03-22-2007 06:14 AM - edited 03-03-2019 04:15 PM
We are trying to deploy 831s or 871s as a work-from-home solution using VPN. The basic setup works great as far as setting up easyvpn and having the switch ports on the router connect back to the corporate network. Is it possible, however, to set up one of the switch ports to bypass the tunnel and have unrestricted access to the internet? The basic layout would be the DSL/Cable modem would connect to the WAN port on the 831 or 871. Then, we would like to have one switch port connect to their "home" unrestricted network so that if they are using a corporate computer, they go through the corporate network, but if they are using a personal computer, it has unrestricted access to the internet. Is this scenario a possibility? I haven't been able to find any documentation on this kind of setup. Not sure that the DMZ setup is what I am looking for. Can't find any documentation on setting up a virtual template and assigning ports to it. I know that the 831 and 871 are different architecturally and configuration-wise, but at this point I'm mostly looking for a very basic answer. Any help would be greatly appreciated.
03-24-2007 04:37 PM
Have you considered simply placing the 831/871 behind a DSL/Cable router? Typically most home users already have a DSL/Cable router. The only downside is you are NAT'ing IPSEC traffic. I would not recommend IPSEC over NAT for a large office deployment but it works great for a home user.
I had an 831 configured for easyvpn behind my linksys for a year or so with zero issues. I eventually upgraded my Linksys to an 831 acting as a simple cable firewall router. I also had zero issues with the easyvpn 831 behind the cable firewall 831 router.
This also makes it easier on the user. If their PC is plugged into their DSL/Cable router, they have unrestricted access to the Internet. If their PC is plugged into the 831, they are on the corporate network.
If you only wanted to use the 831/871, then you could configure split tunneling. All traffic destined for the Internet would not go through the crypto tunnel. Most security teams would frown upon split tunnels for obvious reasons.
03-26-2007 02:16 PM
I was able to get the DMZ to work as my internal home network. Just had to use NAT to translate my home network to the internet.
03-30-2007 11:50 AM
You need to create a separate VLAN on your 871
Example.
VLAN 1 - corporate network
VLAN 2 - home network
VLAN2 will have different IP and ACL will not include it into VPN traffic.
Basic IOS on 871 doesn't support many VLANs.
You need to update the IOS.
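The two-VLAN layout described in the post above, with the "home" VLAN NATed straight to the Internet as in the 03-26 post and no split-tunnel ACL inside the crypto policy, written out as an added example. This is not configuration from the thread or from Cisco; it is an illustration for an 871 running Easy VPN Remote in network-extension mode, and the interface numbering, the 192.168.1.0/24 and 192.168.2.0/24 subnets, the 10.0.0.0/8 corporate range, the group name HOMEWORKERS and the peer 203.0.113.10 are all assumptions. Older images take `vlan 2` under `vlan database` rather than in global config, and as noted in the thread the image must support VLANs at all.

```ios
! Added example, not from the thread. Cisco 871: VLAN 1 is the corporate
! side (sent through the Easy VPN tunnel), VLAN 2 is the home side (PAT'd
! to the WAN and never tunneled). Addresses, names and the peer are assumed.
vlan 2
!
! Corporate VLAN: the only Easy VPN "inside" interface, so only its traffic
! is matched by the crypto policy the client builds.
interface Vlan1
 description Corporate (tunneled)
 ip address 192.168.1.1 255.255.255.0
 ip access-group CORP-IN in
 crypto ipsec client ezvpn CORP inside
!
! Home VLAN: NAT inside, not an ezvpn inside interface, so it bypasses
! the tunnel entirely.
interface Vlan2
 description Home (direct Internet, no tunnel)
 ip address 192.168.2.1 255.255.255.0
 ip access-group HOME-IN in
 ip nat inside
!
! Switch ports: FE0-FE2 corporate, FE3 for the personal computer.
interface FastEthernet0
 switchport access vlan 1
interface FastEthernet1
 switchport access vlan 1
interface FastEthernet2
 switchport access vlan 1
interface FastEthernet3
 switchport access vlan 2
!
! WAN port facing the DSL/cable modem; ezvpn outside interface.
interface FastEthernet4
 description WAN
 ip address dhcp
 ip nat outside
 crypto ipsec client ezvpn CORP
!
crypto ipsec client ezvpn CORP
 connect auto
 group HOMEWORKERS key <group-key>
 mode network-extension
 peer 203.0.113.10
!
! Only the home VLAN is translated. The corporate VLAN is deliberately
! left out of the NAT ACL so the tunnel carries its real addresses.
ip access-list extended HOME-NAT
 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list HOME-NAT interface FastEthernet4 overload
!
! The router routes between VLAN 1 and VLAN 2 unless told not to, so a
! personal computer could otherwise reach the corporate PC and, through
! it, corporate address space. Block that in both directions.
ip access-list extended HOME-IN
 deny   ip any 192.168.1.0 0.0.0.255
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip 192.168.2.0 0.0.0.255 any
!
ip access-list extended CORP-IN
 deny   ip any 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
```

To check it: `show crypto ipsec client ezvpn` should show the tunnel up with only 192.168.1.0/24 as the inside network, `show ip nat translations` should list only 192.168.2.x hosts, and a ping from a VLAN 2 host to 192.168.1.1 or a corporate address should fail with the HOME-IN deny counters incrementing in `show ip access-lists`. Note that from the security team's point of view this is the same thing as the split tunnel the 03-24 reply warns about, just enforced per switch port rather than per destination: the corporate computer is isolated, but the router itself is reachable from an untrusted LAN, so keep its management plane restricted to VLAN 1.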
03-30-2007 12:31 PM
Yep. We discovered that we had to upgrade the IOS to make lots of things work.