Best way to tunnel?

I have a strange scenario.

NOC -> SXT1 -><- SXT2 -> NAT/Firewall -> SXT3 -><- SXT4 -> Private Network (172.17.x.x)
                                      -> SXT5 -><- SXT6 -> Private Network (172.17.x.x)
                                      -> Private Network (172.17.x.x)

The SXTs are all set up as bridges. The Private Network listed above is all the same private network. They are working well. But as set up, from the NOC, we cannot reach SXT3, SXT4, SXT5 or SXT6.

I would like to keep all traffic bridged as is, but create a tunnel for SNMP traffic and occasional maintenance. Overhead should be minimal. We are unable to make many changes to the NAT/Firewall (not ours) and they want to maintain the highest of security on their end (just adding a route is not acceptable).

What is the best approach?

THANKS!!

Establish a secured tunnel from within the NAT area to the outside NOC if that is allowed by the firewall. Route management traffic over the tunnel. If necessary, filter all other stuff out to leave the network secure (so as not to compromise network security).
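As an added illustration of the "filter all other stuff out" step (not code from the thread or from any of the posters), the policy below models what should be allowed across the management tunnel in this topology: SNMP polls and maintenance logins from the NOC to the SXT management addresses, SNMP traps back, and nothing else. The NOC block, the SXT management addresses and the sample flows are all constructed for the example.

```python
"""Model of the management-tunnel filter suggested above: only SNMP and
occasional maintenance traffic may cross the tunnel; everything else,
in particular the bridged 172.17.x.x hosts, is dropped.
All addresses and ports below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NOC_NET = ip_network("203.0.113.0/24")  # constructed NOC block (TEST-NET-3)
# constructed management addresses assigned to SXT3..SXT6 in the bridged domain
SXT_MGMT = {ip_address(f"172.17.0.{i}") for i in (3, 4, 5, 6)}
SNMP_PORT, SNMP_TRAP_PORT, SSH_PORT = 161, 162, 22


@dataclass(frozen=True)
class Flow:
    proto: str   # "udp" or "tcp"
    src: str
    dst: str
    dport: int


def tunnel_allows(flow: Flow) -> bool:
    """Return True if the flow may cross the management tunnel."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # NOC -> SXT: SNMP polling (udp/161) and maintenance logins (tcp/22)
    if src in NOC_NET and dst in SXT_MGMT:
        if flow.proto == "udp" and flow.dport == SNMP_PORT:
            return True
        if flow.proto == "tcp" and flow.dport == SSH_PORT:
            return True
    # SXT -> NOC: SNMP traps (udp/162) only
    if src in SXT_MGMT and dst in NOC_NET:
        return flow.proto == "udp" and flow.dport == SNMP_TRAP_PORT
    return False  # everything else, incl. bridged private hosts, is dropped


def filter_flows(flows):
    """Partition flows into (allowed, dropped) lists for audit logging."""
    allowed = [f for f in flows if tunnel_allows(f)]
    dropped = [f for f in flows if not tunnel_allows(f)]
    return allowed, dropped


if __name__ == "__main__":
    sample = [
        Flow("udp", "203.0.113.10", "172.17.0.3", 161),  # SNMP poll: allowed
        Flow("tcp", "203.0.113.10", "172.17.0.5", 22),   # maintenance: allowed
        Flow("udp", "172.17.0.4", "203.0.113.10", 162),  # trap: allowed
        Flow("tcp", "203.0.113.10", "172.17.0.3", 23),   # not on allow-list: dropped
        Flow("tcp", "172.17.5.20", "203.0.113.10", 445), # bridged private host: dropped
    ]
    for f in sample:
        print("ALLOW" if tunnel_allows(f) else "DROP ", f)
```

A real deployment would express the same allow-list in the firewall filter of the device terminating the tunnel; the point of the model is that the tunnel carries management traffic only, never the bridged private network.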

So, you are recommending:

  • Assign a local IP on SXT3, SXT4, SXT5 and SXT6 common to the broadcast domain
  • Assign a public IP on SXT2
  • Punch a hole in the firewall to permit SXT3, SXT4, SXT5 and SXT6 out to the public IP
  • Create an IPsec link between SXT2 and SXT3, SXT4, SXT5, SXT6

Is this what you recommend?