Monday, November 12, 2007

VPN

Today is the day that I set aside to test and resolve the VPN to allow Steve or me to work on anything while we are out of town. Since I'm going to be out of town next week for vacation, I considered this a priority.

The solution for our network was to set up an Easy VPN solution using the current firewall as the VPN gateway. Since our office is so small I have the firewall configured to also be the DHCP server for any hosts that don't have static mappings. The reason for the VPN gateway being the DHCP server is that the DNS server is going to be isolated via VLAN at some point and I didn't want to have to rework the whole network and ACLs to pass DHCP traffic across the firewall between VLANs. Too much work for 3 people who are out of town most of the time. Also, having the firewall be DHCP allows the IP pool to be part of the VPN rather than having to go to a DHCP server to issue IPs after a client has authenticated.

With my trusty SNPA book at my side I spent all of today configuring the IP pools and NAT traversal rules that I needed to support the VPN connection. Thankfully I had already gotten an email from the network admin that manages our executive suites that mapped out our external IP. We had him set up a static NAT mapping to our internal network address. This is consequently why I had to set up NAT traversal and NAT encapsulation so that the traffic for the VPN could navigate two NATs while getting out to the internet.

I've set up the firewall to handle the initial authentication for the clients as they connect, and future plans do include a certificate authority once we have more people in the office. This should allow us to have two-factor authentication, which is better than what we have now, but with so few people I don't see a need to set up that sort of system, yet.
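For readers who want to see what the pieces described above (a firewall-owned address pool, NAT traversal behind an upstream static NAT, and firewall-side user authentication) look like together, here is an added example of an Easy VPN server configuration. It is not the post author's configuration and was not taken from the SNPA book; it assumes ASA 7.x-style syntax (the post does not say whether the firewall is a PIX or an ASA, and PIX 6.x commands differ), and every interface name, network, pool, object name, username and key is a placeholder.

```cisco
! Added example, ASA 7.x-style syntax assumed. All names, addresses and keys are placeholders.

! Address pool handed to Easy VPN clients after they authenticate.
! The firewall owns this pool, so no separate DHCP server is involved.
ip local pool RA_POOL 10.10.10.1-10.10.10.20 mask 255.255.255.0

! NAT exemption: traffic between the office LAN and the VPN pool must not be
! translated, otherwise return traffic to the clients breaks.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! IKE phase 1. With NAT-T enabled, both ends detect the NATs in the path and
! carry ESP inside UDP/4500, which the upstream static NAT can forward.
! UDP/500 and UDP/4500 must therefore reach the firewall through that NAT.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

! IPsec phase 2 with a dynamic crypto map, since client addresses are not known in advance.
crypto ipsec transform-set RA_TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RA_DYN 10 set transform-set RA_TS
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA_DYN
crypto map OUTSIDE_MAP interface outside

! Let decrypted VPN traffic bypass the outside interface ACL
! (the keyword is permit-ipsec on older releases).
sysopt connection permit-vpn

! Group policy: push the office DNS server and, optionally, split tunnelling
! so only office prefixes go through the tunnel.
access-list SPLIT standard permit 192.168.1.0 255.255.255.0
group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol IPSec
 dns-server value 192.168.1.10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT

! Tunnel group: the group pre-shared key authenticates the client software,
! the XAUTH step authenticates the person against the local user database.
! Certificates can replace the pre-shared key later without changing the rest.
tunnel-group RA_GROUP type ipsec-ra
tunnel-group RA_GROUP general-attributes
 address-pool RA_POOL
 default-group-policy RA_GP
 authentication-server-group LOCAL
tunnel-group RA_GROUP ipsec-attributes
 pre-shared-key <group-key>

! Per-user accounts for XAUTH; privilege 0 keeps them out of the firewall CLI.
username steve password <password> privilege 0
username stephen password <password> privilege 0
```

Two things worth checking once a client is connected: `show crypto isakmp sa` should show the peer with NAT-T detected (and the SA on UDP/4500 rather than UDP/500) when the client sits behind a NAT, and `show crypto ipsec sa` should show the decaps counter rising and the client's pool address as the remote proxy. If the group key is ever shared beyond the three people who need it, rotate it; with group pre-shared keys the key itself, not just the user passwords, is part of the trust boundary. The split-tunnel lines are optional; dropping them sends all client traffic through the office, which is the more conservative choice for hosts used on hotel networks.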

Anyways, the firewall is up and running and configured to allow me, Stephen, and Steve to connect to the network via VPN. The traffic from the internal network is passing as it should and I have access to all the servers that I need to have access to while any of us are on the road.

Success... I guess I can do something now.
