VPN through VPN

I apologize if this question has been asked before. I have searched and
the results did not lend what I was looking for. I have connected to my
office VPN, and the office is connected to the colo VPN. Is it possible to
connect to our colo VPN from my current connection at home? I would
think it is... perhaps I need some fancy routing/firewall rules? Anyone
willing to field this one?

Background info:
Home to Office is 3des ike preshared key
Office to Colo is aes ike preshared key

Home & Office are different types of hardware
Office & Colo are the same type of hardware

All VPN access is being performed by network devices and not software
on a PC/Server.

Thanks in advance for your assistance,
-james

5/6/2006 3:54:00 PM
comp.security.firewalls

4 Replies
1060 Views

Does this help?

Spoke to Client VPN:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

linickx (1)
5/6/2006 6:54:43 PM
In article <1146930840.782412.189990@v46g2000cwv.googlegroups.com>,
 <james.p.carter@gmail.com> wrote:
>I apologize if this question has been asked before. I have searched and
>the results did not lend what I was looking for, I have connected to my
>office VPN, the office is connected to the colo vpn. Is it possible to
>connect to our colo vpn from my current connection at home? I would
>think it is... perhaps I need some fancy routing/firewall rules? Anyone
>willing to field this one?

It depends on the hardware and on the network topology, and on how
it is all configured.

For example, the Cisco PIX devices running 6.x and before, will
never send a packet out the same [virtual] interface it came in on,
even if it arrived via one VPN and would leave via a different VPN.
Your connection to your office is likely via the Internet, 
and the office to the colo is probably via the Internet, so unless
special care were taken, you trying to go via the office to the colo
would be refused by this PIX security measure.

PIX devices running 7.x [which most people would say is not ready for
production deployment] can be specifically configured to allow
in-and-out privileges when at least one of the endpoints is a VPN.
The Cisco ASA5500 series of security appliances all run the 7.x series
of code, but your office probably isn't running one of those.

Your office might, though, be running a Cisco VPN 3000 or 5000 series
concentrator: if so then the topology configuration details determine 
whether you could do it or not.

With the Cisco PIX series running 5.x or later (most are 6.2 or 6.3 by now,
if they haven't gone on to 7.x), the PIX administrator could specifically
configure to allow your packets towards the colo to not travel via the
connection to the office. You would then need to create a VPN to the
colo directly from your home. The appropriate facility is named
"split tunneling" for some kinds of VPN configuration, but as
you mentioned a hardware VPN rather than a software VPN, the more
likely scenario would be for the VPN administrator to configure
the main tunnel to simply not accept packets for the other destination.


Cisco also handles VPNs in several available IOS releases for its
routers: IOS is more flexible about which packets are allowed to
go where, if it has been so configured.


>Background info:
>Home to Office is 3des ike preshared key
>Office to Colo is aes ike preshared key

*If* the Office and Colo just -happen- to be running Cisco PIX,
then their use of AES would tell me that they are using 6.3 or
later software. PIX can easily be configured to support
different "transforms" -- e.g., the use AES256 if available,
AES128 as second choice, 3DES as third choice. That part of the
configuration is quite simple, and might well already have been done
at the colo.

>Office & Colo are the same type of hardware

Unfortunately you didn't mention any brands or models, so if it
isn't Cisco then you'll have to read the above as a form of
generality about what might happen with the hardware that is there.

>Home & Office are different types of hardware

Again, unfortunate that you did not mention models. The Linksys
BEFSX41 and BEFVP41 are both happy to talk to Cisco PIX, but at
least in the rev I have, neither one supports AES. But as I indicated
above, it'd be near trivial on a PIX or ASA for the colo to add
a 3DES fallback.


I write about the Cisco devices because that's what I know about.
I do not know what can or cannot be done with other brands.
roberson (2980)
5/6/2006 8:08:05 PM
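As an added illustration of the two points made in the reply above (the 7.x "in-and-out" permission for traffic that arrives and leaves on the same interface, and an ordered set of transforms with AES-256, AES-128 and 3DES as successive choices), here is an office-side PIX 7.x / ASA configuration fragment. It is not from this thread or from any participant; it assumes PIX/ASA 7.2-style syntax, and every name, subnet, peer address and key shown is a made-up placeholder.

```cisco
! Added example, not from the original thread. Office-side PIX 7.x / ASA
! fragment: lets a packet that came in from the home tunnel go back out the
! same outside interface into the colo tunnel, and prefers AES-256 over
! AES-128 over 3DES. Subnets (assumed): home 192.168.10.0/24,
! office 10.20.0.0/16, colo 10.30.0.0/16. Peer addresses are TEST-NET values.
!
! 1. Permit hairpinned traffic. 6.x cannot do this at all; 7.x drops it
!    unless told otherwise. This widens what the home tunnel can reach, so the
!    crypto ACLs below are what actually bound the reachable subnets.
same-security-traffic permit intra-interface
!
! 2. Transform sets; the order they are listed on the crypto map is the
!    preference order offered to the peer.
crypto ipsec transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TS-AES128 esp-aes esp-sha-hmac
crypto ipsec transform-set TS-3DES   esp-3des esp-sha-hmac
!
! 3. "Interesting traffic" for each tunnel. The home tunnel must carry
!    home<->colo traffic as well as home<->office, and the colo tunnel must
!    carry home<->colo as well as office<->colo, or the hairpinned packets
!    match no tunnel and are dropped or routed in the clear.
access-list VPN-HOME extended permit ip 10.20.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list VPN-HOME extended permit ip 10.30.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list VPN-COLO extended permit ip 10.20.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list VPN-COLO extended permit ip 192.168.10.0 255.255.255.0 10.30.0.0 255.255.0.0
!
! 4. One crypto map on the outside interface, one entry per peer.
crypto map OUTSIDE-MAP 10 match address VPN-HOME
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set TS-AES256 TS-AES128 TS-3DES
crypto map OUTSIDE-MAP 20 match address VPN-COLO
crypto map OUTSIDE-MAP 20 set peer 198.51.100.20
crypto map OUTSIDE-MAP 20 set transform-set TS-AES256 TS-AES128 TS-3DES
crypto map OUTSIDE-MAP interface outside
!
! 5. IKE phase 1 with pre-shared keys: AES-256 policy first, 3DES fallback
!    for a peer (such as the home device) that cannot do AES.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key HOME-PSK-PLACEHOLDER
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key COLO-PSK-PLACEHOLDER
```

Two things the fragment leaves out on purpose: the home and colo devices need matching crypto ACLs on their own side (the colo must list the home subnet as interesting traffic and vice versa), and if the office NATs outbound traffic, the VPN subnets need a NAT exemption so they enter the tunnels with their real addresses. On the transform side, a 6.3 PIX offers the same ordered fallback with slightly older command syntax; the reply above notes that the colo is likely already doing this.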
Yes, thank you, the link did provide information that helped.

5/6/2006 11:59:21 PM
Thank you, my hardware is different but you have provided me with
enough information. I truly appreciate the response.

5/7/2006 12:00:36 AM