Howto: How to configure static port mapping in the corporate router/firewall for Panda GateDefender Integra VPN networks



Similar documents
How to configure DNAT in order to publish internal services via Internet

HOWTO: How to configure IPSEC gateway (office) to gateway

How to Create a Basic VPN Connection in Panda GateDefender eseries

HOWTO: How to configure VPN SSL roadwarrior to gateway

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Cisco Which VPN Solution is Right for You?

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

How to configure the Panda GateDefender Performa explicit proxy in a Local User Database or in a LDAP server

SSL Web Proxy. Generally to access an internal web server which is behind a NAT router, you have the following two methods:

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation

Galileo International. Firewall & Proxy Specifications

Firewall Defaults and Some Basic Rules

GPRS / 3G Services: VPN solutions supported

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Creating a VPN with overlapping subnets

Pre-lab and In-class Laboratory Exercise 10 (L10)

VPN Tracker for Mac OS X

Panda Security for Exchange Servers

SSL VPN. Virtual Private Networks based on Secure Socket Layer. Mario Baldi. Politecnico di Torino. Dipartimento di Automatica e Informatica

VPN Solution Guide Peplink Balance Series. Peplink Balance. VPN Solution Guide Copyright 2015 Peplink

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

NETASQ MIGRATING FROM V8 TO V9

21.4 Network Address Translation (NAT) NAT concept

Chapter 12 Supporting Network Address Translation (NAT)

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

GNAT Box VPN and VPN Client

How To - Setup Cyberoam VPN Client to connect to a Cyberoam for the remote access using preshared key

Cisco AnyConnect Secure Mobility Solution Guide

White Paper. SSL vs. IPSec. Streamlining Site-to-Site VPN Deployments

Table of Contents. Introduction

Configuration Example

How To Configure Apple ipad for Cyberoam L2TP

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

Application Note. Stateful Firewall, IPS or IDS Load- Balancing

LinkProof And VPN Load Balancing

Virtual Private Networks Solutions for Secure Remote Access. White Paper

Controlling Ashly Products From a Remote PC Location

PPTP Server Access Through The

7.1. Remote Access Connection

Security. TestOut Modules

GPRS and 3G Services: Connectivity Options

WAN Failover Scenarios Using Digi Wireless WAN Routers

MilsVPN VPN Tunnel Port Translation. Table of Contents Introduction VPN Tunnel Settings...2

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Configuration Example

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

How To Setup Cyberoam VPN Client to connect a Cyberoam for remote access using preshared key

Implementing and Managing Security for Network Communications

StoneGate Installation Guide

Corporate VPN Using Mikrotik Cloud Feature. By SOUMIL GUPTA BHAYA Mikortik Certified Trainer

Polycom. RealPresence Ready Firewall Traversal Tips

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Configuring a GB-OS Site-to-Site VPN to a Non-GTA Firewall

INTRODUCTION... 2 Windows Windows Mac OS X Ubuntu Advanced routing Windows Mac OS X Ubuntu...

Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab

Configuring GTA Firewalls for Remote Access

VPN Wizard Default Settings and General Information

Cisco QuickVPN Installation Tips for Windows Operating Systems

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

Security Technology: Firewalls and VPNs

VPN CLIENT ADMINISTRATOR S GUIDE

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

Technical Support Information

NATed Network Testing IxChariot

Understanding Windows Server 2003 Networking p. 1 The OSI Model p. 2 Protocol Stacks p. 4 Communication between Stacks p. 13 Microsoft's Network

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

Kodak Remote Support System - RSS VPN

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:

Using Remote Desktop Software with the LAN-Cell

Security perimeter. Internet. - Access control, monitoring and management. Differentiate between insiders and outsiders - Different types of outsiders

VPN Tracker for Mac OS X

Technical Document. Creating a VPN. GTA Firewall to WatchGuard Firebox SOHO 6 TD: GB-WGSOHO6

Virtual Private Networks

Defender EAP Agent Installation and Configuration Guide

VPNC Interoperability Profile

Setting up VPN Access for Remote Diagnostics Support

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

ISG50 Application Note Version 1.0 June, 2011

Connecting Remote Users to Your Network with Windows Server 2003

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

If you have questions or find errors in the guide, please, contact us under the following address:

Tech-Note Bridges Vs Routers Version /06/2009. Bridges Vs Routers

Application Note. Onsight Connect Network Requirements v6.3

Stonesoft 5.5. Firewall/VPN Reference Guide. Firewall Virtual Private Networks

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Intranet Security Solution

Application Notes for Configuring a SonicWALL VPN with an Avaya IP Telephony Infrastructure - Issue 1.0

Configuring a BANDIT Product for Virtual Private Networks

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

CLOUD INFRASTRUCTURE DESIGN GUIDE

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

Document No. FO1101 Issue Date: Work Group: FibreOP Technical Team October 31, 2013 FINAL:

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

athenahealth Interface Connectivity SSH Implementation Guide

Source-Connect Network Configuration Last updated May 2009

Fireware Essentials Exam Study Guide

Transcription:

Howto: How to configure static port mapping in the corporate router/firewall for Panda GateDefender Integra VPN networks How-to guides for configuring VPNs with GateDefender Integra Panda Security wants to ensure you get the most out of GateDefender Integra. For this reason, we offer you all the information you need about the characteristics and configuration of the product. Refer to http://www.pandasecurity.com/ and http://www.pandasecurity.com/enterprise/support/ for more information. How-to guides for Panda GateDefender Integra The software described in this document is delivered under the terms and conditions of the end user license agreement and can only be used after accepting the terms and conditions of said agreement. The anti-spam technology in this product is provided by Mailshell. The web filtering technology in this product is provided by Cobion. Copyright notice Panda 2007. All rights reserved. Neither the documents nor the programs that you may access may be copied, reproduced, translated or transferred to any electronic or readable media without prior written permission from Panda, c/ Buenos Aires, 12 48001 Bilbao (Biscay) Spain. Registered Trademarks Panda Security. TruPrevent: Registered in U.S.A Patent and Trademark Office. Windows Vista and the Windows logo are trademarks or registered trademarks of Microsoft Corporation in the United States and other countries. All other product names may be registered trademarks of their respective owners. D. L. BI-1915-07 Panda 2007. All rights reserved.

CONTENTS 1 Introduction... 3 2 VPN protocols... 4 2.1 IPSEC VPN... 4 2.2 L2TP VPN... 6 2.3 SSL VPN... 7 2.4 PPTP VPN... 8 3 Conclusions... 9 Symbols and styles used in this documentation Symbols used in this documentation: Note. Clarification and additional information. Important. Highlights the importance of a concept. Tip. Ideas to help you get the most from your program. Reference. Other references with more information of interest. Fonts and styles used in the documentation: Bold: Names of menus, options, buttons, windows or dialog boxes. Codes style: Names of files, extensions, folders, command line information or configuration files, for example, scripts. Italics: Names of options related with the operating system and programs or files with their own name. Panda GateDefender Integra Page 2 of 9

1 Introduction The following document explains how to configure the corporate firewall/router located in front of GateDefender Integra so that VPN traffic reaches GateDefender Integra in the corporate network in the event that Integra is acting as a gateway in a VPN tunnel with the other device on the other side of the firewall/router. The scenario that will be used throughout the document and which is illustrated in the diagram below, is one of the most common situations when installing Panda GateDefender Integra in router mode in a corporate network. Figure 1 The Panda GateDefender Integra is located at the network entry point, just behind the corporate firewall/router. The device that is located in front of the GateDefender Integra unit, either firewall or router, can be applying security policies that control inbound/outbound traffic. Normally, GateDefender Integra will have a private IP address assigned and the corporate firewall/router will use the NAT protocol to direct all internal traffic on to the Internet. In this situation, the corporate network has a single public IP address (external interface of the firewall). In the case of the diagram, the IP address is: 62.14.249.65 In this case, if Integra is acting as a VPN gateway, VPN network packets that reach the public IP address of the external router/firewall interface (62.14.249.65) have to be redirected to the Integra VPN Gateway protected by the NAT router/firewall. Therefore, for the VPN tunnels to be established correctly from Panda GateDefender Integra, ports will have to be statically mapped, also known as Destination Nat or Port Forwarding in the NAT device (corporate router/firewall). Below you'll find the ports and protocols that need to be mapped in the corporate firewall/router to the Integra private IP address (in the diagram, 192.168.1.2). Panda GateDefender Integra Page 3 of 9

2 VPN protocols 2.1 IPSEC VPN In this scenario, Panda GateDefender Integra will be the VPN Gateway for an IPSEC tunnel. As they are protected by a NAT device, (corporate router/firewall) which translates or changes the private IP address when going out to the Internet, packets sent from the opposite end of the tunnel, (Gateway or Roadwarrior) are received in the public IP address, and have to be redirected to the private IP address of Panda GateDefender Integra, in this case 192.168.1.2. Therefore, in the corporate router/firewall, it will be necessary to statically map traffic reaching IP 62.14.249.65 through port UDP 500 and through port UDP 4500 (if NAT-T is activated and NAT is detected) to IP 192.168.1.2 in port UDP 500 and UDP 4500 as shown in the diagram: Figure 2 Panda GateDefender Integra Page 4 of 9

The VPN Gateway managing the tunnels would seem to be the corporate router/firewall. However, in reality, this is redirecting it to the VPN server (Integra) in the network. The ESP/AH packets will be directed to Integra thanks to the connection tracking feature of the corporate firewall/router. If the architecture is gateway-to-gateway, the same redirection of traffic should be carried out at the other end of the tunnel in UDP ports 500 and 4500 to the internal IP address of the other gateway as illustrated below: Figure 3 Panda GateDefender Integra Page 5 of 9

2.2 L2TP VPN This case is very similar to the previous case. L2TP works over IPSEC, so the mapping in this case is the same as in the previous one: Figure 4 Panda GateDefender Integra Page 6 of 9

2.3 SSL VPN Let's suppose that GateDefender Integra establishes a VPN using SSL. Traffic in this case will only use UDP port 1194. This means all traffic received in the external interface of the router/firewall, at IP 62.14.249.65 (UDP port 1194), must be redirected to the internal IP address of Integra 192.168.1.2 in UDP port 1194. Both in the case of Gateway-Roadwarrior architecture and Gateway-Gateway architecture, this redirecting of traffic is only carried out in the corporate router/firewall where the server is, as on the client side, it is only necessary to ensure that outbound traffic is allowed through UDP 1194. Figure 5 Panda GateDefender Integra Page 7 of 9

2.4 PPTP VPN The final scenario that could occur with GateDefender Integra is that of a PPTP VPN, in which Integra acts as a VPN gateway for a Roadwarrior. In this case, there are two different types of traffic: Traffic for establishing the tunnel consisting of TCP packets whose target is port 1723. Encrypted traffic consisted of IP 47 packets also known as GRE (Generic Routing Encapsulation)). Note: 47 refers to the number of the protocol and not the number of port. Warning: Bear in mind that the corporate router/firewall must have PPTP connection tracking to allow simultaneous multiple connections with the roadwarriors behind it. In the corporate router/firewall in which the VPN Integra server is located, it will be necessary to redirect TCP 1723 traffic received in the public IP address to Integra s private address in TCP port 1173. Once you have done this, IP 47 traffic will be sent automatically to the VPN Integra server using the connection tracking of the corporate router/firewall. Figure 6 Panda GateDefender Integra Page 8 of 9

3 Conclusions This document describes factors that have to be taken into account for the correct processing of VPN traffic from the remote Gateway/Roadwarrior when Panda GateDefender Integra is located behind a NAT device. In order for the VPN to operate, the VPN traffic received in the public interface of the router/firewall must be redirected to the private IP address of Integra, either when it has the role of the VPN server for protocols such as PPTP or SSL, or when it operates as a gateway for protocols such as IPSEC or L2TP. In order for the VPN network to operate correctly in this type scenario, it is not enough just to process and VPN traffic coming in from the outside, but outbound traffic must also be allowed. Panda 2006 0707-PGDIHT10-02-EN Panda GateDefender Integra Page 9 of 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information