Scenario: Firewall Friendly VPN

In this scenario, a large insurance company wants to establish a VPN between a gateway in Chicago and a host in Minneapolis when both networks are behind a firewall.

Situation

Suppose you are a large homeowner's insurance company based in Minneapolis and you have just opened a new branch in Chicago. The Chicago branch needs to access the customer database at the Minneapolis headquarters. You want to make sure the information being transferred is secure, because the database contains confidential information about your customers such as names, addresses, and phone numbers. You decide to connect both branches over the Internet using a Virtual Private Network (VPN). Both branches are behind a firewall and use Network Address Translation (NAT) to hide their unregistered private IP addresses behind a set of registered IP addresses. However, VPN connections have some well-known incompatibilities with NAT: a VPN connection discards packets that have passed through a NAT device, because NAT changes the IP address in the packet and thereby invalidates the packet. You can still use a VPN connection with NAT if you implement UDP encapsulation.

In this scenario, the IPSec packet leaving the Chicago network is wrapped in a UDP header and a new IP header, and the private IP address in that new header is translated when the packet passes through Firewall-C (see the following figure). When the packet reaches Firewall-D, that firewall translates the destination IP address to the IP address of System-E and forwards the packet to System-E. Finally, System-E strips off the UDP header, leaving the original IPSec packet, which now passes all validations and allows a secure VPN connection.
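The following script is an added example and not part of the IBM documentation for this scenario. It models, in a deliberately simplified form (not the real IPSec or RFC 3948 packet layout), why a bare IPSec packet fails its integrity check after the two NAT rewrites at Firewall-C and Firewall-D, while the same packet inside a UDP encapsulation survives them; all addresses and the shared key are constructed.

```python
import hashlib
import hmac
import socket
import struct

# Constructed, simplified model, not real IPSec or RFC 3948: an "IPSec packet" is
# src_ip || dst_ip || payload || tag, with tag = HMAC-SHA256 over header+payload.
# Any NAT rewrite of that header therefore invalidates the tag.
KEY = b"constructed-shared-key"
NAT_T_PORT = 4500  # UDP port IPsec NAT traversal uses

def build_ipsec_packet(src: str, dst: str, payload: bytes) -> bytes:
    header = socket.inet_aton(src) + socket.inet_aton(dst)
    return header + payload + hmac.new(KEY, header + payload, hashlib.sha256).digest()

def verify_ipsec_packet(packet: bytes) -> bool:
    expected = hmac.new(KEY, packet[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(packet[-32:], expected)

def udp_encapsulate(src: str, dst: str, ipsec_packet: bytes) -> bytes:
    # New outer IP header + UDP header (4500 -> 4500) in front of the IPSec packet.
    outer = socket.inet_aton(src) + socket.inet_aton(dst)
    return outer + struct.pack("!HH", NAT_T_PORT, NAT_T_PORT) + ipsec_packet

def udp_decapsulate(packet: bytes) -> bytes:
    # System-E strips the outer IP (8 bytes here) and UDP (4 bytes here) headers.
    return packet[12:]

def nat_rewrite(packet: bytes, src=None, dst=None) -> bytes:
    # A firewall doing NAT only touches the outermost IP header of the packet.
    new_src = socket.inet_aton(src) if src else packet[:4]
    new_dst = socket.inet_aton(dst) if dst else packet[4:8]
    return new_src + new_dst + packet[8:]

def demo() -> dict:
    # Constructed addresses: private Chicago host, Firewall-C public address,
    # Firewall-D public address, and System-E's private address behind Firewall-D.
    chicago, fw_c, fw_d, system_e = "10.1.1.1", "203.0.113.5", "198.51.100.9", "10.2.2.2"
    inner = build_ipsec_packet(chicago, fw_d, b"customer-db-query")
    # Bare IPSec: Firewall-C and then Firewall-D rewrite the only header it has.
    bare = nat_rewrite(nat_rewrite(inner, src=fw_c), dst=system_e)
    # UDP encapsulated: the same two rewrites hit the outer header only.
    encap = udp_encapsulate(chicago, fw_d, inner)
    encap = nat_rewrite(nat_rewrite(encap, src=fw_c), dst=system_e)
    return {"bare_valid": verify_ipsec_packet(bare),
            "encapsulated_valid": verify_ipsec_packet(udp_decapsulate(encap))}
```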

Objectives

In this scenario, a large insurance company wants to establish a VPN between a gateway in Chicago (Client) and a host in Minneapolis (Server) when both networks are behind a firewall.

The objectives of this scenario are as follows:

Details

The following figure illustrates the network characteristics for this scenario:

Chicago Network - Client

Minneapolis Network - Server

Configuration tasks

Related concepts
Key management
NAT compatible IPSec with UDP