Keeping same IP over VPN
on 14.12.2006 07:16:01 by johnny021
We have four office locations that we need to VPN together; all of them
have NS5GT firewalls. What we want at all four locations is the same LAN
IP scheme.
E.g., a 10.1.2.x scheme.
All locations have a static WAN IP. What kind of VPN would be recommended,
and, if possible, what are the steps to implement it at all four locations?
Thanks
Re: Keeping same IP over VPN
on 15.12.2006 00:53:43 by flamer
johnny021@hotmail.com wrote:
> We have four office locations that we need to VPN together all of them
> have NS5GT Firewalls. What we want at all four location is the same LAN
> IP scheme.
>
> For eg; 10.1.2.x scheme
>
> All locations have static WAN IP. What kind of VPN would be recommended
> and if possible steps to implement them at all four locations.
>
> Thanks
The sites must be on different subnets; use NAT on your WAN router,
that way you can connect via internal IP.
Flamer.
Re: Keeping same IP over VPN
on 15.12.2006 16:05:24 by Wolfgang Kueter
flamer die.spam@hotmail.com wrote:
> the sites must be on different subnets,
Right, therefore he could simply use the following network addresses:
Location A: 10.1.2.0 Netmask 255.255.255.192
Location B: 10.1.2.64 Netmask 255.255.255.192
Location C: 10.1.2.128 Netmask 255.255.255.192
Location D: 10.1.2.192 Netmask 255.255.255.192
The 4 subnets are /26 (64 addresses, 62 of them usable) but that might be
enough.
> use nat on your wan router, that way you can connect via internal ip.
One should avoid NAT when setting up VPN connections ...
Wolfgang
Re: Keeping same IP over VPN
on 15.12.2006 16:09:23 by Wolfgang Kueter
johnny021@hotmail.com wrote:
> We have four office locations that we need to VPN together all of them
> have NS5GT Firewalls.
OK.
> What we want at all four location is the same LAN
> IP scheme.
No, you don't want that. You want different subnets. If you want to use
10.1.2.x in any of the 4 locations, use 255.255.255.292 (/26) as the
netmask.
> For eg; 10.1.2.x scheme
I'd definitely not recommend that. You'll need NAT and you really don't want
NAT in a VPN. Use different subnets on all the locations.
Wolfgang
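The /26 split suggested in the two replies above, worked through as an added example that is not part of the original posts. It uses Python's standard `ipaddress` module; the site names and the `SAME_EVERYWHERE` plan are constructed to mirror the thread.

```python
import ipaddress
from itertools import combinations

SITES = ["Location A", "Location B", "Location C", "Location D"]

# Constructed input: the plan the original poster asked for (same LAN everywhere).
SAME_EVERYWHERE = {s: ipaddress.ip_network("10.1.2.0/24") for s in SITES}


def split_for_sites(supernet, sites):
    """Give each site an equal, non-overlapping slice of `supernet`."""
    net = ipaddress.ip_network(supernet)
    # Fewest extra prefix bits that yield at least len(sites) subnets.
    extra_bits = (len(sites) - 1).bit_length()
    return dict(zip(sites, net.subnets(prefixlen_diff=extra_bits)))


def overlapping_pairs(plan):
    """Site pairs whose LANs overlap: a routed site-to-site VPN cannot
    tell their hosts apart unless one side is translated (NAT)."""
    return [
        (a, b)
        for (a, net_a), (b, net_b) in combinations(plan.items(), 2)
        if net_a.overlaps(net_b)
    ]


def describe(plan):
    """(site, network address, netmask, usable hosts) for each site."""
    return [
        (site, str(net.network_address), str(net.netmask), net.num_addresses - 2)
        for site, net in plan.items()
    ]


if __name__ == "__main__":
    print("Same scheme everywhere, conflicting pairs:",
          len(overlapping_pairs(SAME_EVERYWHERE)))
    plan = split_for_sites("10.1.2.0/24", SITES)
    print("Split plan, conflicting pairs:", len(overlapping_pairs(plan)))
    for row in describe(plan):
        print("%-11s %-12s netmask %-16s %d usable" % row)
```

Running the overlap check against the remote networks of every tunnel before configuring it shows which site pairs would need address translation.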
Re: Keeping same IP over VPN
on 15.12.2006 19:38:36 by roberson
In article ,
Wolfgang Kueter wrote:
>johnny021@hotmail.com wrote:
>> We have four office locations that we need to VPN together all of them
>> have NS5GT Firewalls.
>OK.
>> What we want at all four location is the same LAN
>> IP scheme.
>No, you don't want that.
johnny021 wrote that they want it, so yes, they *do* want it. They
probably don't want all the problems that go along with it, but they
might have some good reason in mind -- e.g., to make it easy to carry a
computer between the four locations without having to reconfigure it at
all. Or they might simply have been told by a PHB to do it that way.
>> For eg; 10.1.2.x scheme
>I'd definitely not recommend that. You'll need NAT and you really don't want
>NAT in a VPN. Use different subnets on all the locations.
In general, there is little more reason not to use NAT with a VPN than
there is not to use NAT at all. If you do not happen to be using
one of the protocols that NAT messes up, then you might as well,
technically speaking, NAT your VPN traffic.
There is certainly the point that using a VPN is often a way to -avoid-
having to NAT traffic that NAT -does- mess up (e.g., host locations
tracked by Microsoft domain registries), but that's not the issue
in this situation in which the OP specifically asked to NAT.
The OP did not ask for recommendations on how to get away without
doing NAT: the OP asked for recommendations on how to do the NAT
anyhow, and asked what equipment would be needed in order to implement it.
I answered the poster in Cisco terms in comp.dcom.sys.cisco, which
he had multiposted to (even though Cisco doesn't make NS5GT firewalls...)
Re: Keeping same IP over VPN
on 16.12.2006 11:42:24 by NETADMIN
It doesn't matter which group the post has been posted to; don't criticise it.
If you have a solution, kindly provide it, else leave it.
CK
Walter Roberson wrote:
> In article ,
> Wolfgang Kueter wrote:
> >johnny021@hotmail.com wrote:
>
> >> We have four office locations that we need to VPN together all of them
> >> have NS5GT Firewalls.
>
> >OK.
>
> >> What we want at all four location is the same LAN
> >> IP scheme.
>
> >No, you don't want that.
>
> johnny021 wrote that they want it, so yes, they *do* want it. They
> probably don't want all the problems that go along with it, but they
> might have some good reason in mind -- e.g., to make it easy to carry a
> computer between the four locations without having to reconfigure it at
> all. Or they might simply have been told by a PHB to do it that way.
>
>
> >> For eg; 10.1.2.x scheme
>
> >I'd definitely not recommend that. You'll need NAT and you really don't want
> >NAT in a VPN. Use different subnets on all the locations.
>
> In general, there is little more reason not to use NAT with a VPN than
> there is not to use NAT at all. If you do not happen to be using
> one of the protocols that NAT messes up, then you might as well,
> technically speaking, NAT your VPN traffic.
>
> There is certainly the point that using a VPN is often a way to -avoid-
> having to NAT traffic that NAT -does- mess up (e.g., host locations
> tracked by Microsoft domain registries), but that's not the issue
> in this situation in which the OP specifically asked to NAT.
>
> The OP did not ask for recommendations on how to get away without
> doing NAT: the OP asked for recommendations on how to do the NAT
> anyhow, and asked what equipment would be needed in order to implement it.
>
> I answered the poster in Cisco terms in comp.dcom.sys.cisco, which
> he had multiposted to (even though Cisco doesn't make NS5GT firewalls...)
Re: Keeping same IP over VPN
on 16.12.2006 15:35:06 by roberson
In article <1166265744.134915.275030@l12g2000cwl.googlegroups.com>,
CK top-posted, herein corrected:
>Walter Roberson wrote:
>> In article ,
>> Wolfgang Kueter wrote:
>> >johnny021@hotmail.com wrote:
>> >> We have four office locations that we need to VPN together all of them
>> >> have NS5GT Firewalls.
>> The OP did not ask for recommendations on how to get away without
>> doing NAT: the OP asked for recommendations on how to do the NAT
>> anyhow, and asked what equipment would be needed in order to implement it.
>> I answered the poster in Cisco terms in comp.dcom.sys.cisco, which
>> he had multiposted to (even though Cisco doesn't make NS5GT firewalls...)
>It doesn't matter which group the post has been posted to; don't criticise it.
>If you have a solution, kindly provide it, else leave it.
Well, if you insist:
http://groups.google.ca/group/comp.dcom.sys.cisco/browse_thread/thread/913335699e03cc1/c71d107046086985
My answer was less than 2 hours after the OP's question, and I
provided information about which equipment would or would
not be able to handle the situation under various circumstances,
"naming names" (and software versions.)