BAFP

asked on

Configure Software and Hardware Firewall - HELP PLEASE!

Hello Experts!

I have a software firewall which is a Kerio Winroute Firewall. It runs all my traffic rules for protection to the LAN (the LAN IP is 192.168.0.xxx) - It also runs content filtering. The firewall runs on Windows Server 2003 SP2 and has 2 NICs.

I now need to host IPSec VPN Tunnels to branch offices and also need to beef up my security at the HQ end.

I have a Netgear firewall - its a FVS338 Prosafe firewall.

I want to configure the Netgear firewall to terminate the VPN Tunnels (as the Kerio Firewall can't do this) which will be initiated from remote offices (single users) using Draytek routers. BUT I want to keep my rules on the software firewall.

If I connect it all up, I guess this is how it would be:

Netgear firewall connects to Broadband modem - ip address is = xxx.xxx.xxx.xxx (The netgear firewall runs DHCP and is then the gateway for the interface connecting to it - i.e. the NIC from the software firewall)

My software firewall then connects to the netgear firewall - IP address is 192.168.1.2, subnet is 255.255.255.0 (provided by DHCP).

As the server running the software firewall has 2 Network cards, the second network card connects to the LAN - ip address 192.168.0.1 - subnet 255.255.255.0 (gateway IP is blank).

The questions I now have are:

1. Will this setup work?
2. Will the VPN clients be able to access my LAN? (this is v. important)
3. I am basically using the hardware firewall to beef up security and forward all traffic to ip address 192.168.1.2 (which is the internet NIC for the software firewall).

Please help as I'm stuck and confused.

If you need any more info please do not hesitate to ask.

Many thanks for your help in advance.
Neadom Tucker

If you're going to use 2 Firewalls then you should use a 2nd IP from your ISP to it. Block ALL Traffic but VPN. Point your VPN Clients to the 2nd IP and you should be fine.

Make sure that your outside VPN Clients are on a different subnet (192.168.10.XXX). The conflict will hose your network.
BAFP

ASKER

Does the IP Address for the VPN Client's NIC need to be on a different subnet or does the VPN IP Address need to be on a different subnet?

If I use a second IP for VPN Only traffic - and if I block all the other traffic on the hardware firewall then it will block all traffic to the Software firewall - won't it? So all I will then have is VPNs but nothing else, i.e. no Incoming HTTP or Terminal Services connections?

Ok, let's say your ISP gave you 5 IPs 64.85.2.1 - 64.85.2.6.

You would assign your Software Firewall 64.85.2.2
You would assign your Hardware Firewall 64.85.2.3
Your Internal IP Address would be 192.168.0.XXX

Remote Office 1 would have an External IP Address of 24.96.171.35 (Different Location so Different IPs)
Remote Office 1 would have an Internal IP Address of 192.168.11.XXX

Remote Office 2 would have an External IP Address of 24.96.195.26
Remote Office 2 would have an Internal IP Address of 192.168.12.XXX

And so on.  Your External IPs will all be different.

You will setup your VPN from your remote offices to connect to 64.85.3.3 (Your Hardware Firewall)

You would then route all other traffic to your software firewall.
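The addressing plan above (HQ LAN behind the software firewall, a transit subnet between the two firewalls, one distinct private range per remote office) is easy to get subtly wrong, and the earlier warning that an overlapping remote subnet "will hose your network" is the usual failure. The script below is an added example written for this page; it is not the thread's accepted solution and not Kerio or Netgear configuration. It takes a constructed plan using the ranges named in the thread, flags any overlapping prefixes, and lists the static route the Netgear needs and the allow rules the Kerio box needs so that VPN traffic arriving on the Netgear can reach the HQ LAN while the filtering rules stay on the software firewall. The Netgear's transit-side address 192.168.1.1 and the assumption that the Kerio outside NIC's default gateway is the Netgear are illustrative assumptions, not facts from the thread.

```python
"""Added example (not from the thread): sanity-check a two-firewall VPN plan.

Checks performed on a constructed addressing plan:
  1. no two subnets overlap (a remote office reusing the HQ range is the
     classic "conflict" case);
  2. both firewalls' transit-side addresses really sit in the transit subnet;
  3. derive the static route the Netgear needs for the HQ LAN and the allow
     rules the Kerio box needs for each remote subnet.

Assumptions (not stated in the thread): the Netgear's LAN-side address is
192.168.1.1, and the Kerio outside NIC already uses the Netgear as its
default gateway, so the Kerio box needs firewall rules, not extra routes.
"""
import ipaddress
from itertools import combinations

# Constructed plan built from the ranges mentioned in the thread.
PLAN = {
    "hq_lan": "192.168.0.0/24",      # HQ LAN, behind the Kerio (software) firewall
    "transit": "192.168.1.0/24",     # Netgear LAN side <-> Kerio outside NIC
    "remote_1": "192.168.11.0/24",   # remote office 1 LAN (behind its Draytek)
    "remote_2": "192.168.12.0/24",   # remote office 2 LAN
}
NETGEAR_TRANSIT_IP = "192.168.1.1"  # assumed Netgear LAN interface / DHCP gateway
KERIO_OUTSIDE_IP = "192.168.1.2"    # Kerio "internet" NIC, as in the question


def find_overlaps(plan):
    """Return sorted (name_a, name_b) pairs whose prefixes overlap; [] means clean."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in plan.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def transit_addresses_ok(plan, *hosts):
    """True if every given host address falls inside the plan's transit subnet."""
    transit = ipaddress.ip_network(plan["transit"], strict=True)
    return all(ipaddress.ip_address(h) in transit for h in hosts)


def netgear_static_routes(plan, kerio_ip):
    """Routes the Netgear needs beyond its connected subnets, as (dest, next_hop).

    The Netgear terminates the tunnels but is not on the HQ LAN, so packets
    from a remote office bound for 192.168.0.x must be handed to the Kerio
    outside NIC; without this route they go to the Netgear's default (the
    internet) and the VPN "works" but nothing behind the Kerio answers.
    """
    return [(plan["hq_lan"], kerio_ip)]


def kerio_allow_rules(plan):
    """(source, destination) pairs the Kerio rule set must permit on its outside NIC.

    Keeping these on the software firewall is what lets the existing rule
    base and content filtering still apply to VPN traffic.
    """
    remotes = sorted(cidr for name, cidr in plan.items() if name.startswith("remote_"))
    return [(src, plan["hq_lan"]) for src in remotes]


if __name__ == "__main__":
    print("overlaps:", find_overlaps(PLAN) or "none")
    # Constructed failure case: a third office reusing the HQ range.
    bad_plan = dict(PLAN, remote_3="192.168.0.0/24")
    print("overlaps with a reused range:", find_overlaps(bad_plan))
    print("transit addresses valid:",
          transit_addresses_ok(PLAN, NETGEAR_TRANSIT_IP, KERIO_OUTSIDE_IP))
    for dst, nh in netgear_static_routes(PLAN, KERIO_OUTSIDE_IP):
        print(f"netgear: static route {dst} via {nh}")
    for src, dst in kerio_allow_rules(PLAN):
        print(f"kerio: allow {src} -> {dst} (inbound on outside NIC)")
```

Run it as-is to see the clean plan pass and the reused-range variant fail; swap in your own prefixes to check a real plan. The remote offices' public addresses play no part here because the tunnel endpoints are whatever the ISP assigned, and the private ranges are the only thing that can collide.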
BAFP

ASKER

Oh, I see what you are saying - but is there a way to have it all set up under one IP Address at all?
ASKER CERTIFIED SOLUTION
richy92

This solution is only available to members.
BAFP

ASKER

Hi All

Thanks for your input - in the end I didn't get this working. But your help was much appreciated.

Thanks again