
Re: [afnog] Oposite of VPN ?



On Fri, Aug 15, 2003 at 08:32:42PM +0000, Mohamadi ZONGO wrote:
> The diagram looks like this:
> 
> INTERNET                     Intranet
>    /                         leased
>    /                         line
>    R1----+---- FW ----+----R2=========R3-----+-------+
>          /            /                      /       /
>          /           /                      /       / 
>         VPN1      TRUSTED NET1     TRUSTED NET2    VPN2---+--  
>                                                           /
>                                                           /
>    ^^^^^^^^^^                                      CYBERCAFE(UNTRUSTED)
>    UNTRUSTED

Absolutely. As long as VPN1 and VPN2 can 'see' each other's outside IP
address, i.e. FW policy permits the tunnel packets between VPN1 and VPN2,
and VPN2 routes *all* cybercafe traffic over the tunnel, this will be fine.
If someone in the cybercafe were to try to access the trusted net, they
would find themselves on the 'outside' of FW.

R1 will probably have a static route for the subnet you've allocated to the
cybercafe pointing at VPN1 (unless VPN1 participates in your IGP).

Regards,

Brian.
__________________________________________________
This is the Africa Network Operators' Group(AfNOG) 
technical discussion list.
The AfNOG website is: <http://www.afnog.org>
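
The condition in the reply above that VPN2 routes *all* cybercafe traffic over the tunnel can be checked mechanically; the following is an added example, not part of the original message. It does a longest-prefix-match audit of the routing table VPN2 applies to cybercafe-sourced packets and reports every destination range that would leave by an interface other than the tunnel. The interface names, the addresses and both sample tables are constructed, and it assumes VPN2's outside interface sits on the TRUSTED NET2 segment as the diagram suggests.

```python
import ipaddress as ip

TUNNEL = "tun0"                           # hypothetical tunnel interface on VPN2
CAFE_LAN = ip.ip_network("10.99.0.0/24")  # constructed cybercafe subnet

def uncovered(net, more_specific):
    """Return the parts of `net` not overridden by a more-specific route."""
    pieces = [net]
    for m in more_specific:
        remaining = []
        for p in pieces:
            if m.subnet_of(p):
                remaining.extend(p.address_exclude(m))  # carve m out of p
            elif not p.subnet_of(m):
                remaining.append(p)                     # m does not touch p
        pieces = remaining
    return pieces

def leaks(table):
    """Destinations that cybercafe traffic would reach without the tunnel.

    `table` is a list of (IPv4 prefix, egress interface) pairs. Routes back
    into the cybercafe LAN are ignored: they only deliver replies to clients.
    """
    nets = [(ip.ip_network(n), dev) for n, dev in table]
    out = []
    for net, dev in nets:
        if dev == TUNNEL or net.subnet_of(CAFE_LAN):
            continue
        finer = [m for m, _ in nets if m != net and m.subnet_of(net)]
        out.extend(uncovered(net, finer))
    return sorted(out)

# Constructed: VPN2's main table. The connected route for TRUSTED NET2 and the
# host route to the tunnel peer both win over the default via the tunnel.
MAIN_TABLE = [
    ("0.0.0.0/0", "tun0"),
    ("10.99.0.0/24", "eth1"),     # cybercafe LAN (inside)
    ("192.168.2.0/24", "eth0"),   # TRUSTED NET2, directly connected (outside)
    ("198.51.100.1/32", "eth0"),  # VPN1's outside address (tunnel peer)
]

# Constructed: a dedicated table selected by source address for cybercafe
# packets, holding only the LAN itself and a default via the tunnel.
CAFE_TABLE = [
    ("0.0.0.0/0", "tun0"),
    ("10.99.0.0/24", "eth1"),
]

if __name__ == "__main__":
    print("main table leaks:", [str(n) for n in leaks(MAIN_TABLE)])
    print("cafe table leaks:", [str(n) for n in leaks(CAFE_TABLE)])
```
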