?
Solved

Remotes are not behind our PAT and can't get to customers.

Posted on 2010-09-13
5
Medium Priority
?
341 Views
Last Modified: 2013-11-16
We have a need to have a few of our customers allow our PAT fw address in on a specific port to access their env and do some maint to a proprietary product.

Our remote users, aren't represented by that same IP PAT address when they are trying to hit those customers.  We have a WG firebox e550 and using sslvpn with the remotes.  Right now I have them vpn in and rdping to a desktop in-house to then hit the customer's site.

I'm looking for another way to get them gain access to the customers without having to hit/use a mahcine in-house first.  I cannot think of any correct, if there is such a thing, IP spoofing or mimicking way to do this.

Please do not recommend/ask about webex or login type products.  I'm asking about a specific route/approuch and wondering if it's even doable.

Thanks
0
Comment
Question by:dee30
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 3

Assisted Solution

by:gremwell
gremwell earned 600 total points
ID: 33666740
IP spoofing  does not work with connection-oriented protocols such as TCP which used by RDP, so your users have to pass through your PAT firewall one way or another.

You can try to find a way to route traffic from SSL VPN clients to your PAT firewall and apply NAT to it, so it will appear as if it originated from the PAT firewall. There is a way to do if your firewalls runs Cisco IOS, I believe the technique is called "NAT on the stick". Don't know about other types of firewalls.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33668582
Can you please elaborate on the setup with some dummy IPs so we know how the packet should be NAT'ed at FW before it goes out.

You can set virtual IP for SSL clients anything as you wish; but am not sure how you want to PAT them to other customers specific environment so need details.

Thank you.
0
 

Author Comment

by:dee30
ID: 33682580
Gremwell, thanks and i'll research "NAT on a stick" concept and implementation in conjunction with our WG.   Dpk_wal, it's basically what gremwell confirmed, I need to, "... route traffic from SSL VPN clients ...., so it will appear as if it originated from the PAT firewall" .  I will give some dummy IP descriptions in order to hear what else you can offer up on the subject.

1.simple WG e550 setup with our org is repped as a PAT address of 78.90.90.100.
2.cuist has an allowance  for comm from that address for use of say port 6932.
3.all our in-house persons that need it can gain access using that rule from over the net to the customers internal resource.
4.Our remotes connect to use via sslvpn(WG) and ISP addresses are whatever they are as per their local ISP/provider. e.g.
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 900 total points
ID: 33688340
You can create a zero route tunnel for SSL VPN users and give them virtual IP address in the same range as the internal subnet.
Now the users would first come to firebox get out to internet through firebox only [as this is a global change it cannot be done for selctive users when using SSL or PPTP with IPSec selective selection is possible].

As the users would appear to be behind firebox no additional setting would be required.

Thank you.
0
 

Author Closing Comment

by:dee30
ID: 33693899
Thank you both for replying.  Gremwell, NAT on a stick is specific to Cisco as you know, while I was specific to my type of firewall... WG. Dpk_wall, I don't want vpn users to go through the fw to go out to Internet and made that decision during initial setup a year or so ago.  I logged a call on WG site and will be using Dynamic NAT route instead.  Thx  
0

Featured Post

Why Off-Site Backups Are The Only Way To Go

You are probably backing up your data—but how and where? Ransomware is on the rise and there are variants that specifically target backups. Read on to discover why off-site is the way to go.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses
Course of the Month12 days, 23 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question