VPN Access to NASDAQ

Posted on 2011-04-18
Last Modified: 2012-08-14
I am working with NASDAQ on establishing a VPN access to their servers.

They’ve sent me IPs for VPN Peer Address, FIX/QIX/CTCI NTF Host, INET NTF, PHLX NTF, NASDAQ Secure FTP.
IPSec Information (Preferred): 3DES/SHA1/Diffie-Hellman Group 2/No PFS

This is what they are asking for:

Customer’s Information
- VPN Peered Address
- Host Address
- Device Used for VPN (please note that the addresses the customer provides MUST be public IP addresses)
- Preferred Encryption:
- Pre-shared key: Verbal

I have 5 Windows 2008 R2 servers and an OpenBSD firewall.

Would it work to just open some ports in the firewall and set up one of the Windows 2008 servers for VPN as described at ?
In order to respond with the VPN Peered Address and Host Address (public IPs), do I just redirect some public IPs from the firewall to the Win 2008 server on which I enable VPN?
Question by:mihaisz

    Accepted Solution

    Are you looking to configure IPSEC from the openBSD box?

    Do you need one computer to have access or your entire LAN?
    HOST IP: is your external IP
    IPSec Information (Preferred): 3DES/SHA1/Diffie-Hellman Group 2/No PFS
    Unless you wish to use an alternate encryption
    VPN peer address might be your LAN IP/segment.

    You could redirect/NAT a public IP to an internal IP; this deals with whether you want multiple computers or just one to have access through the VPN.
    I.e. do you set up a site-to-site VPN (if that is an option, check with them) or a remote client VPN (where your designated system is the client and only it can access data through the VPN)?

    Author Comment

    Thanks arnold.
    NASDAQ wants both the Host and Peer addresses to be Public.
    I have 5 static IPs from My ISP that I use for my servers. Do I need to ask for other 2 in a different subnet?

    Expert Comment

    You do not need to get any additional IPs, you can configure your router/firewall to use one/two of the five you have as a peering IP/host IP.

    You need to double check with them what they mean.
    Are you setting up a site-to-site VPN such that anyone on your LAN will be able to access their resources?
    It might mean that you can set up a site-to-site VPN while they restrict access to the internal host (Host address).

    Depending on how your setup is using the five IPs currently, you might have to make adjustments or get an additional pair.
    Do you NAT any of the public IPs to an internal IP, or are you using port address translation (port forwarding) such that you can have many services using the same public IP, differentiated by the port of the service?

    Author Comment

    Do you know somebody who can do the configuration for me today, or what would be the easiest way to find somebody?
    I'd prefer a local expert (Seattle), but it could work also from a remote location.

    Expert Comment

    There are experts here that might be, but I am unclear on what you are looking to achieve with this setup, or how, which you need to clear up.

    I.e. which system on your side will be the VPN end point?
    Whether your OpenBSD router/firewall is the one that will be establishing the VPN connection.

    You need to get a clear understanding from the other side of the meaning of their information request, and how it is supposed to work. I.e. do they set up two tunnels, one where requests are coming from you and one where their responses are sent (one-way tunnels)?
    Do they use a tunnel within a tunnel, which could explain the VPN peer and host peer? The VPN peer establishes the first tunnel, and the host peer is the computer that will use the VPN to access another secure resource.


    Author Comment

    arnold, thanks for your help!
    This is what we ended up doing:
    - configured IPSec on the OpenBSD box using your link
    - got an additional set of /30 IPs from my ISP and added a public IP to the Windows machine inside the network (as the host address).
    - opened 2 VPN tunnels, one to my office and one to NASDAQ.

    Other options were: installing a Cisco router or placing a dedicated server on a SAVVIS network which has a direct connection with NASDAQ.
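As an added illustration (not from the thread, and not NASDAQ's or the asker's actual configuration), this is what the OpenBSD side of such a tunnel looks like in ipsec.conf(5) syntax, using the parameters quoted in the question: 3DES, SHA1, Diffie-Hellman group 2 (modp1024) for phase 1, the same cipher and hash with no PFS for phase 2, and a pre-shared key exchanged out of band. Every address below is a constructed placeholder, the key is a placeholder, and the keyword syntax should be checked against the ipsec.conf(5) man page of the installed OpenBSD release. Note that 3DES, SHA1 and a 1024-bit DH group without PFS are the counterparty's 2011 requirements, not a choice a practitioner would make for a new tunnel today.

```conf
# /etc/ipsec.conf on the OpenBSD firewall (added example, not from the thread)
# Constructed placeholder addresses:
#   203.0.113.2    public address of the OpenBSD firewall      -> "VPN Peered Address"
#   203.0.113.10   public address routed to the Windows host   -> "Host Address"
#   198.51.100.1   counterparty's VPN peer (they supply the real value)
#   198.51.100.20  counterparty host reached through the tunnel (they supply it)
local_peer  = "203.0.113.2"
local_host  = "203.0.113.10"
remote_peer = "198.51.100.1"
remote_host = "198.51.100.20"

# Phase 1 (main mode): 3DES / SHA1 / DH group 2 = modp1024, as requested.
# Phase 2 (quick mode): same cipher and hash; "group none" means no PFS.
# The pre-shared key is agreed verbally and never sent over the wire.
ike esp from $local_host to $remote_host \
    local $local_peer peer $remote_peer \
    main  auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des group none \
    psk "replace-with-the-verbally-agreed-key"
```

To bring the tunnel up, isakmpd(8) must run with the `-K` flag (so it takes its policy from ipsecctl rather than its own keynote files), e.g. `isakmpd_flags="-K"` and `ipsec=YES` in /etc/rc.conf.local, and the rules are loaded with `ipsecctl -f /etc/ipsec.conf`; `ipsecctl -sa` then lists the negotiated security associations. The packet filter also has to let IKE and ESP through between the two peer addresses: `proto esp` in both directions and `udp port 500` (plus `udp port 4500` if NAT traversal is in play), restricted to the counterparty's peer address rather than opened to everyone. Because the Windows host carries a public address from a separate /30, as the asker ended up doing, the host address in the form is a real routable address and no NAT is needed for the tunnel selector.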

    Author Closing Comment

    'Partially' means more that I did not provide enough info (wasn't sure what/how to ask) and not that the expert's answers were not complete or hard to follow.
