I setup the hardware router to router vpn.

RE "I have hosted from behind a linksys". FANTASTIC! What linksys model did you host a VPN behind?
I will buy the befsx41 and if I have any problems hosting from behind it I will buy the one you used to host a VPN behind yourself, assuming they are different.
I worried about this problem all day, I am hovering above the "Give this person the points now button", because you obviously have the solution.

Thanks, a VERY happy Ralph.

P.S. Sorry for dragging this out.

Well let's wait until the vpn is up and going. I have used the BEFSR41 As long as you will be connecting a single tunnel to a single tunnel it should go ok. I will be here with you until the tunnel is up and running. Did you do an ipconfig on the server yet?

I have to wait till 14:30 to get the command run for me and results returned as the member of staff (the most IT familiar one) I am dealing with is unavailable till then.
The second I get the results I will post them up.
Thanks for all your help ewtaylor, Ralph.

03:58AM PST (The displayed time of my post) = 12:58 on my clock. So just to clarify I mean 14:30 my time : )

No problem I am in EST

Following as an "IPCONFIG -ALL":

---------------------------------------------------------------------------------------

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

F:\Documents and Settings\Administrator>ipconfig -all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : tc-sbs
        Primary DNS Suffix  . . . . . . . : taddcom.org
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : taddcom.org

Ethernet adapter WAN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : 3Com Fast EtherLink 10/100Mb Bus-Mas
ter PCI Adapter
        Physical Address. . . . . . . . . : 00-A0-24-01-E4-58
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 213.166.80.186
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 213.166.80.185
        DNS Servers . . . . . . . . . . . : 213.166.79.3
                                            213.166.79.210
                                            213.166.79.211

Ethernet adapter LAN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100+ Server Adapter (PI
LA8470B)
        Physical Address. . . . . . . . . : 00-02-B3-3B-3D-CA
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.16.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.16.2
        Primary WINS Server . . . . . . . : 192.168.16.2

PPP adapter RAS Server (Dial In) Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.16.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 127.0.0.1

F:\Documents and Settings\Administrator>

---------------------------------------------------------------------------------------

Is this good news? Am I right in saying that because the WAN IP ADDRESS of the PPP RAS is 192.168.16.100 then there is something port-forwarding to this computer from the internet already?
I hope I can still use by black-box tactic!

How I overlooked the "Ethernet adapter WAN" I have no idea!

It looks like the server is multi homed (has 2 nic cards). Can you look at the back of this and confirm?

If so everything just got a lot easier. We can just plug in the router assign it a non routable ip address in the 10.x.x.x range and go with it.

According to the staff yes there are two nics.

Should be a piece of cake then.

Would you be kind enough to explain what you mean by this "assign it a non routable ip address in the 10.x.x.x range".

My understanding is the following:

# The BEFSR41 router will be setup as:

Ethernet adapter WAN:
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 213.166.80.186
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 213.166.80.185
        DNS Servers . . . . . . . . . . . : 213.166.79.3
                                            213.166.79.210
                                            213.166.79.211

Ethernet adapter LAN:
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.16.0
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : - (I don't think this will be an option to set)
        DNS Servers . . . . . . . . . . . : (I don't think this will be an option to set)
        Primary WINS Server . . . . . . . : (I don't think this will be an option to set)

        FORWARD ANYTHING VPN TO 192.168.16.1
        OPEN REMOTE ADMINISTRATION TO MY STATIC IP ONLY

# The actual SBS Computer will be setup as:

Ethernet adapter WAN:
        Connection-specific DNS Suffix  . :
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.16.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 192.168.16.0
        DNS Servers . . . . . . . . . . . : 192.168.16.0

Ethernet adapter LAN:
        Connection-specific DNS Suffix  . :
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.16.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.16.2
        Primary WINS Server . . . . . . . : 192.168.16.2

So I guess by "assign it a non routable ip address in the 10.x.x.x range"  there is a better way than mine.
Gulp! Would my setup details above even work?

Actually I just reread the whole thread and looked over all the settings. It would appear they have a firewall in place, or at least the potential to. SBS 2000 is bundled with ISA server http://www.microsoft.com/sbserver/techinfo/planning/2000/internetsecurity.asp Check and see if it is running if so then they are already using a firewall.

The staff are in a pickle about not having an external (to the SBS computer) firewall (management has decided it wants one).

I did some research on the "non routable ip address in the 10.x.x.x range" and presume you mean non-routable from outside the WAN. Because I am not a networker and more a programmer I am not familiar with the proper naming convention of things I have learnt on the way. I, for example, always use 192.*.*.* as internal IPs because I thought they were non-routable and reserved from the outside world but did not know 10.*.*.* was also in this set and therefore presumed you meant 10.*.*.* was non-routable from within the LAN giving the router some form of cleverly masked invisibility hence transparency from the SBS computer and hence solving the:
(I don’t know what’s here - black box tactic)<----->(Nothing gets past me that is not VPN or requested WEB - firewall)<----->(internal network with VPN server - SBS)
problem.

I now see that because the SBS computer has two nics in it, one for the WAN interface and one for the LAN interface I should be able to put the befsx41 between the SBS computer's WAN interface and the Wall socket that provides broadband to the office. I will need to alter the SBS computer's WAN interface to look for the befsx41's LAN interface and the befsx41's WAN interface to look for the connection provided by the wall socket.

As you can see, following on the convention apparently already used in the office of 192.168.16.* for internal IPs I have proposed 213.166.80.186 for the befsx41's WAN with 192.168.16.0 for its' LAN with and 192.168.16.1 for the SBS's WAN and 192.168.16.2 for its' LAN. The full details of my proposal are in the "04/02/2004 04:05PM PST" post. For the benefit of both myself and others that read this post for help in the future would you be kind enough to comment on the settings correctness and likely success?

Ralph.

The problem is you do not want your lan to have the same ip addressing scheme as the remote lan. This plays hell with subnet masking and routing. There are certain reserved ip blocks. 192.168.xxx.xxx, 172.16.xxx.xxx - 172.31.xxx.xxx 10.xxx.xxx.xxx subnet is another. Anything addressed using these ip addresses is only for local routing and will not pass out the gateway/router. The probelm you will run into is that in some cases more is not better, in other words 2 firewalls not necessarily better than 1 and will actually cause more problems than it is worth. You have 2 options

1. Convince management that the Microsoft  ISA server provides all the firewall protection that you need. The benefits of this are that since it is a Microsoft product you get better interoperability. It also speeds up web browsing by cacheing websites. It will cost you nothing since it is bundled with SBS. The reviews rated it as a good firewall http://www.serverwatch.com/stypes/servers/article.php/16337_1299821 is one such.

2. Turn off the ISA server portion of SBS plug in the external firewall. With this all the machines would point to the linksys router as the gateway. You would need to resetup vpn access to the firewall (since it is currently routing through 2 nics you would have to totally rip it out and start from scratch). You would need to configure the router for vpn pass through (not as hard as it sounds usually only just a few clicks of  the mouse). You would also need to readdress the network so that the 2 networks do not conflict.

Either way I will help you with the decision they make. From an administration and support standpoint it would be better for them if they left it as it is and just verified that ISA server is indeed running on the SBS. Let me know

As for the above setup you cannot assign an ip address of 192.168.16.0 to the router .0 and .255 are special ip addresses and cannot be used you would have to assign it as .1 the server as .2  and point to the linksys as a gateway you would also want to setup dhcp on the linksys and have it assign ip information, however you would need to set a reservation for the server ( pretty much making it a static ip address). Then we would have to configure the router to pass ipsec passthrough on the router and resetup the vpn tunnel from both sides.

Thanks for the very detailed response.
I have been away from the question for some time now as I have been researching what you have mentioned so as not to ask questions that would waste your time.

There is no way of convincing management that the built in SBS firewall is good enough for them as they have been informed by two different trusted sources, not me, that it is an external firewall they need. Oh boy, the comments we could both add just here!

I am therefore forced to take your option number 2 "Turn off the ISA server portion of SBS plug in the external firewall". With this I was very worried about "resetup VPN access", "totally rip it out and start from scratch" and finally "readdress the network so that the 2 networks do not conflict", hence the absence for vast quantities of reading and questions.
I now know that the office with the VPN server is the main office housing 10+ computers and there is not just 1 external VPN required but 2. Each of the two external offices that VPN in are home offices with only 1 computer each.
I will pause just there for your advice as I believe you may advise me to put a befsx41 on every VPN endpoint.

May I just ask though:
If I VPN link two offices together and one office has a computer on its LAN of 192.168.0.5 and the other office has a computer on its LAN with the IP 192.168.0.6 and both subnets were 255.255.255.0 could the two computers ping each other or does the sentence "Anything addressed using these IP addresses is only for local routing and will not pass out the gateway/router" mean they cannot communicate across a VPN?

OKay so at least you know which direction to head.  Actually the resetup the vpn is not that hard if you go hardware to hardware. You can start here http://www.linksys.com/support/top10faqs/BEFSX41/Setting%20up%20a%20VPN%20tunnel%20between%20two%20BEFSX41%20routers.asp You see from this link that the linksys routers support up to 2 vpn tunnels. Yes each endpoint should have it's own BEFSX41 router. The problem with them all being on the 192.168.0.xxx subnet is that it will think it is local lan routing. Easiest way to set it up is to make the home office 192.168.0.xxx and the satelite offices as 192.168.1.xxx and 192.168.2.xxx this is easy to setup with dhcp and the linksys routers. Since each home office has only 1 workstation it should be no problem with addressing. Here is a good workup on the private ip and what they do and what they are http://www.cse.ohio-state.edu/cgi-bin/rfc/rfc1918.html 

First of all, thank you so much for the continued and forthcoming support. Not only do you present the information clearly but your supporting URLs are providing me with the opportunity to attempt to research in depth what you are kind enough to teach.

I have just purchased a befsx41 for the main office but whilst in the store I began wondering how to connect the other two befsx41's to the standard broadband sockets that will be at the home-based, single computer, offices. The box reads, under "minimum requirements": "Cable or DSL Modem with Ethernet Connection and Internet Access". I find myself once again asking if you have 1 used such a device before with the befsx41 (I have only used USB ADSL modems directly onto a computer) and 2 what modem did you use with the befsx41? I am going to presume that the home ADSL connections are not cable.

I just couldn't get my head around using the befsx41 at a home address that is on ADSL.
UK ADSL is PPPOA, hence requiring a password. I have been wondering how it would be possible to get the befsx41 to communicate the username and password data it holds in its router across an Ethernet cable to the ADSL modem so that the modem can establish a broadband connection and parse it back to the befsx41?

This link appears to have my answer:
http://www.expansys.com/product.asp?code=110630
It appears that the modem can be smart enough to store and send its own username and password to establish a PPPOA ADSL connection and parse it out onto an RJ45 port that the befsx41 can connect to. That way the modem is not acting as a router so it shouldn't interfere with the befsx41's router and hence the full VPN capabilities of the befsx41 can be used.

What do you think?

I am setting up a testing platform and will post results ASAP.

Great!

Well this should have worked for him. If not I would be happy to continue troubleshooting it with him...

Through non related problems I have not finished setting up my testbed system with a friend. I would like to finish that and then post a comprehensive wording on how to do it all from scratch so others can benefit from all the help ewtaylor has given me. To allow the question to close I will award the, well deserved, points to ewtaylor (sorry for the delay).

If you are reading this for an answer then I will post the total report of how to do it at: http://81.130.194.47/ee/firewall-vpn-router-report.html
when I have finished it.

Ralph.

Thanks Ralph let me know if I can be of anymore help...