CaptnAmerica
24 posts

When defining interesting traffic for site to site VPN, can we use summarized supernets?

For example, say there were two sites:

Site A has 3 subnets: 172.16.110.0/24, 172.16.120.0/24, 172.16.130.0/24

Site B has 3 subnets: 172.17.110.0/24, 172.17.120.0/24, 172.17.130.0/24

Being lazy, can we use 172.16.0.0/16 and 172.17.0.0/16 to define interesting traffic? This would enable me to create more subnets without tweaking interesting traffic every time I create new VLANs for each site.

Thanks!

laith43d
109 posts

Yes you can, but it is not recommended as a security best practice.

caste381
12 posts

My idea is "if you don't need it, don't enable it".

CaptnAmerica
24 posts

Thanks Laith, that answers my question. I know it's security best practice to only enable the VLAN or even the few IPs within a subnet for site-to-site VPN and therefore define granular interesting traffic with the ACLs.

However, if you don't have any site-to-site connections between you and a vendor and only have site-to-site VPNs within your own company, would it still present a big security risk?

pompeychimes
8 posts

You could use a /16 and just use filtering ACLs or FW rules to prevent traffic traversing the VPN. You could also use NAT and translate everything into a single IP before traversing the VPN.

James
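The trade-off discussed in this thread (a summarized /16 crypto ACL selects new VLANs automatically but also selects everything else in the supernet, and a separate filtering ACL can narrow what actually crosses the tunnel) can be checked with a small model. The following is an added example, not code from the thread or from any vendor; it models first-match ACL evaluation with an implicit deny in Python, using the subnets from the question plus a hypothetical new VLAN (172.16.140.0/24) and a hypothetical filter policy.

```python
import ipaddress
from typing import List, Tuple

# One ACL line: (action, source network, destination network).
AclEntry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def acl_match(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First-match evaluation with an implicit deny at the end, as on a router ACL."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny


# Subnets from the question (Site A -> Site B direction).
SITE_A = [net("172.16.110.0/24"), net("172.16.120.0/24"), net("172.16.130.0/24")]
SITE_B = [net("172.17.110.0/24"), net("172.17.120.0/24"), net("172.17.130.0/24")]

# Granular crypto ACL: one permit per existing subnet pair (9 lines).
GRANULAR_CRYPTO_ACL: List[AclEntry] = [("permit", a, b) for a in SITE_A for b in SITE_B]

# Summarized crypto ACL from the question: one permit covering both supernets.
SUPERNET_CRYPTO_ACL: List[AclEntry] = [("permit", net("172.16.0.0/16"), net("172.17.0.0/16"))]

# Hypothetical filtering ACL applied to traffic entering the tunnel (pompeychimes'
# suggestion): only the subnet pairs that need to talk are permitted, so the wide
# crypto selector does not by itself widen what is reachable across the VPN.
FILTER_ACL: List[AclEntry] = [("permit", a, b) for a in SITE_A for b in SITE_B]


def would_be_encrypted(crypto_acl: List[AclEntry], src: str, dst: str) -> bool:
    """True if the crypto ACL classifies this flow as interesting traffic."""
    return acl_match(crypto_acl, src, dst)


def allowed_over_vpn(crypto_acl: List[AclEntry], filter_acl: List[AclEntry],
                     src: str, dst: str) -> bool:
    """A flow crosses the tunnel only if it is both selected and not filtered."""
    return acl_match(crypto_acl, src, dst) and acl_match(filter_acl, src, dst)


def compare_selectors(src: str, dst: str) -> dict:
    """Show how the two crypto ACL styles and the filter treat one flow."""
    return {
        "granular_selects": would_be_encrypted(GRANULAR_CRYPTO_ACL, src, dst),
        "supernet_selects": would_be_encrypted(SUPERNET_CRYPTO_ACL, src, dst),
        "supernet_plus_filter_allows": allowed_over_vpn(SUPERNET_CRYPTO_ACL, FILTER_ACL, src, dst),
    }


if __name__ == "__main__":
    # Existing subnet pair: both selector styles agree.
    print(compare_selectors("172.16.110.10", "172.17.120.5"))
    # Hypothetical new VLAN 172.16.140.0/24 at Site A: only the supernet selects it,
    # and the filter ACL still blocks it until the policy is deliberately updated.
    print(compare_selectors("172.16.140.10", "172.17.110.5"))
```

Running the block shows the point made in the thread: the /16 selector picks up the new VLAN with no crypto ACL change, which is the convenience the original poster wants, but it also makes every address in both supernets interesting traffic, so the explicit filter ACL (or firewall rules) is what keeps the tunnel limited to the subnets that actually need it.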
