Solved

2 VPNs With Different Hardware (Watchguard & CISCO) on the Same Connection

Posted on 2010-09-13
Last Modified: 2012-05-10
We currently have a VPN to an outside location using a Watchguard Firebox (Edge X15), that gives access to the entire network.


OUTSIDE   >   WATCHGUARD   >   SERVER   >   LAN


We have a requirement to add a second VPN using 2 Cisco RV082 VPN routers. But this VPN will only allow access to an internal subnetwork created with one of the Cisco RV082 routers.


OUTSIDE   >   WATCHGUARD   >   SERVER   >   LAN   >   VPN ROUTER   >   Subnetwork

I'm quite new to VPNs and was wondering how this second VPN can be achieved. Is there a way I can forward all of the Cisco RV082 traffic through the Firebox to the Cisco RV082?

The server is running OpenBSD, so I can use pf.conf to forward the necessary traffic also...

I was just wondering if this can be achieved without conflict of the 2 VPNs...and if so, how.

Thanks
Question by:the_scotsman_
13 Comments
 
LVL 3

Expert Comment

by:kf4zmt
ID: 33668328
How about putting the watchguard and cisco VPN appliances in parallel:

                   WATCHGUARD    >   VLAN 1
OUTSIDE >                                     
                   VPN ROUTER       >  VLAN 2

Of course, this assumes that your ISP is supplying you with more than one IP address.  
0
 
LVL 3

Author Comment

by:the_scotsman_
ID: 33668349
Thanks, but we only have one IP address from our ISP.

And if possible, I'd rather not change the current setup with the Firebox.
0
 
LVL 3

Expert Comment

by:kf4zmt
ID: 33668380
I don't have any experience with Watchguard.  However, most commercial grade firewalls will allow you to create a ruleset to allow the necessary protocols and ports through to the RV082.  
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33668650
The setup is:
>> OUTSIDE   >   WATCHGUARD   >   SERVER   >   LAN   >   VPN ROUTER   >   Subnetwork

Can you clarify whether your server is multihomed; is your setup as below:
OUTSIDE   [public IP]>   WATCHGUARD   [internal subnet 1]>   [internal subnet 1] SERVER [internal subnet 2]>   LAN   >  [internal subnet 2] VPN ROUTER [internal subnet 3]  > [internal subnet 3]  Subnetwork

Further, is the SERVER doing NAT as well? If yes, then there are already two levels of NAT [one done by WATCHGUARD and the other done by SERVER] and now you are adding a third level of NAT by introducing the VPN ROUTER.

Any specific reason why you cannot terminate the VPN tunnel on the WATCHGUARD itself?

Please elaborate.

Thank you.
0
 
LVL 3

Author Comment

by:the_scotsman_
ID: 33668823
This new VPN / subnet HAS to be kept isolated from the first, and from the server if possible, so I don't think there would be a way to terminate it at the firebox and also keep it separate from the current network?

Attached an image to show the current setup (black) and desired additional VPN setup (blue).

Thanks
vpn.png
0
 
LVL 11

Expert Comment

by:DIPRAJ
ID: 33669226
There are two possible solutions.
1. You can add a separate ISP for the VPN router and a separate one for the external site.
2. You can do PPTP VPN (free solution for any of the sites) if you cannot afford two ISPs.

Please revert in case any clarification is needed.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 33669823
IMO it would be much better if you terminate both VPNs on the WatchGuard, but allow for different VLANs. VLANs are separated from each other logically, since you need routing between both. If the WatchGuard is not capable of it, you can insert a small manageable switch which is.

Another way, but never tried that, is to first create a tunnel to the WatchGuard, which allows for using other addresses for the secondary VPN. The following is in regard to the "blue" layout above:

External VPN router > WatchGuard (tunnel 1), publicIP1.
-- That tunnel allows for use of privateIP1 which is the other blue VPN device.
External VPN router > internal VPN router (tunnel2), privateIP1
-- That tunnel allows for use of the blue LAN.
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 2000 total points
ID: 33674170
Well, technically you can create the VPN tunnel and also forward UDP 500 [for IKE], UDP 4500 for NAT-T and protocol 50/51 for ESP/AH from the public IP of the outside VPN router to the inside VPN router.

If the inside VPN router is doing NAT, the machines behind the inside VPN router would still be able to reach the 192.168.111.x subnet; however, the access can be restricted at the SERVER level.

You must have a static IP on the inside VPN router. Please use the pre-defined packet filter policy IPSec.

Please let know if you need more details.

Thank you.
0
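The accepted solution above, expressed as an OpenBSD pf.conf fragment for the server the asker mentioned. This is an added example, not something posted in the thread or shipped by WatchGuard or Cisco. Everything in it beyond the port and protocol numbers from the answer is an assumption: the interface names em0/em1, the remote RV082's fixed public address 203.0.113.10, the inside RV082's LAN-side address 192.168.111.50 and its isolated subnetwork 192.168.200.0/24 are placeholders. It uses the rdr-to syntax introduced in OpenBSD 4.7.

```pf
# Added example (not from the thread). Assumed values, adjust for your site:
#   em0           server interface facing the Firebox
#   em1           server interface facing the LAN
#   203.0.113.10  fixed public IP of the outside RV082 (placeholder)
#   192.168.111.50  LAN-side address of the inside RV082 (placeholder)
#   192.168.200.0/24  isolated subnetwork behind the inside RV082 (placeholder)
ext_if     = "em0"
lan_if     = "em1"
lan_net    = "192.168.111.0/24"
remote_vpn = "203.0.113.10"
inside_vpn = "192.168.111.50"
blue_net   = "192.168.200.0/24"

set skip on lo

# Redirect the second IPsec peer to the inside RV082. Matching on the peer's
# source address is what separates this traffic from the Firebox's own IPsec
# tunnel on the same public IP: only IKE (udp/500), NAT-T (udp/4500), ESP (50)
# and AH (51) from that one peer are sent on to 192.168.111.50.
pass in quick on $ext_if proto udp from $remote_vpn to ($ext_if) \
    port { 500 4500 } rdr-to $inside_vpn
pass in quick on $ext_if proto { esp ah } from $remote_vpn to ($ext_if) \
    rdr-to $inside_vpn

# Restrict access "at the SERVER level": the inside RV082 and anything it
# NATs may not open new connections to the LAN or to the server itself.
# Replies to the redirected flows above are allowed by pf's state table, so
# this block only affects connections the blue side initiates.
block in quick on $lan_if from { $inside_vpn, $blue_net } to $lan_net

# The inside RV082 may still talk to its own remote peer (e.g. to initiate IKE).
pass in quick on $lan_if from $inside_vpn to $remote_vpn

# Existing outbound policy, shown only so the fragment loads on its own.
pass out on $ext_if
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. Two caveats the thread touches on but does not spell out: ESP and AH carry no port numbers, so the remote peer's fixed source address is the only thing that distinguishes the two tunnels, and the scheme fails if that peer's address changes; and if the server itself performs NAT (dpk_wal's question about a second NAT level), the inside RV082's outbound IKE will be rewritten to the server's address and both RV082s must be configured for NAT-T. The WatchGuard policy still has to pass these same ports and protocols to the server first.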
 
LVL 71

Expert Comment

by:Qlemo
ID: 33674660
dpk_wal,
How do you imagine a udp/500 forward would work on the same public IP on which the other VPN (IPSec, too) runs?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 33674732
>> from the public IP of outside VPN router to inside VPN router

We can have multiple ingress policies differentiated on source/destination IP and or source/destination ports! Don't you agree ;)
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 33675023
Yes, of course - if that works for WatchGuard ...
0
 
LVL 3

Author Comment

by:the_scotsman_
ID: 33709566
Hmmm..the forwarding of the ports based on source IP sounds like it may work...I'll look into this and see how that goes.
0
