Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
243
Views
0
Helpful
2
Replies

CAN WE DO ENCRYPTION AND ROUTING OVER SINGLE INTERFACE OF THE ROUTER??

kvkrishna
Level 1
Level 1

‎02-21-2007 02:37 AM - edited ‎03-09-2019 05:26 PM

Hi,

Below is my network set up.

VPN Router

Site 2

------

|

|(Internet Cloud)

|

Site 1

------

InternetRouter

|

|

Firewall----VPNRouter(having 1 interface)

|

|

LANSwitching

|

PC

I would wish to achieve a site to site VPN from the VPNRouter connected to the firewall in Site 1 to the VPN Router in the site 2.

If you could notice i have only one interface for the VPNRouter(Site 1) and so the traffic from the PC in the Site 1 LAN when trying to establish connectivity to the servers in the Site 2 when going to the second phase(with the help of the interesting traffic) needs to do both encryption as well as routing through the same available single interface only.Is this possible.

Am sure the first phase would happen, but when going to the second phase the interesting traffic has to go from the PC to Firewall to VPNRouter(get encrypted and as well route the traffic to the same Firewall interface again) to the InternetRouter and to the Site 2 VPN Router.So is that second phase possible?

Kindly let me know if i can go for such a solution and is it possible.

Regards,

Jithesh

Labels:
0 Helpful
2 Replies 2

kaachary
Cisco Employee
Cisco Employee

‎02-21-2007 03:46 AM

Jithesh,

This would be interesting..!!

First of all you need to disable "ip redirects" on the Router's intf.

The default gateway for the LAN would be the FW.

E.G. Let's say the local n/w on Site 2 is 10.x.x.x and local n/w on Site 1 is 11.x.x.x

Say, router is conneected to dmz of the FW.

The FW would have a route:

route dmz 10.x.x.x 255.0.0.0

And on Router, you have a route :

ip route 0.0.0.0 0.0.0.0

So,traffic originating from site 1 LAN, when needs to go to site 2 LAN, will hit the PIX, and then would be routed to the router, the router will check the default gateway, would again send it to the PIX but after encrypting it.

The PIX will then route the encrypted traffic across the internet. The return traffic will hit the router through the PIX, will be decrypted, the router will then send the decrypted traffic again to PIX, and PIX will then route it inside.

Phew !!!

HTH,

-Kanishka

0 Helpful

daviddtran
Level 1
Level 1
In response to kaachary

‎02-21-2007 04:16 AM

Yes,

this can be done rather easily. Remember, the

VPN router is NOT a pix so these things can

be done rather easily. Furthermore, you can

do it on a VPN concentrator as well.

David

CCIE security

0 Helpful
Customers Also Viewed These Support Documents