Placing VPN Concentrator after the ISR Router

csaravanan · ‎09-29-2006

Hello,

I am new to vpn concentrator. This is a completely new LAN design.

I am going to place an 2811 ISR router on my edge and my routers private interface is to be connected to the VPN concentrator. My local area network switch is connected to the other interface of the concentrator.

My question is where will I be doing my NAT (for public access like webservers)whether its going to be in the router or in concentrator.

For example one of the user wants to access the webpage in my internal network. will the concentrator will bypass the traffic as regular and not as VPN.

a.kiprawih · ‎10-14-2006

VPN Concentrator (VPNC) is normally used to terminate IPSec/VPN traffic. You can either place it parallel with firewall, or terminate both private & public interfaces to firewall (to a different port).

VPNC only accepts VPN-related traffic (IPsec, PPTP,L2TP) coming from outside network into its public interface (as configured). Other than that, all will be rejected.

In your case, if you want to allow public/internet user to access your internal webserver that is NATted/mapped to a public IP, you should do it either on your internet router or firewall, not VPNC.

If you place your internal network/server behind VPNC (based on your statement "My local area network switch is connected to the other interface of the concentrator"), nothing is working here. VPNC cannot bypass traffic as regular traffic, or act like a transparent firewall, or do NAT.

BTW, are you using the VPNC to provide secure VPN access (IPSec VPN) and at the same time trying to do testing if it can do NAT/map your internal server to a public IP? If you do not have any firewall, you can at least placed it (the VPNC) parallel with internet router where the public interface should carry or NATted to public IP (do NAT in router), while the private interface carry internal/private IP.

Rgds,

AK