  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 281

Ideas for remote access from one PAT address

I have a setup where we need some remote users throughout the continent to access some customer machines using SQL and ODBC connection methods.  Well, our customers have their systems locked down to only allow our PAT address incoming.   The remote users I need to access them, even when connected to us via client-to-site SSL VPN, are not represented by that PAT address to the customers but by their provider's public IP instead.

We have a simple WatchGuard one-office setup using the X550 Core series.   I've tried setting all traffic to go through the VPN, but I'm having issues getting that to work, while I honestly DON'T want all the remote users' traffic to go through our connection.

Anyway, I'm looking for other ideas/implementations, within the scope of the tools I already have, for how to resolve this/get this to work.  We're an MS Windows shop with a WG firewall and a couple of T1s.

Look forward to hearing expert ideas/suggestions.  Thx
0
Asked: dee30
1 Solution
 
Rick_at_ptscintiCommented:
I have a similar situation and use a terminal server at our office.  Field engineers RDP to the terminal server and then connect to the remote client sites from there.  I know this doesn't address your wanting the traffic to not go through your local network, but the IP address restriction is the issue.

The idea of specifying a remote IP address in the PAT rules is a security thing and you can't complain too much because it's just doing what it's there to do.
0
 
dee30Author Commented:
Rick_at_ptscinti,

Not complaining about the PAT lockdown, since it's me that tells them to lock down as best practice and to make sure we don't add any more vulnerabilities than necessary to their firewall... lol  I too have a desktop set up in-house for the remotes to connect to via VPN to our office, and from there they can use that desktop to access the customer's system.  I'm trying to get a better option, especially since we've hired a few new people/remotes who need access to the machine simultaneously.

Thanks
0
 
Rick_at_ptscintiCommented:
So if you are running terminal services then you should be able to have as many simultaneous users as you have licenses for... maybe I'm not understanding the question.
0
 
pwindellCommented:
There needs to be some clarification of "words" here.

There is no PAT here!

PAT does not even apply to IP#s.  PAT applies to Layer 4 addresses (ports),...hence the term PAT [Port Address Translation].

PAT is pretty much helpless by itself and is generally run "over-the-top" of an already NAT'ed situation.  But that is not what any of this is about.  What this is about is that they have limited access to the Resource to the Public IP# of your Firewall.  NAT is involved but this is not a "NAT'ed" Address either,...the NAT'ed addresses are the LAN behind the Firewall,...and so even the term NAT is pretty much not even part of the conversation.

So the bottom line is that you have to access the Resource from a machine that originates from inside your LAN and thereby "appears" to be coming from the Public IP# of your Firewall.

The best solution was Rick's with the Terminal Server suggestion.  It is how we do that here as well in similar situations.

Give the points to Rick,...all I am trying to do is clarify things and fix the Terminology.
0
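The following is an added illustration, not code from the thread or from any of its participants, of the point pwindell and Rick are making: the customer's allow-list matches the address a connection is translated to on its way out, so a LAN host (or a terminal-server session on the LAN) is seen as the office firewall's public IP, while a split-tunnel VPN client sending customer traffic out its own provider is seen as that provider's address. The topology, the addresses (RFC 5737 documentation ranges), the VPN pool, and the assumption that the office firewall source-NATs the VPN pool the same way it does the LAN are all constructed for the example.

```python
"""Why the customer firewall sees one address for the office and another for a
split-tunnel VPN user.  Added example; every address and prefix below is made up."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# --- constructed topology (assumptions, not from the thread) ---
OFFICE_LAN    = ipaddress.ip_network("10.1.0.0/16")    # office LAN behind the firewall
VPN_POOL      = ipaddress.ip_network("10.99.0.0/24")   # addresses handed to SSL-VPN clients
OFFICE_PUBLIC = ipaddress.ip_address("203.0.113.10")   # the firewall's single public IP
ISP_PUBLIC    = ipaddress.ip_address("198.51.100.77")  # a remote user's provider-assigned IP
CUSTOMER_SQL  = ipaddress.ip_address("192.0.2.25")     # customer SQL host
CUSTOMER_ALLOWLIST = {OFFICE_PUBLIC}                   # customer firewall: office IP only


@dataclass
class SourceNat:
    """Many inside (ip, port) pairs share one outside IP and are told apart by
    outside port: the port-level translation the thread argues about calling
    'PAT' versus 'NAT'."""
    outside_ip: ipaddress.IPv4Address
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # (inside_ip, inside_port) -> outside_port

    def translate(self, inside_ip, inside_port):
        key = (ipaddress.ip_address(inside_ip), inside_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.outside_ip, self.table[key]

    def untranslate(self, outside_port):
        """Return traffic: map an outside port back to the inside (ip, port)."""
        for (ip, port), oport in self.table.items():
            if oport == outside_port:
                return str(ip), port
        raise KeyError(f"no session on outside port {outside_port}")


OFFICE_NAT = SourceNat(OFFICE_PUBLIC)   # office firewall's dynamic NAT
ISP_NAT    = SourceNat(ISP_PUBLIC)      # remote user's home router / provider NAT


@dataclass
class Host:
    lan_ip: str                     # address on the network the host physically sits on
    vpn_ip: Optional[str] = None    # tunnel address, if the host is a connected VPN client


def egress(host, dst, split_tunnel):
    """Pick the source address a packet to `dst` leaves with, and the NAT that rewrites it.
    A LAN host always leaves through the office firewall.  A split-tunnel VPN client
    sends only office-LAN destinations down the tunnel; anything else (the customer)
    goes out its own provider with its home address.  With full tunnelling every packet
    enters the office and is NATed there (assumes the firewall's NAT rule covers the pool)."""
    if ipaddress.ip_address(host.lan_ip) in OFFICE_LAN:
        return host.lan_ip, OFFICE_NAT
    if host.vpn_ip is None or (split_tunnel and dst not in OFFICE_LAN):
        return host.lan_ip, ISP_NAT
    return host.vpn_ip, OFFICE_NAT


def customer_sees(host, src_port=51000, split_tunnel=True):
    """Address and port the customer firewall sees for a SQL connection from `host`,
    and whether its allow-list accepts it."""
    src_ip, nat = egress(host, CUSTOMER_SQL, split_tunnel)
    out_ip, out_port = nat.translate(src_ip, src_port)
    return str(out_ip), out_port, out_ip in CUSTOMER_ALLOWLIST


LAN_PC       = Host("10.1.5.20")
TERMINAL_SRV = Host("10.1.0.50")                           # jump host on the office LAN
REMOTE_USER  = Host("192.168.1.10", vpn_ip="10.99.0.7")    # home PC on the SSL VPN


def scenarios():
    """The four cases discussed in the thread."""
    return {
        "lan_pc":                     customer_sees(LAN_PC),
        "remote_split_tunnel":        customer_sees(REMOTE_USER, split_tunnel=True),
        "remote_full_tunnel":         customer_sees(REMOTE_USER, split_tunnel=False),
        "remote_via_terminal_server": customer_sees(TERMINAL_SRV),  # user RDPs in, TS connects out
    }


if __name__ == "__main__":
    for name, (ip, port, ok) in scenarios().items():
        print(f"{name:28} seen as {ip}:{port:<5} allowed={ok}")
```

Only the LAN PC, the full-tunnel client and the terminal-server session arrive as 203.0.113.10 and pass the allow-list; the split-tunnel client arrives as 198.51.100.77 and is dropped, which is exactly the symptom the question describes. The `SourceNat` table also shows why a single public address is enough for every office host: two inside hosts using the same source port get distinct outside ports, and return traffic is matched on that port.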
 
pwindellCommented:
"while I honestly DON'T want all the remote users' traffic to go through our connection."

You don't have any choice. That is exactly what you have to do.

The only other option is to get rid of the IP limitation (which is a very poor way to handle this) and change the model so that it is controlled by who the user is (via login credentials) rather than what IP# they are coming from.    Restricting this to a particular IP# in a situation like this is completely 1990s,...totally caveman stuff.    What is really important is who the user is,...you want the resource restricted to "who",...not a "what" or a "where".  The true focus should be the "who's", not the "what's & where's".
0
 
Rick_at_ptscintiCommented:
I agree it's old school, but I still see it ALL the time.

The issue for me is that I often don't manage the far end and this is the only way they will let us in.  We use RADIUS for the equipment we manage, but I think that is a different conversation.
0
 
pwindellCommented:
True.  
Well I think the TS method you suggested is the only "real" solution here.
0
 
dee30Author Commented:
Thank you all.  Rick, you were in step with pretty much all I outlined at each interval.  Assigning points to you.  Thx
0
