I have built an IPSEC/L2TP vpn server using WIN2k Server.
I would like employees to be able to come in either
through dial up or ADSL, Cable etc. I am thinking about
placing the VPN server on the DMZ, however I am faced
immediately with one problem, for the VPN tunnels to work
I need to disable NAT on the outside interface of my
firewall b/c L2TP/IPSEC does not work with NAT. Am I
taking a high security risk in disabling NAT? Any
alternatives as to where I can place the VPN server? Any
suggestions would be greatly appreciated.

Herb Martin

NAT is not a true security method -- it is security through obscurity and
the limited security provided by generally requiring the internal machines
to INITIATE contact.

There are three basic positions for your VPN server: outside the (other)
firewall, inside, or in parallel with it (on the same or a different box).
Each has advantages and disadvantages.

First, do you have more than one IP for the external address? If not, your
choices are limited and you might do best to run the VPN server and the
NAT as the same box.

I am planning to place the VPN on the DMZ (in parallel
with the firewall). If I am to disable NAT on the outside
interface then I will need more than one public IP
address. In fact I will need a public IP address for every
machine on the DMZ including the VPN server of course,
right? Where would you personally place it?