Remote Access VPN redesign question

Oct 30th, 2007

Hi All,

I currently have a 3020 VPN concentrator where the public interface is on the DMZ and the private interface is on the internal network.

I am in the process of redesigning it where the public interface will be on the DMZ and the private interface will be on another interface on the firewall.

Will the tunnel default gateway be the firewall interface IP of the private side?

Clients receive the IP on the same subnet as the private interface. I read on some posting that this creates problems. I do not really understand how though.


htarra Mon, 11/05/2007 - 13:59

The tunnel default gateway must be an internal router on your own site which is on the same subnet as the private interface of the VPN concentrator. Add specific host routes with a destination of the Tunnel Default Gateway for the IP addresses of the machines that need to be reached by clients on the Public side of the Concentrator. This will of course prevent proper communication from the Concentrator to these machines but will allow the clients access.

mchockalingam Wed, 11/07/2007 - 07:50

Thanks for the reply.

I have another question. This is how the VPN concentrator will be placed in our network:

VPN Client -> Internet Router -> Perimeter Firewall -> VPN Concentrator -> Intranet Firewall -> Intranet Router

I have the public IP on the VPN concentrator as I have the private (inside ) IP as I have the client VPN pool defined as - which is on the same subnet as the inside interface.

Will the VPN concentrator proxy ARP for the VPN client addresses? Or do I need to assign the client pool from a different subnet say

Any help would be appreciated.
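An added example, not part of any post in this thread: a Python check of the private-side addressing points discussed above (tunnel default gateway on the private interface's subnet, and a client pool placed inside or outside that subnet). The function name, the finding codes and the documentation-range addresses are assumptions made for illustration, not the posters' values.

```python
import ipaddress

def check_private_side(private_if, tunnel_gw, pool_first, pool_last):
    """Classify a concentrator private-side addressing plan; returns finding codes."""
    iface = ipaddress.ip_interface(private_if)      # e.g. "192.0.2.10/24"
    subnet = iface.network
    gw = ipaddress.ip_address(tunnel_gw)
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    if first > last:
        raise ValueError("pool start is above pool end")
    findings = []

    # From the answer in the thread: the tunnel default gateway has to sit
    # on the same subnet as the concentrator's private interface.
    if gw not in subnet:
        findings.append("TDG_NOT_ON_PRIVATE_SUBNET")

    # Express the pool as CIDR blocks so it can be compared with the subnet.
    blocks = list(ipaddress.summarize_address_range(first, last))
    if all(b.subnet_of(subnet) for b in blocks):
        # Neighbours treat client addresses as on-link and will ARP for them,
        # so something on the segment has to answer on the clients' behalf.
        findings.append("POOL_INSIDE_PRIVATE_SUBNET")
        for name, addr in (("INTERFACE", iface.ip), ("TDG", gw),
                           ("NETWORK_ADDR", subnet.network_address),
                           ("BROADCAST_ADDR", subnet.broadcast_address)):
            if first <= addr <= last:
                findings.append("POOL_CONTAINS_" + name)
    elif any(b.overlaps(subnet) for b in blocks):
        findings.append("POOL_STRADDLES_PRIVATE_SUBNET")
    else:
        # Separate subnet: the next hop needs a route to it via the
        # concentrator's private address instead of relying on ARP.
        findings.append("POOL_NEEDS_ROUTE_VIA_" + str(iface.ip))
    return findings

if __name__ == "__main__":
    # Constructed plans using documentation ranges, not the poster's addresses.
    print(check_private_side("192.0.2.10/24", "192.0.2.1", "192.0.2.100", "192.0.2.150"))
    print(check_private_side("192.0.2.10/24", "192.0.2.1", "198.51.100.1", "198.51.100.254"))
```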

