[FW-1] Complex Nokia VPN - Comments?
Hi all,

Apologies for the huge ASCII drawing! (Use Courier font to view it with sanity :-)

I've been asked to look at placing a Nokia IP530 into this scenario:

[ASCII network diagram; the line layout did not survive extraction. Recoverable labels, top to bottom: Internet; Nokia IP650 << HA Pair >> Nokia IP650; DMZ Switch (private addressing); Proposed IP530; DMZ Switch (public addressing); Customer Switch (private addressing); Trusted Net / Customer VPN Cloud.]

This proposed Nokia, running 4.1, will be used purely to terminate SecuRemote tunnels, and potentially some site-to-site tunnels.

The top section is an "ISP Gateway". Effectively it is a pair of HA Nokia IP650s which provide NAT and a global security policy for a customer's international Frame network at the bottom. Off these Nokias are two DMZs: one is publicly addressed, and the other private. It is proposed that a further Nokia appliance (model not really decided yet) will sit between these DMZs, terminate SecuRemote and some site-to-site VPN tunnels, and forward decrypted traffic to the customer's private Frame network shown at the bottom.
There is already a WatchGuard Firebox in this location, which (apparently) successfully terminates some tunnels from a partner organisation.

Can anyone give me some guidance on the above, with regard to:

1. Am I going to have problems because the HA Nokias are running NAT? (The way I see it, the NAT actually only happens AFTER the tunnels are terminated, so it shouldn't be a problem? :¬)

2. What is the right choice of Nokia box for the job? There will be up to 1000 VPN (client) tunnels, maybe a maximum of 600 of them simultaneous.

Any other (constructive only!) comments would be very much appreciated!

Cheers,
Matt D
[email protected]