Solved

Ideas for remote access from one PAT address

Posted on 2011-02-18
265 Views
Last Modified: 2012-06-21
I have a setup where we need some remote users throughout the continent to access some customer machines using SQL and ODBC connection methods. Well, our customers have their systems locked down to only allow our PAT address incoming. The remote users I need to access these systems, even when connected to us via client-to-site SSL VPN, are not represented by that PAT address to the customers but by their provider's public IP instead.

We have a simple WatchGuard one-office setup using the X550 Core series. I've tried setting all traffic to go through the VPN, but I'm having issues getting that to work, while I honestly DON'T want all the remote users' traffic to go through our connection.

Anyway, I'm looking for other ideas/implementations, within the scope of the tools I already have, for how to resolve this/get this to work. We're an MS Windows shop with a WG firewall and a couple of T1s.

Look forward to hearing expert ideas/suggestions.  Thx
Question by:dee30
8 Comments
 
LVL 3

Accepted Solution

by:
Rick_at_ptscinti earned 500 total points
ID: 34929885
I have a similar situation and use a terminal server at our office. Field engineers RDP to the terminal server and then connect to the remote client sites from there. I know this doesn't address your wanting the traffic to not go through your local network, but the IP address restriction is the issue.

The idea of specifying a remote IP address in the PAT rules is a security thing and you can't complain too much because it's just doing what it's there to do.
 

Author Comment

by:dee30
ID: 34929948
Rick_at_ptscinti,

Not complaining about the PAT lockdown, since it's me that tells them to lock down as best practice and to make sure we don't add any more vulnerabilities than necessary to their firewall... lol. I too have a desktop set up in-house for the remotes to connect to via VPN to our office, and from there they can use that desktop to access the customer's system. I'm trying to get a better option, especially since we've hired a few new people/remotes who need access to the machine simultaneously.

Thanks
 
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34935257
So if you are running Terminal Services then you should be able to have as many simultaneous users as you have licenses for..... maybe I'm not understanding the question.

 
LVL 29

Expert Comment

by:pwindell
ID: 34946518
There needs to be some clarification of "words" here.

There is no PAT here!

PAT does not even apply to IP#s. PAT applies to Layer 4 addresses (ports),... hence the term PAT [Port Address Translation].

PAT is pretty much helpless by itself and is generally run "over the top" of an already NAT'ed situation. But that is not what any of this is about. What this is about is that they have limited access to the resource to the public IP# of your firewall. NAT is involved, but this is not a "NAT'ed" address either,... the NAT'ed addresses are the LAN behind the firewall,... and so even the term NAT is pretty much not even part of the conversation.

So the bottom line is that you have to access the resource from a machine that originates from inside your LAN and thereby "appears" to be coming from the public IP# of your firewall.

The best solution was Rick's with the Terminal Server suggestion.  It is how we do that here as well in similar situations.

Give the points to Rick,... all I am trying to do is clarify things and fix the terminology.
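As an added illustration of the point made above (not code from the thread or from any participant), here is a small Python model of which source address the customer's allowlist sees for each access path discussed, plus a check over constructed customer-side firewall log lines that flags SQL-port attempts arriving from addresses outside the allowlist. The office address, the remote users' ISP addresses and the log format are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed example values, not taken from the original thread.
OFFICE_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")        # the vendor firewall's outside address
CUSTOMER_ALLOWLIST = [ipaddress.ip_network("203.0.113.10/32")]  # what the customer admits for SQL/ODBC
SQL_PORT = 1433

# Constructed allow/deny lines in the key=value style many firewall appliances log.
SAMPLE_LOG = """\
2011-02-18T09:01:12 action=allow src=203.0.113.10 dst=10.20.0.5 dport=1433
2011-02-18T09:02:30 action=deny src=198.51.100.77 dst=10.20.0.5 dport=1433
2011-02-18T09:03:05 action=deny src=192.0.2.45 dst=10.20.0.5 dport=1433
2011-02-18T09:04:41 action=allow src=203.0.113.10 dst=10.20.0.5 dport=1433
2011-02-18T09:05:09 action=deny src=198.51.100.77 dst=10.20.0.5 dport=1433
2011-02-18T09:06:00 action=deny src=198.51.100.77 dst=10.20.0.5 dport=22
"""
LINE_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=\S+ dport=(?P<dport>\d+)")


def is_allowlisted(src):
    """True if the customer's source-address allowlist admits this address."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_ALLOWLIST)


def source_seen_by_customer(path, user_isp_ip):
    """Source address the customer sees for each access path in the discussion.
    A split-tunnel VPN sends customer-bound traffic out the user's own ISP link,
    so the customer sees the ISP address. Anything that originates inside the
    office LAN (a desk PC, a terminal-server session, or a full-tunnel VPN
    client) leaves through the office firewall and shows its outside address."""
    if path == "split-tunnel-vpn":
        return ipaddress.ip_address(user_isp_ip)
    if path in ("office-lan", "terminal-server", "full-tunnel-vpn"):
        return OFFICE_PUBLIC_IP
    raise ValueError(f"unknown access path: {path}")


def rejected_sql_sources(log_text, port=SQL_PORT):
    """Count SQL-port attempts per source address that the allowlist does not admit.
    Each entry is a remote user reaching the customer from an ISP address instead
    of through the office, i.e. someone who needs the terminal-server path."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m["dport"]) == port and not is_allowlisted(m["src"]):
            hits[m["src"]] += 1
    return dict(hits)
```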
 
LVL 29

Expert Comment

by:pwindell
ID: 34946622
"while I honestly DON'T want all the remote users' traffic to go through our connection."

You don't have any choice. That is exactly what you have to do.

The only other option is to get rid of the IP limitation (which is a very poor way to handle this) and change the model so that it is controlled by who the user is (via login credentials) rather than what IP# they are coming from. Restricting this to a particular IP# in a situation like this is completely 1990's,... totally caveman stuff. What is really important is who the user is,... you want the resource restricted to "who",... not a "what" or a "where". The true focus should be the "who's", not the "what's & where's".
 
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34948236
I agree it's old school, but I still see it ALL the time.

The issue for me is that I often don't manage the far end, and this is the only way they will let us in. We use RADIUS for the equipment we manage, but I think that is a different conversation.
 
LVL 29

Expert Comment

by:pwindell
ID: 34952726
True.
Well, I think the TS method you suggested is the only "real" solution here.
 

Author Comment

by:dee30
ID: 34974829
Thank you all. Rick, in step with pretty much all you outlined at each interval you did. Assigning points to you. Thx