831/871W router question

Unanswered Question
Mar 22nd, 2007

We are trying to deploy 831s or 871s as a work-from-home solution using VPN. The basic setup works great as far as setting up EasyVPN and having the switch ports on the router connect back to the corporate network. Is it possible, however, to set up one of the switch ports to bypass the tunnel and have unrestricted access to the Internet? The basic layout would be the DSL/Cable modem connecting to the WAN port on the 831 or 871. Then, we would like to have one switch port connect to their "home" unrestricted network so that if they are using a corporate computer, they go through the corporate network, but if they are using a personal computer, it has unrestricted access to the Internet. Is this scenario a possibility? I haven't been able to find any documentation on this kind of setup. I'm not sure that the DMZ setup is what I am looking for. I can't find any documentation on setting up a virtual template and assigning ports to it. I know that the 831 and 871 are different architecturally and configuration-wise, but at this point I'm mostly looking for a very basic answer. Any help would be greatly appreciated.

koontzuap Sat, 03/24/2007 - 16:37

Have you considered simply placing the 831/871 behind a DSL/Cable router? Typically most home users already have a DSL/Cable router. The only downside is you are NAT'ing IPSEC traffic. I would not recommend IPSEC over NAT for a large office deployment but it works great for a home user.

I had an 831 configured for easyvpn behind my linksys for a year or so with zero issues. I eventually upgraded my Linksys to an 831 acting as a simple cable firewall router. I also had zero issues with the easyvpn 831 behind the cable firewall 831 router.

This also makes it easier on the user. If their PC is plugged into their DSL/Cable router, they have unrestricted access to the Internet. If their PC is plugged into the 831, they are on the corporate network.

If you only wanted to use the 831/871, then you could configure split tunneling. All traffic destined for the Internet would not go through the crypto tunnel. Most security teams would frown upon split tunnels for obvious reasons.

g.hammond Mon, 03/26/2007 - 14:16

I was able to get the DMZ to work as my internal home network. I just had to use NAT to translate my home network to the Internet.

dawidwilk Fri, 03/30/2007 - 11:50

You need to create a separate VLAN on your 871.

Example:

VLAN 1 - corporate network

VLAN 2 - home network

VLAN 2 will have a different IP, and the ACL will not include it in the VPN traffic.

The basic IOS on the 871 doesn't support many VLANs.

You need to update the IOS.
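As an added illustration of the two-VLAN layout described above (not configuration from this thread or from Cisco documentation), here is a hypothetical 871 sketch: VLAN 1 is the EasyVPN inside interface, VLAN 2 is the home network that is NAT'ed straight out the WAN port and is blocked from reaching the corporate subnet. Interface numbers, subnets, the group/peer placeholders and the ACL names are assumptions; how the manual NAT statement interacts with the NAT that EasyVPN client mode generates automatically should be verified on the IOS image actually in use.

```cisco
! Hypothetical 871 sketch (added example, not from the thread).
! FastEthernet4 = WAN to the DSL/Cable modem; FastEthernet0-3 = switch ports.
crypto ipsec client ezvpn CORP
 connect auto
 group <GROUP-NAME-PLACEHOLDER> key <GROUP-KEY-PLACEHOLDER>
 mode client
 peer <CORP-VPN-HEADEND-PLACEHOLDER>
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 crypto ipsec client ezvpn CORP
!
! VLAN 1: corporate side, carried inside the EasyVPN tunnel
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 crypto ipsec client ezvpn CORP inside
!
! VLAN 2: home side, never marked as an EasyVPN inside interface,
! so it is not covered by the tunnel policy; it is NAT'ed to the WAN instead
interface Vlan2
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip access-group HOME-IN in
!
! Put one switch port (assumed: FastEthernet3) in the home VLAN
interface FastEthernet3
 switchport access vlan 2
!
! Only the home subnet is translated to the WAN address
ip access-list extended HOME-NAT
 permit ip 192.168.20.0 0.0.0.255 any
ip nat inside source list HOME-NAT interface FastEthernet4 overload
!
! Least privilege: personal machines on VLAN 2 must not reach the corporate VLAN
ip access-list extended HOME-IN
 deny   ip any 192.168.10.0 0.0.0.255
 permit ip any any
```

The `deny` line in HOME-IN is what keeps the "unrestricted" home port from becoming a bridge into the corporate side; without it the two VLANs would route to each other through the router.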

g.hammond Fri, 03/30/2007 - 12:31

Yep. We discovered that we had to upgrade the IOS to make lots of things work.
