Site to Site security.

DevilWAH (Member, Posts: 2,997)
OK, just wondering how different people do things.

Let's say I have an HQ site and a branch office.

At the branch office I have a single router.

At the HQ I have an external router, and a (Checkpoint) firewall sitting inside that.

I want a secure connection to tunnel all traffic from the branch site to the HQ, and I want all traffic destined for internal HQ networks, and all traffic from the branch to the outside, to pass through the firewall.

So as I see it there are a few ways to do this.

Set up a standard IPsec VPN between the HQ and branch routers,
or set up a GRE tunnel between the two with IPsec protection
(and then use ACLs and route maps to ensure traffic from the Internet and the branch site passes through the firewall).

Or I could set up the firewall to be the endpoint for the VPN.

And then of course you could go on to create virtual firewalls or routers to improve the logical layout. I am just wondering the "best" way, or most standard if you like.
  • If you can't explain it simply, you don't understand it well enough. Albert Einstein
  • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.

Comments

  • SteveO86 (Member, Posts: 1,423)
    I'm a big fan of DMVPN, or GRE with tunnel protection. IPsec crypto maps are at the bottom of my list.

    Routing updates make all the difference.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • networker050184 (Mod, Posts: 11,962)
    If it's just a site with a single VPN path to the HQ I'd just go IPsec VPN. No need to overcomplicate it or use routing protocols if there isn't a need, IMO. It's not like there is anywhere else to fail over to in the event of a failure.
    An expert is a man who has made all the mistakes which can be made.
  • DevilWAH (Member, Posts: 2,997)
    My main issue is that the FW sits on the inside of the router, so even with an IPsec VPN between the two routers I would still need to force traffic from the branch to the Internet to go through the FW using route policies.

    I am sure I am missing something really simple, but getting Checkpoint FWs to form a stable VPN to a Cisco router is not as easy as I would expect. I wish you could set up encrypted tunnels like GRE between Checkpoint and branch sites. Or maybe you can, but I don't see how.
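As an added worked example (not from the original post or from any of the participants), this is how the second option listed in the opening post, a GRE tunnel with IPsec protection plus policy routing, looks on Cisco IOS, and how it addresses the point in the follow-up reply that the FW sits inside the router so branch-to-Internet traffic has to be forced through it. All addresses, interface names and the pre-shared key are assumptions. The Checkpoint is assumed to NAT Internet-bound traffic and to have a route for the branch LAN and a default route, both pointing at the edge router's inside interface.

```cisco
! ===== HQ edge router (Cisco IOS) =====
! Example configuration, not from the thread. Addresses, names and the
! pre-shared key are assumptions. Topology assumed: Internet - this router -
! Checkpoint FW (outside 192.168.100.2) - HQ LAN 10.10.0.0/16.
!
! IKEv1 / IPsec parameters. GRE is protected with transport-mode ESP through
! an IPsec profile, so no crypto ACL or crypto map is needed.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-GRE
 set transform-set TS-GRE
!
! Only branch-sourced traffic is policy-routed. The "any" destination means
! both HQ-internal and Internet-bound flows are handed to the firewall
! instead of following the default route straight out to the Internet.
ip access-list extended BRANCH-SOURCED
 permit ip 10.20.0.0 0.0.255.255 any
!
route-map VIA-FIREWALL permit 10
 match ip address BRANCH-SOURCED
 set ip next-hop 192.168.100.2
!
interface Tunnel0
 description GRE to branch, IPsec-protected
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip policy route-map VIA-FIREWALL
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile IPSEC-GRE
!
interface GigabitEthernet0/0
 description Internet
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Transit to Checkpoint outside interface
 ip address 192.168.100.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 198.51.100.254
ip route 10.10.0.0 255.255.0.0 192.168.100.2
ip route 10.20.0.0 255.255.0.0 Tunnel0
!
! ===== Branch router (Cisco IOS) =====
! Mirror of the HQ crypto settings, peer address swapped.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-GRE
 set transform-set TS-GRE
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile IPSEC-GRE
!
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 description Branch LAN
 ip address 10.20.0.1 255.255.0.0
!
! Avoid recursive routing: the HQ peer must be reachable via the ISP before
! the default route sends everything else into the tunnel.
ip route 198.51.100.1 255.255.255.255 203.0.113.1
ip route 0.0.0.0 0.0.0.0 Tunnel0
```

On the Checkpoint, the matching routes are 10.20.0.0/16 via 192.168.100.1 and a default via 192.168.100.1, so the reverse path for both HQ-internal and NATed Internet replies comes back through the edge router and into Tunnel0. The host route for the peer on the branch side is the part most often forgotten: without it the tunnel destination is itself reached via Tunnel0 and IOS suppresses the tunnel with a recursive routing message. To check the result, `show crypto ipsec sa` on either router should show encaps/decaps counters rising for the GRE pair, and `show route-map VIA-FIREWALL` on the HQ router should show policy-routed packet counts increasing when a branch host browses the Internet.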
  • phoeneous (Member, Posts: 2,333)
    Does voice need to pass through the tunnel?
  • DevilWAH (Member, Posts: 2,997)
    Possibly; in the long term, definitely.