dee30

Ideas for remote access from one PAT address

I have a setup where we need some remote users throughout the continent to access some customer machines using SQL and ODBC connection methods.  Well, our customers have their systems locked down to only allow our PAT address incoming.  The remote users I need to access, even when connected to us via client-to-site SSL VPN, are not represented by that PAT address to the customers but by their provider's public IP instead.

We have a simple WatchGuard one-office setup using the X550 Core series.  I've tried setting all traffic to go through the VPN, but I'm having issues getting that to work, while I honestly DON'T want all the remote users' traffic to go through our connection.

Anyway, I'm looking for other ideas/implementations within the scope of the tools I already have for how to resolve this/get this to work.  We're an MS Windows shop with a WG firewall and a couple of T1s.

Looking forward to hearing expert ideas/suggestions.  Thx
ASKER CERTIFIED SOLUTION
Rick_at_ptscinti
dee30 (ASKER)
Rick_at_ptscinti,

Not complaining about the PAT lockdown, while it's me that tells them to lock down as best practice and to make sure we don't add any more vulnerabilities than necessary to their firewall... lol  I too have a desktop set up in-house for the remotes to connect to via VPN to our office, and then from there they can use that desktop to access the customer's system.  I'm trying to get a better option, especially since we've hired a few new people/remotes who need access to the machine simultaneously.

Thanks
Rick_at_ptscinti

So if you are running Terminal Services then you should be able to have as many simultaneous users as you have licenses for... maybe I'm not understanding the question.
There needs to be some clarification of "words" here.

There is no PAT here!

PAT does not even apply to IP#s.  PAT applies to Layer 4 addresses (ports), hence the term PAT [Port Address Translation].

PAT is pretty much helpless by itself and is generally run "over the top" of an already NAT'ed situation.  But that is not what any of this is about.  What this is about is that they have limited access to the resource to the public IP# of your firewall.  NAT is involved, but this is not a "NAT'ed" address either; the NAT'ed addresses are the LAN behind the firewall, and so even the term NAT is pretty much not part of the conversation.

So the bottom line is that you have to access the resource from a machine that originates from inside your LAN and thereby "appears" to be coming from the public IP# of your firewall.

The best solution was Rick's, with the Terminal Server suggestion.  It is how we do that here as well in similar situations.

Give the points to Rick; all I am trying to do is clarify things and fix the terminology.

"while I honestly DON'T want all the remote users' traffic to go through our connection."

You don't have any choice. That is exactly what you have to do.

The only other option is to get rid of the IP limitation (which is a very poor way to handle this) and change the model so that it is controlled by who the user is (via login credentials) rather than what IP# they are coming from.  Restricting this to a particular IP# in a situation like this is completely 1990s, totally caveman stuff.  What is really important is who the user is; you want the resource restricted to "who", not a "what" or a "where".  The true focus should be the "who's", not the "what's & where's".
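As an added illustration that is not code from this thread, the following Python model shows why the customer's source-IP allowlist behaves as described above: a default split-tunnel VPN client reaches the customer with its home ISP address, while traffic that crosses the tunnel leaves from the office firewall's public address. All addresses and the office LAN prefix are constructed samples, and the third route table, which sends only the customer's host through the tunnel, goes beyond what the thread discusses.

```python
import ipaddress

# Constructed sample addresses from the RFC 5737 documentation ranges.
OFFICE_PUBLIC_IP = "203.0.113.10"    # office firewall's public address (what the customer allows)
REMOTE_ISP_IP = "198.51.100.77"      # remote worker's home ISP public address
CUSTOMER_SQL_SERVER = "192.0.2.50"   # customer-hosted SQL/ODBC server
OFFICE_LAN = "10.0.0.0/8"            # assumed office LAN prefix reachable over the VPN


def pick_route(routes, dst):
    """Longest-prefix match over (prefix, egress) pairs, as a host routing table does.
    Egress 'tunnel' means the packet crosses the VPN and is NATed out of the office
    firewall; 'isp' means it leaves directly via the home connection."""
    dst = ipaddress.ip_address(dst)
    best_net, best_egress = None, "isp"
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_egress = net, egress
    return best_egress


def source_ip_seen_by_customer(routes, dst=CUSTOMER_SQL_SERVER):
    """Public source address the customer's firewall sees for a packet to dst."""
    return OFFICE_PUBLIC_IP if pick_route(routes, dst) == "tunnel" else REMOTE_ISP_IP


def customer_allows(src_ip, allowlist=(OFFICE_PUBLIC_IP,)):
    """Customer-side policy from the thread: only the office's public IP may connect."""
    return src_ip in allowlist


def evaluate(routes):
    """Return (source IP seen by the customer, whether the connection is permitted)."""
    src = source_ip_seen_by_customer(routes)
    return src, customer_allows(src)


# Client route tables for the three cases.
SPLIT_TUNNEL = [(OFFICE_LAN, "tunnel"), ("0.0.0.0/0", "isp")]     # default client-to-site VPN
FULL_TUNNEL = [("0.0.0.0/0", "tunnel")]                           # "all traffic through the VPN"
SELECTIVE_TUNNEL = [(OFFICE_LAN, "tunnel"),                       # beyond the thread: only the
                    (CUSTOMER_SQL_SERVER + "/32", "tunnel"),      # customer host rides the tunnel
                    ("0.0.0.0/0", "isp")]

if __name__ == "__main__":
    for name, routes in [("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL), ("selective", SELECTIVE_TUNNEL)]:
        src, ok = evaluate(routes)
        print(f"{name:9s} tunnel: customer sees {src:15s} -> {'allowed' if ok else 'REJECTED'}")
```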
I agree it's old school, but I still see it ALL the time.

The issue for me is that I often don't manage the far end, and this is the only way they will let us in.  We use RADIUS for the equipment we manage, but I think that is a different conversation.
True.
Well I think the TS method you suggested is the only "real" solution here.
dee30 (ASKER)
Thank you all.  Rick, in step with pretty much all you outlined at each interval.  Assigning points to you.  Thx