I work for a college with 3 sites, with WAN links in between each, with 2 separate networks per site, which means 6 networks over my WAN.

I'm hoping to set up a DMZ over the summer, and putting my web server, DNS and mail server in there. Thing is, I have another server on another site that I'd also like inside my DMZ. What I'd like to do is set up some sort of tunnel (I don't know if you can do this) from the external site to my DMZ. Sort of like this:

box needs being in DMZ ---> tunnel box ---> WAN links ----> Box inside DMZ

Then, any requests for the "box needs being in DMZ" can be directed to the "box inside DMZ", which then sends any data down over the tunnel directly to the "box needs being in DMZ".

Here's another diagram in case I'm not being very clear:

router ---------------------- wan router DMZ
  |                                |
  |                                |
  |                          box inside DMZ
  |
------------------
extsite1   extsite2   ext site3
----       ----       ----
              |
          Tunnel box
              |
    box needs being in DMZ
On Wednesday 11 July 2001 11:54, you wrote:
> I work for a college with 3 sites, with WAN links in between each, with 2 separate networks per site, which means 6 networks over my WAN.
>
> I'm hoping to set up a DMZ over the summer, and putting my web server, DNS and mail server in there. Thing is, I have another server on another site that I'd also like inside my DMZ. What I'd like to do is set up some sort of tunnel (I don't know if you can do this) from the external site to my DMZ. Sort of like this:

Well, regardless of whether this is feasible technically, this would go *directly* against what a DMZ tries to accomplish in the first place. A DMZ is meant to isolate a bunch of servers so that, in the case one does get compromised, the problem stays "contained" (i.e. the LAN itself still remains secure). By setting up a VPN tunnel from the DMZ to one of your LANs, you break that. So, maybe you'd like to reconsider...? Else, if you are not able to reconsider, sorry I bothered you. ;-)

Maarten

> box needs being in DMZ ---> tunnel box ---> WAN links ----> Box inside DMZ
>
> Then, any requests for the "box needs being in DMZ" can be directed to the "box inside DMZ", which then sends any data down over the tunnel directly to the "box needs being in DMZ".
>
> Here's another diagram in case I'm not being very clear:
>
> router ---------------------- wan router DMZ
>   |                                |
>   |                                |
>   |                          box inside DMZ
>   |
> ------------------
> extsite1   extsite2   ext site3
> ----       ----       ----
>               |
>           Tunnel box
>               |
>     box needs being in DMZ
--
Instead, only try to realize the truth. There ís no blue pill.
Maarten J H van den Berg
van Boetzelaer van Bemmel, information and network technology
http://vbvb.nl
T 020-4233288 F 020-4233286 G 06-51994273
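As an added illustration of Maarten's containment point (example code written for this page, not from either poster): a small Python model of the three-site topology from the thread, with a constructed zone policy, computing which LANs a compromised DMZ host can reach with and without the proposed tunnel. The zone names, the policy and the assumption that every site's LAN can talk to the others over the WAN links are all assumptions.

```python
from collections import deque

# Constructed zone model (assumption): one DMZ at the main site plus the
# LANs of the three sites, joined by the WAN links the poster describes.
BASELINE_POLICY = {
    # Internet may only initiate traffic into the DMZ.
    ("internet", "dmz"),
    # Each LAN may reach the DMZ and the Internet.
    ("lan-main", "dmz"), ("lan-site2", "dmz"), ("lan-site3", "dmz"),
    ("lan-main", "internet"), ("lan-site2", "internet"), ("lan-site3", "internet"),
    # WAN links: the site LANs can reach one another.
    ("lan-main", "lan-site2"), ("lan-site2", "lan-main"),
    ("lan-main", "lan-site3"), ("lan-site3", "lan-main"),
    ("lan-site2", "lan-site3"), ("lan-site3", "lan-site2"),
    # Deliberately no ("dmz", "lan-*") entries: the DMZ may initiate nothing
    # towards the LANs, which is what keeps a compromised DMZ host contained.
}

# The tunnel from the poster's diagram: "box inside DMZ" <-> "box needs being
# in DMZ" sitting on site 2's LAN. Modelled as a bidirectional zone-level flow.
TUNNEL = {("dmz", "lan-site2"), ("lan-site2", "dmz")}
WITH_TUNNEL = BASELINE_POLICY | TUNNEL


def reachable_from(start, policy):
    """Zones a host in `start` can initiate connections to, directly or
    transitively (worst case: every zone reached is assumed compromised in
    turn and used as the next hop). Plain BFS over the allowed flows."""
    seen = {start}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for s, d in policy:
            if s == src and d not in seen:
                seen.add(d)
                queue.append(d)
    return seen - {start}


def blast_radius(policy, compromised="dmz"):
    """Sorted list of LAN zones exposed if a host in `compromised` is owned."""
    return sorted(z for z in reachable_from(compromised, policy) if z.startswith("lan-"))


if __name__ == "__main__":
    print("LANs exposed by a compromised DMZ host, baseline:", blast_radius(BASELINE_POLICY))
    print("LANs exposed with the tunnel in place:          ", blast_radius(WITH_TUNNEL))
```

The second line shows the point Maarten makes: because the site LANs are joined by WAN links, a tunnel into one LAN hands a compromised DMZ host a path to all three sites, not just the one the tunnel terminates in.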
participants (2)
- elfed lewis
- Maarten van den Berg