Management in Action!!!

Below is the dialog between my manager and a member of the networking department. The networking department was changing some addresses in the VPN pool which required me to update our internal firewall rules that we use to regulate INTERNAL traffic to the financial servers.

One member of our team works remotely, and I asked the networking department if their VPN server could assign him a static IP address when he connects. The reason behind this is, currently when he connects he receives a different IP address each day. The internal firewall rules are based on IP addresses, therefore I must grant the entire pool of IP addresses access to all of the servers...which is not a good thing. If he had a static IP address, I could give him all the access he needs on the IP address and limit the other addresses in the pool.

Here was the response from the network guy:

Originally posted by Network-Guy


This may be a really dumb question, but aren't these systems behind "your" Firewall? Wouldn't it make sense for YOU to Tunnel this traffic yourself? I would assume you have VPN capability with your Firewall, correct?

Just an idea ...

Network Guy

I was outraged. Of course the internal firewall supports VPN capability, but what is required to set it up is costly in both time and money. We would need to set up a method of authentication into VPN (username/password) which must reside on a separate server. Furthermore, we'd have to route a crapload of traffic back out to our intranet...Whereas now, the VPN is on the perimeter of the network, users gain access to internal resources...the internal firewall allows/blocks additional accesses based on which VPN group you are in.

Basically, "Network Guy" didn't want to check the checkbox next to the MIS Team member's name to give him a static IP address. Instead he'd rather have unstable set up a TACACS or RADIUS server, plug users in, set up NAT on the firewall as well as all of the routing tables.

I turned to my manager. Here is his response:

Originally posted by MIS-Manager

Network Guy,

It seems to me this makes for some unnecessarily circuitous routing as well as redundancy in having additional VPN servers.

If there's a technical reason why this shouldn't be done, I'm all ears and will of course look to a different solution.

However, in light of everyone's budgetary considerations I'd very much prefer CIS assign him a static IP if possible and avoid needing to add another server.

Appreciate your help.



Network Guy's response:

Originally posted by Network Guy

MIS Manager,

I didn't want to imply we weren't willing to work with unstable on this, I just thought it would make the "management" much easier for him. One other thing that will be happening in the "near future" is that we will be upgrading our VPN Concentrator, so we may need to address this again, depending on (any) differences to the next Cisco Model we end up with.

We can just pretend that I never interjected on this subject ;-)

Network Guy
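The over-grant the post describes (rules keyed on source IP, so a rotating VPN lease forces the whole pool onto the finance-server allow-list) is easy to quantify. The following is an added example, not code from the post or from either department; the pool, the static lease address, the server addresses and the log lines are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample topology (assumed, not from the post).
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")           # assumed VPN address pool
REMOTE_USER_STATIC = ipaddress.ip_address("10.200.0.50")   # assumed static lease for the remote user
FINANCE_SERVERS = {
    ipaddress.ip_address("10.10.5.10"),
    ipaddress.ip_address("10.10.5.11"),
}


def build_rules(static_ip_available):
    """Return an allow-list of (source_network, destination_set).

    Without a static lease the rule must admit the entire pool (the post's
    situation); with one, only that single /32 is admitted.
    """
    if static_ip_available:
        return [(ipaddress.ip_network(f"{REMOTE_USER_STATIC}/32"), FINANCE_SERVERS)]
    return [(VPN_POOL, FINANCE_SERVERS)]


def is_allowed(rules, src, dst):
    """First-match allow-list evaluation; anything unmatched is denied."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    return any(src in net and dst in dsts for net, dsts in rules)


def exposed_sources(rules, dst):
    """Count pool addresses permitted to reach dst: a direct measure of over-grant."""
    dst = ipaddress.ip_address(dst)
    return sum(1 for host in VPN_POOL.hosts() if is_allowed(rules, host, dst))


# Constructed firewall log lines (hypothetical format: key=value pairs).
SAMPLE_LOG = [
    "ts=2004-03-01T09:12:00 src=10.200.0.50 dst=10.10.5.10 action=ACCEPT",
    "ts=2004-03-01T09:13:10 src=10.200.0.77 dst=10.10.5.10 action=ACCEPT",
    "ts=2004-03-01T09:14:05 src=10.200.0.77 dst=10.10.5.11 action=DENY",
    "ts=2004-03-01T09:15:30 src=10.200.0.12 dst=10.10.5.11 action=ACCEPT",
]
_LOG_RE = re.compile(r"src=(\S+) dst=(\S+) action=(\S+)")


def unexpected_finance_access(log_lines):
    """Return accepted finance-server connections from pool addresses other than
    the one static lease. Under the pool-wide rule these are allowed by policy;
    after the move to a static lease, any such line is a rule drift to investigate."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        src, dst, action = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)), m.group(3)
        if action == "ACCEPT" and dst in FINANCE_SERVERS and src in VPN_POOL and src != REMOTE_USER_STATIC:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for label, rules in (("pool-wide rule", build_rules(False)), ("static-lease rule", build_rules(True))):
        print(f"{label}: {exposed_sources(rules, '10.10.5.10')} pool addresses can reach the finance server")
    for line in unexpected_finance_access(SAMPLE_LOG):
        print("review:", line)
```

The static lease only helps if the concentrator binds it to that user's authenticated session (the VPN group the post mentions), since the internal firewall has no other way to tell who is behind an address; the `unexpected_finance_access` check is the cheap way to confirm, after the change, that the pool-wide rule has actually been retired.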
