
Thread: VPN Networking Problems

  1. #1
    RogueSpy (Forgotten Ghost) | Join Date: Aug 2001 | Location: Cyberspace | Posts: 783

    VPN Networking Problems

    I currently help run a VPN network between 2 businesses... Most everything is running well, but we have 1 slight problem. We have NetworkA & NetworkB connected via VPN. One of the other admins has his home system VPNed to the NetworkA server. Right now, the whole network can see what is on his system, but he doesn't want the whole network to see it. How can we set it up so that he can see the whole network but they can't access his system? Any ideas would be appreciated.
    "Never give in-never, never, never, in nothing great or small, large or petty, never give in to convictions of honor and good sense. Never yield to force; never yield to the apparently overwhelming might of the enemy!" - Winston Churchill

  2. #2
    Junior Member | Join Date: Jul 2001 | Posts: 11

    that depends

    I'd say that it depends on how you have the VPN set up; most particularly, on what FW software/hardware is being used. If you're running Check Point, then simply putting a rule on each firewall with source 'any', destination 'his-apartment-net' and the action 'drop' should do it. (You may have to open up some stuff like ICMP if he needs to ping, etc.) A similar thing can be done with NetScreen, and those are the two platforms with which I'm most familiar...

  3. #3
    RogueSpy (Forgotten Ghost) | Join Date: Aug 2001 | Location: Cyberspace | Posts: 783

    We are running SonicWall hardware firewalls, and Win2kProServ.

  4. #4
    Junior Member | Join Date: Jul 2001 | Posts: 11

    Well, I'll take a stab at it

    Let me preface this by saying that I've never worked with a SonicWall device, so these ideas are offered with no guarantees.

    It looks like if you go into the 'access' section of the web management interface and then click on the 'rules' tab, you'll be able to add a new rule preventing access from netA and netB to the remote user. Since they use stateful inspection (according to the web page), it should be able to allow the home user to initiate a connection to machines on nets A and B, but not allow machines on those nets to initiate connections to the home user.

    The only thing that I'm not sure about here is the whole "Windows advertising to its neighbors" thing. If that still gets through, you could try blocking ports 135, 137, and 139 (I think those are the only ones that Windows uses for Network Neighborhood, etc.) from the home user to the internal nets; however, this might have the unintended side effect of limiting what the home user can do (i.e. he won't be able to browse shared drives, etc.). A workaround might be, since I'm assuming he also has administrative control of the FWs, to place the above-mentioned blocking rule in the ruleset, but have him disable the rule only when necessary. This does still leave his system visible, but only for a short period of time, and for that matter, if he's using Win2k, he should be able to lock down what other people can see on his machine anyway (restrict anonymous IPC connections, etc.).

    Hope that helps.
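    The ruleset discussed in this reply, modelled as a small stateful packet filter. This is an added example, not the poster's configuration or SonicWall's: the networks, hosts and ports below are constructed, and the rule-matching semantics (first match wins, implicit default deny, reply traffic admitted only for connections opened in an allowed direction) are assumed for the simulation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing; the thread names only NetworkA, NetworkB and the home system.
NET_A = ip_network("10.1.0.0/24")
NET_B = ip_network("10.2.0.0/24")
HOME = ip_network("192.168.50.0/24")
ANY = None  # wildcard for source or destination

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the first packet of a new TCP connection

# Each rule: (source, destination, destination ports or None for all, action).
RULES = [
    (ANY, HOME, None, "drop"),                # nobody may initiate a connection to the home system
    (HOME, NET_A, {135, 137, 139}, "drop"),   # optional: no NetBIOS/RPC from home into net A...
    (HOME, NET_B, {135, 137, 139}, "drop"),   # ...or into net B
    (HOME, ANY, None, "allow"),               # the home user may initiate everything else
    (NET_A, NET_B, None, "allow"),            # site-to-site traffic in both directions
    (NET_B, NET_A, None, "allow"),
]

def _in(net, ip):
    return net is ANY or ip_address(ip) in net

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()  # (client, sport, server, dport) for connections we allowed

    def filter(self, p):
        forward = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if not p.syn:
            # Mid-connection packets pass only if the connection was opened in an allowed direction;
            # an unsolicited non-SYN packet has no state entry and is dropped.
            return "allow" if forward in self.sessions or reply in self.sessions else "drop"
        for src, dst, ports, action in self.rules:  # first matching rule wins
            if _in(src, p.src) and _in(dst, p.dst) and (ports is None or p.dport in ports):
                if action == "allow":
                    self.sessions.add(forward)
                return action
        return "drop"  # implicit default deny
```

    Running the same filter against a SYN from a net A host to the home system and against the reply to a connection the home user opened shows why no separate "allow replies" rule is needed: state, not a rule, admits the return traffic.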

  5. #5
    RogueSpy (Forgotten Ghost) | Join Date: Aug 2001 | Location: Cyberspace | Posts: 783

    Thanks for your help.