
VPN inside network?

TheSturgie
Level 1

Hi all,

I have a 2621 connecting my company to the net. It currently statically routes all traffic to the main server that controls web filtering etc. I also have a 1841 that I want to set up as a VPN server and a site to site tunnel to our cloud off site backup.

The topology is as follows;

Static route from outside interface on 2621 to 10.0.0.2

Internet ----- 216.x.x.x -- 2621 -- 10.0.0.254 -- 10.0.0.2 -- Server -- 192.168.1.2 -- LAN

Would it be better to place the VPN inside the network and forward all VPN traffic from the 2621 to it or simply replace the 2621? Are there any benefits to doing it either way?

I tried to get the VPN router to work in place of the 2621 and could connect to it but could not ping inside the network. I think it had to do with the address pool which I had set the same as the internal LAN – 192.168.1.x. I have read that the pool should be different from the LAN addresses…

I am not sure how to proceed! Any advice would be greatly appreciated.

Paul.

3 Replies

Replacing the 2621 with the 1841 has a couple of benefits:

1) your setup is less complex and easier to maintain and configure

2) the 1841 still gets software updates. I wouldn't keep a device directly connected to the internet if there are no updates for the device any more. But for this I'm probably more paranoid than the average admin ... ;-)

3) only one single point of failure instead of two when looking at your VPN-clients.

For your LAN pool: It's perfectly ok to take an unused range from your inside LAN. That makes the routing much easier if VPNs and Internet traffic are handled by different devices. But with a dedicated pool you are much more flexible, so that's the way which is most often recommended.
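Added example, not from the thread or from any of the posters: a small Python check for the pool question discussed above. It takes the addresses the original post gives (192.168.1.x LAN behind the server, 10.0.0.254 / 10.0.0.2 transit link), assumes /24 masks for both since the post does not state them, and uses a constructed list of hosts already in use. It classifies a candidate VPN client pool as dedicated (disjoint from the inside subnets), carved (an unused sub-range of the segment the VPN router itself sits on), or a conflict (the poster's case, where the pool was the whole LAN), and prints the return route the inside devices would need for a dedicated pool.

```python
import ipaddress

# Constructed from the thread's topology; the /24 masks are assumptions
# (the post only gives 192.168.1.x and 10.0.0.x).
LAN = ipaddress.ip_network("192.168.1.0/24")      # behind the server at 192.168.1.2
TRANSIT = ipaddress.ip_network("10.0.0.0/24")     # router 10.0.0.254 <-> server 10.0.0.2
INSIDE = [LAN, TRANSIT]
# Constructed list of addresses already in use on the inside (server plus two clients).
USED_HOSTS = [ipaddress.ip_address(h) for h in ("192.168.1.2", "192.168.1.10", "10.0.0.2")]


def classify_pool(pool, vpn_inside_ip, inside=INSIDE, used_hosts=USED_HOSTS):
    """Classify a proposed VPN client pool relative to the inside subnets.

    Returns one of:
      'dedicated' - disjoint from every inside subnet (needs return routes)
      'carved'    - unused sub-range of the segment the VPN router itself sits on
      'conflict'  - overlaps live hosts, spans subnets, or is a sub-range of a
                    segment the VPN router is NOT on (hosts on that segment would
                    ARP for the client address and nobody would answer)
    """
    p = ipaddress.ip_network(pool, strict=False)
    hit = [s for s in inside if p.overlaps(s)]
    if not hit:
        return "dedicated"
    router = ipaddress.ip_address(vpn_inside_ip)
    if (len(hit) == 1 and p.subnet_of(hit[0])
            and not any(h in p for h in used_hosts)
            and router in hit[0]):
        return "carved"
    return "conflict"


def return_routes(pool, vpn_inside_ip, inside=INSIDE, used_hosts=USED_HOSTS):
    """IOS-style static routes the inside devices need so replies reach VPN clients.

    A dedicated pool is unknown to the inside, so each inside router/server that is
    not the VPN router must point the pool at the VPN router's inside address.
    A carved pool needs nothing extra. A conflicting pool returns None: it has to
    be changed, not routed.
    """
    kind = classify_pool(pool, vpn_inside_ip, inside, used_hosts)
    if kind == "conflict":
        return None
    if kind == "carved":
        return []
    p = ipaddress.ip_network(pool, strict=False)
    return [f"ip route {p.network_address} {p.netmask} {vpn_inside_ip}"]


if __name__ == "__main__":
    # The 1841 takes over the edge at 10.0.0.254 (assumed); try three candidate pools.
    for pool in ("192.168.1.0/24", "192.168.1.200/29", "192.168.50.0/24"):
        kind = classify_pool(pool, "10.0.0.254")
        print(f"{pool:18} -> {kind:9} routes on inside: {return_routes(pool, '10.0.0.254')}")
```

The middle case is the caveat worth noting for this topology: an unused range taken out of 192.168.1.0/24 only works when the VPN router is on that same segment, because the server and LAN hosts treat those addresses as directly connected and ARP for them. With the VPN router on the 10.0.0.x link, the check reports a conflict, and a dedicated pool with a single `ip route` on the server is the simpler option.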

Thanks for the reply Karsten,

Ok, so I will replace the 2621. Is it ok to keep my topology, or should I move all of the inside to the 192.x.x.x subnet? If the former, is there anything I should keep in mind?

Thanks for your help.

Paul

If you feel comfortable with that setup, just keep it that way. I personally don't like to send all traffic through a server as that limits the flexibility. You could get the same with a proxy in the subnet and WCCP, which transparently redirects the traffic to the proxy. But nevertheless, the setup is nothing that is harmful.