Ideas for remote access from one PAT address (Solved)

Posted on 2011-02-18 | Last Modified: 2012-06-21 | 258 Views
I have a setup where we need some remote users throughout the continent to access some customer machines using SQL and ODBC connection methods. Our customers have their systems locked down to only allow our PAT address incoming. The remote users I need to access, even when connected to us via client-to-site SSL VPN, are not represented by that PAT address to the customers, but by their provider's public IP instead.

We have a simple WatchGuard one-office setup using the X550 Core series. I've tried setting all traffic to go through the VPN, but I'm having issues getting that to work, while I honestly DON'T want all the remote users' traffic to go through our connection.

Anyway, I'm looking for other ideas/implementations, within the scope of the tools I already have, for how to resolve this/get this to work. We're an MS Windows shop with a WG firewall and a couple of T1s.

Look forward to hearing expert ideas/suggestions. Thx
Question by: dee30

8 Comments
 
Accepted Solution by: Rick_at_ptscinti (LVL 3), earned 500 total points
I have a similar situation and use a terminal server at our office.  Field engineers RDP to the terminal server and then connect to the remote client sites from there.  I know this doesn't address you wanting the traffic to not go through your local network, but the IP address restriction is the issue.

The idea of specifying a remote IP address in the PAT rules is a security thing and you can't complain too much because it's just doing what it's there to do.
Author Comment by: dee30
Rick_at_ptscinti,

Not complaining about the PAT lockdown, since it's me that tells them to lock down as best practice and to make sure we don't add any more vulnerabilities than necessary to their firewall... lol. I too have a desktop set up in-house for the remotes to connect to via VPN to our office, and from there they can use that desktop to access the customer's system. I'm trying to get a better option, especially since we've hired a few new people/remotes who need access to the machine simultaneously.

Thanks
Expert Comment by: Rick_at_ptscinti (LVL 3)
So if you are running Terminal Services, then you should be able to have as many simultaneous users as you have licenses for... maybe I'm not understanding the question.
Expert Comment by: pwindell (LVL 29)
There needs to be some clarification of "words" here.

There is no PAT here!

PAT does not even apply to IP#s. PAT applies to Layer 4 addresses (ports),...hence the term PAT [Port Address Translation].

PAT is pretty much helpless by itself and is generally run "over-the-top" of an already NAT'ed situation. But that is not what any of this is about. What this is about is that they have limited access to the resource to the public IP# of your firewall. NAT is involved, but this is not a "NAT'ed" address either,...the NAT'ed addresses are the LAN behind the firewall,...and so even the term NAT is pretty much not even part of the conversation.

So the bottom line is that you have to access the resource from a machine that originates from inside your LAN and thereby "appears" to be coming from the public IP# of your firewall.

The best solution was Rick's with the Terminal Server suggestion.  It is how we do that here as well in similar situations.

Give the points to Rick,...all I am trying to do is clarify things and fix the Terminology.
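Added example (not part of the thread, and not WatchGuard's or any poster's code) that turns the point above into a preflight check a remote user can run before opening the ODBC/SQL connection: it asks the OS routing table which local address it would use to reach the customer host, decides whether that address belongs to the VPN client pool (so the packet enters the tunnel and is NATed to the office public address at the firewall) or leaves over the user's own ISP link, and then applies the customer's allow-list rule to the address the customer would actually see. Every address below is a constructed RFC 5737 documentation address, and the VPN client pool, office public IP, ISP public IP and customer allow-list are assumptions for the example, not values from the thread.

```python
"""Preflight check for a remote user: will my connection to the customer's
host leave through the office VPN tunnel (appearing as the office public IP),
or straight out my ISP link (and so be dropped by the customer's allow-list)?

Added example, not from the thread. All addresses are constructed (RFC 5737).
"""
import ipaddress
import socket
from typing import Iterable, Optional, Tuple


def local_source_for(dest_ip: str, port: int = 1433) -> Optional[str]:
    """Ask the OS routing table which local address it would use for dest_ip.

    connect() on a UDP socket sends no packets; it only performs route
    selection, so this is safe to run against a host you cannot reach yet.
    Returns None instead of raising when there is no route (e.g. offline).
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.connect((dest_ip, port))
            return s.getsockname()[0]
    except OSError:
        return None


def goes_via_tunnel(src_ip: Optional[str], tunnel_pools: Iterable[str]) -> bool:
    """True if the chosen source address belongs to a VPN client pool, i.e. the
    packet enters the tunnel and will be NATed to the office public address.
    A split-tunnel client that routes the customer host directly picks its
    LAN/ISP-side address instead and this returns False."""
    if src_ip is None:
        return False
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(pool) for pool in tunnel_pools)


def customer_will_accept(egress_public_ip: str, allowed: Iterable[str]) -> bool:
    """The customer-side rule: accept only if the public source address they
    see is on their allow-list (single hosts or CIDR ranges)."""
    addr = ipaddress.ip_address(egress_public_ip)
    return any(addr in ipaddress.ip_network(a, strict=False) for a in allowed)


def predict(src_ip: Optional[str], tunnel_pools: Iterable[str],
            office_public_ip: str, isp_public_ip: str,
            allowed: Iterable[str]) -> Tuple[str, bool]:
    """Return (public address the customer will see, whether it passes).
    isp_public_ip is what the user's own provider NATs them to; it has to be
    supplied, since it cannot be learned offline."""
    if goes_via_tunnel(src_ip, tunnel_pools):
        seen_by_customer = office_public_ip
    else:
        seen_by_customer = isp_public_ip
    return seen_by_customer, customer_will_accept(seen_by_customer, allowed)


if __name__ == "__main__":
    CUSTOMER_HOST = "203.0.113.10"     # customer's SQL/ODBC endpoint (constructed)
    OFFICE_PUBLIC = "198.51.100.1"     # office firewall's public address (constructed)
    ISP_PUBLIC = "203.0.113.200"       # remote user's own provider address (constructed)
    TUNNEL_POOLS = ["192.0.2.0/24"]    # pool the SSL VPN hands to clients (assumed)
    ALLOWED = [OFFICE_PUBLIC]          # what the customer allow-lists (assumed)

    src = local_source_for(CUSTOMER_HOST)
    seen, ok = predict(src, TUNNEL_POOLS, OFFICE_PUBLIC, ISP_PUBLIC, ALLOWED)
    print(f"local source for {CUSTOMER_HOST}: {src}")
    print(f"customer will see {seen}: {'ALLOWED' if ok else 'BLOCKED'}")
```

Usage note: run it on the remote PC with the SSL VPN up. If the reported local source is not a tunnel-pool address, the customer host is not being routed into the tunnel, which is exactly the split-tunnel situation described in the question; the terminal-server approach sidesteps the whole check because the connection then originates inside the office LAN.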
Expert Comment by: pwindell (LVL 29)
"while I honestly DON'T want all the remote users' traffic to go through our connection."

You don't have any choice. That is exactly what you have to do.

The only other option is to get rid of the IP limitation (which is a very poor way to handle this) and change the model so that it is controlled by who the user is (via login credentials) rather than what IP# they are coming from. Restricting this to a particular IP# in a situation like this is completely 1990s,...totally caveman stuff. What is really important is who the user is,...you want the resource restricted to "who",...not a "what" or a "where". The true focus should be the "who's", not the "what's & where's".
Expert Comment by: Rick_at_ptscinti (LVL 3)
I agree it's old school, but I still see it ALL the time.  

The issue for me is that I often don't manage the far end and this is the only way they will let us in.  We use radius for the equipment we manage, but I think that is a different conversation.
Expert Comment by: pwindell (LVL 29)
True.  
Well I think the TS method you suggested is the only "real" solution here.
Author Comment by: dee30
Thank you all. Rick, I'm in step with pretty much all you outlined at each interval. Assigning points to you. Thx