I’m a novice (>6 months experience) working in a rural area just looking for direction.
Here’s the scenario: An outside company wants to set up a VPN router in my network for access to cameras and wants me to give them a WAN Interface Static IP Address, Subnet, and Gateway info. I mostly understand what each part is individually, but I’m not sure what I’m doing for them.
Is this something to be configured in my firewall? Like am I trying to give them an IP address in there and do something with ACLs to allow them access?
Or do I need another public IP address from my company’s ISP?
Do I need more information from them in order to solve the problem?
I don’t understand what I’m looking for in order to just google it. Thanks for any help given.
If they are trying to place hardware (VPN router) into your network, then you’ll need additional static IP addresses from your ISP.
The fact that they want a static IP, gateway and subnet tells me that they want you to give their router a static IP that YOU pay for and “own” for their router. In my environment, I have our ISP’s router, which goes into a switch (DMZ) where I have different devices connected that need public IPs that are in a network that my ISP assigned me. So that little “network” is what they are asking for. Just like any other devices connected to a switch on a network that are then connected to a router, except outside your internal network.
Kind of depends on the topology you have for your ISP connection. If you only have one static IP and a connection from your ISP that just goes directly into your existing firewall, then it can require some work to accomplish all of the changes and purchasing of more IPs needed to support this vendor's request. I'd personally push back in this scenario.
If you can’t give them a static of their own, one way is if they configure the router they want to place on your network to -initiate- a tunnel from inside your org to them; then NAT/PAT will automatically occur as long as you allow their traffic outbound. I have a medical office doing this on my network. This does depend on their router being the initiator of the traffic.
You could also form a site-to-site IPsec tunnel with their organization directly and allow them to access the cameras/equipment directly over that (you will likely need to configure a tunnel, rules to allow certain IPs from their end and yours, and possibly NAT over the tunnel for your IPs).
All of this fails to even scratch the surface of what they want you to have done behind their firewall once it’s in place.
Are you trying to accomplish a site to site VPN or a remote access VPN?
It does look like, from what you explained, that they are asking for a site-to-site VPN.
Your firewall should have a public IP, and the possibility to create a ‘VPN tunnel’ / ‘Site to site tunnel’ / ‘IPSEC tunnel’, which would allow the external company to access your infrastructure.
Look up the IPsec tunnel docs and you’ll get it, I think.
If it’s unclear, ask them for precision if possible.
They want NAT, at the very least some port forwarding, at worst a 1:1 NAT rule (in which case you might need to get another public IP from your ISP if you don’t have one free).
They’ll also need a default gateway and an internal IP/mask to put on the external interface of their router.
They will want to terminate the IPsec tunnel on their router, not the OP’s.