Site to Site security.
OK, just wondering how different people do things.
Let's say I have an HQ site and a branch office.
At the branch office I have a single router.
At the HQ I have an external router, and a (Checkpoint) firewall sitting inside that.
I want a secure connection to tunnel all traffic from the branch site to the HQ, and I want all traffic destined for internal HQ networks, and from the branch to the outside, to pass through the firewall.
So as I see it there are a few ways to do this.
Set up a standard IPSEC VPN between the HQ and branch routers,
or set up a GRE tunnel between the two with IPSEC protection
(and then use ACLs and route maps to ensure traffic from the internet and the branch site passes through the firewall),
or I could set up the firewall to be the endpoint for the VPN.
And then of course you could go on to create virtual firewalls or routers to improve the logical layout. I am just wondering the "best" way, or most standard if you like.
- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com
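A worked example of the second option listed above (a GRE tunnel protected by IPsec, plus a route map on the HQ router so branch-to-Internet traffic is handed to the firewall instead of following the default route straight to the ISP). This is added configuration for illustration, not from the thread or from any of its posters; it assumes Cisco IOS on both routers, and the addresses are all placeholders: 203.0.113.1 (HQ router outside), 198.51.100.1 (branch router outside), 192.0.2.2 (Check Point outside interface on a transit subnet with the HQ router), 10.10.0.0/16 (HQ internal networks), 10.20.0.0/24 (branch LAN) and 10.255.0.0/30 (tunnel). The Check Point side is not shown; it is assumed to have a route for 10.20.0.0/24 back to 192.0.2.1 and to NAT branch-to-Internet flows.

```cisco
! ===== HQ router (assumed Cisco IOS) =====
hostname R-HQ
!
! IKE/IPsec parameters used to protect the GRE tunnel (PSK is a placeholder)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile PROT-GRE
 set transform-set TS-AES256
!
interface GigabitEthernet0/0
 description Internet (ISP next hop 203.0.113.2)
 ip address 203.0.113.1 255.255.255.252
!
interface GigabitEthernet0/1
 description Transit to Check Point outside interface (192.0.2.2)
 ip address 192.0.2.1 255.255.255.248
!
interface Tunnel0
 description GRE over IPsec to branch
 ip address 10.255.0.1 255.255.255.252
 ip policy route-map BRANCH-VIA-FW
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile PROT-GRE
!
ip route 0.0.0.0 0.0.0.0 203.0.113.2
! HQ internal networks live behind the firewall
ip route 10.10.0.0 255.255.0.0 192.0.2.2
! Branch LAN is reached through the tunnel
ip route 10.20.0.0 255.255.255.0 Tunnel0
!
! Branch traffic for HQ internal networks already routes to the firewall;
! everything else from the branch would follow the default route to the ISP,
! so policy-route it to the firewall instead.
ip access-list extended BRANCH-TO-INTERNET
 deny   ip 10.20.0.0 0.0.0.255 10.10.0.0 0.0.255.255
 permit ip 10.20.0.0 0.0.0.255 any
!
route-map BRANCH-VIA-FW permit 10
 match ip address BRANCH-TO-INTERNET
 set ip next-hop 192.0.2.2

! ===== Branch router (assumed Cisco IOS) =====
hostname R-BRANCH
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile PROT-GRE
 set transform-set TS-AES256
!
interface GigabitEthernet0/0
 description Internet (ISP next hop 198.51.100.2)
 ip address 198.51.100.1 255.255.255.252
!
interface GigabitEthernet0/1
 description Branch LAN
 ip address 10.20.0.1 255.255.255.0
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile PROT-GRE
!
! Send all branch traffic into the tunnel...
ip route 0.0.0.0 0.0.0.0 Tunnel0
! ...but keep the tunnel endpoint itself reachable via the ISP, otherwise the
! tunnel destination would recurse into the tunnel and the interface flaps.
ip route 203.0.113.1 255.255.255.255 198.51.100.2
```

Two points worth checking after applying something like this: the host route for the tunnel endpoint on the branch router is what prevents the recursive-routing failure that a default route via the tunnel otherwise causes, and because the firewall NATs branch-to-Internet flows, return traffic from the Internet lands on the firewall's own address, so no second route map is needed on the HQ router's outside interface. `show crypto ipsec sa` confirms the tunnel is being protected, and `show route-map BRANCH-VIA-FW` shows policy-routed packet counts climbing when branch hosts browse the Internet.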
Comments
-
networker050184 (Mod, Posts: 11,962):
If it's just a site with a single VPN path to the HQ I'd just go IPSEC VPN. No need to over-complicate it or use routing protocols if there isn't a need IMO. It's not like there is anywhere else to failover to in the event of a failure.
- An expert is a man who has made all the mistakes which can be made.
-
DevilWAH (Member, Posts: 2,997):
My main issue is the FW sits on the inside of the router, so even with an IPSEC VPN between the two routers I would still need to force traffic from the branch to the Internet to go through the FW using route policies.
I am sure I am missing something really simple, but getting Checkpoint FWs to form a stable VPN to a Cisco router is not as easy as I would expect. I wish you could set up encrypted tunnels like GRE between Checkpoint and branch sites. Or maybe you can but I don't see how.
-
DevilWAH (Member, Posts: 2,997):
Possible, in the long term definitely.