VPN/DMZ configuration help

on 15.06.2007 13:53:26 by Debo

Here's my config:
WatchGuard Firebox x750e (version 8)
WatchGuard Firebox SSL Core VPN (version 5.1)
Public IP range: xxx.xxx.xxx.112/29
Private IP range: 192.168.10.0/24

Current Topology:
Internet --- Cisco 1700 --- x750e --- LAN

Here is the config I am trying to achieve:
Internet
|
Cisco 1700
|
x750e --- (DMZ) SSL Core VPN (172.16.10.0/24)
|
LAN (192.168.10.0/24)

If I have three of my public IP addresses currently mapped to the
external interface of the x750, how would I be able to give the
external interface of the SSL VPN appliance a public IP? I need
another IP block, don't I? I think I am way overanalyzing this scenario
so I have confused the mess out of myself. Thanks for any help.

Re: VPN/DMZ configuration help

on 15.06.2007 14:27:11 by Leythos

In article <1181908406.792189.8110@g4g2000hsf.googlegroups.com>,
shonuff6699@yahoo.com says...
> Here's my config:
> WatchGuard Firebox x750e (version 8)
> WatchGuard Firebox SSL Core VPN (version 5.1)
> Public IP range: xxx.xxx.xxx.112/29
> Private IP range: 192.168.10.0/24
>
> Current Topology:
> Internet --- Cisco 1700 --- x750e --- LAN
>
> Here is the config I am trying to achieve:
> Internet
> |
> Cisco 1700
> |
> x750e --- (DMZ) SSL Core VPN (172.16.10.0/24)
> |
> LAN (192.168.10.0/24)
>
> If I have three of my public IP addresses currently mapped to the
> external interface of the x750, how would I be able to give the
> external interface of the SSL VPN appliance a public IP? I need
> another IP block, don't I? I think I am way overanalyzing this scenario
> so I have confused the mess out of myself. Thanks for any help.

You could put the 750e in Drop-In mode and then all interfaces would
have the same addresses (meaning that LAN/DMZ would have the same IP as
the EXT) and then you create rules, same as in Routed Mode, to map ports
between the Zones (LAN/DMZ).

You could also just forward the ports needed by the SSL to the VPN
appliance from the IP you want to use.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: VPN/DMZ configuration help

on 15.06.2007 14:43:26 by Debo

On Jun 15, 7:27 am, Leythos wrote:
> In article <1181908406.792189.8...@g4g2000hsf.googlegroups.com>,
> shonuff6...@yahoo.com says...
>
> > Here's my config:
> > WatchGuard Firebox x750e (version 8)
> > WatchGuard Firebox SSL Core VPN (version 5.1)
> > Public IP range: xxx.xxx.xxx.112/29
> > Private IP range: 192.168.10.0/24
>
> > Current Topology:
> > Internet --- Cisco 1700 --- x750e --- LAN
>
> > Here is the config I am trying to achieve:
> > Internet
> > |
> > Cisco 1700
> > |
> > x750e --- (DMZ) SSL Core VPN (172.16.10.0/24)
> > |
> > LAN (192.168.10.0/24)
>
> > If I have three of my public IP addresses currently mapped to the
> > external interface of the x750, how would I be able to give the
> > external interface of the SSL VPN appliance a public IP? I need
> > another IP block, don't I? I think I am way overanalyzing this scenario
> > so I have confused the mess out of myself. Thanks for any help.
>
> You could put the 750e in Drop-In mode and then all interfaces would
> have the same addresses (meaning that LAN/DMZ would have the same IP as
> the EXT) and then you create rules, same as in Routed Mode, to map ports
> between the Zones (LAN/DMZ).
>
> You could also just forward the ports needed by the SSL to the VPN
> appliance from the IP you want to use.
>
> --
>
> Leythos
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999f...@rrohio.com (remove 999 for proper email address)

Thanks for your reply Leythos. So what you are saying is that if I
want to run my SSL Core VPN in a true DMZ scenario I will have to
change my x750e to drop-in mode? The second option you gave for port
forwarding, if I use that I wouldn't have a true DMZ right?? So that
means I would just hook up the one interface of the SSL Core VPN?? I
called WatchGuard yesterday for some clarification and I am more
confused now than I was before. Thanks again.

Re: VPN/DMZ configuration help

on 15.06.2007 15:23:04 by Leythos

In article <1181911406.298991.11290@q69g2000hsb.googlegroups.com>,
shonuff6699@yahoo.com says...
> On Jun 15, 7:27 am, Leythos wrote:
> > In article <1181908406.792189.8...@g4g2000hsf.googlegroups.com>,
> > shonuff6...@yahoo.com says...
> >
> > > Here's my config:
> > > WatchGuard Firebox x750e (version 8)
> > > WatchGuard Firebox SSL Core VPN (version 5.1)
> > > Public IP range: xxx.xxx.xxx.112/29
> > > Private IP range: 192.168.10.0/24
> >
> > > Current Topology:
> > > Internet --- Cisco 1700 --- x750e --- LAN
> >
> > > Here is the config I am trying to achieve:
> > > Internet
> > > |
> > > Cisco 1700
> > > |
> > > x750e --- (DMZ) SSL Core VPN (172.16.10.0/24)
> > > |
> > > LAN (192.168.10.0/24)
> >
> > > If I have three of my public IP addresses currently mapped to the
> > > external interface of the x750, how would I be able to give the
> > > external interface of the SSL VPN appliance a public IP? I need
> > > another IP block, don't I? I think I am way overanalyzing this scenario
> > > so I have confused the mess out of myself. Thanks for any help.
> >
> > You could put the 750e in Drop-In mode and then all interfaces would
> > have the same addresses (meaning that LAN/DMZ would have the same IP as
> > the EXT) and then you create rules, same as in Routed Mode, to map ports
> > between the Zones (LAN/DMZ).
> >
> > You could also just forward the ports needed by the SSL to the VPN
> > appliance from the IP you want to use.
> >
> > --
> >
> > Leythos
> > - Igitur qui desiderat pacem, praeparet bellum.
> > - Calling an illegal alien an "undocumented worker" is like calling a
> > drug dealer an "unlicensed pharmacist"
> > spam999f...@rrohio.com (remove 999 for proper email address)
>
> Thanks for your reply Leythos. So what you are saying is that if I
> want to run my SSL Core VPN in a true DMZ scenario I will have to
> change my x750e to drop-in mode? The second option you gave for port
> forwarding, if I use that I wouldn't have a true DMZ right?? So that
> means I would just hook up the one interface of the SSL Core VPN?? I
> called WatchGuard yesterday for some clarification and I am more
> confused now than I was before. Thanks again.

This is the best I can do to help you:
http://www.watchguard.com/docs/faq/ssl-core_faq.asp#firewall


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)