Remote Access VPN redesign question

mchockalingam
Level 1

Hi All,

I currently have a 3020 VPN concentrator where the public interface is on the DMZ and the private interface is on the internal network.

I am in the process of redesigning it where the public interface will be on the DMZ and the private interface will be on another interface on the firewall.

Will the tunnel default gateway be the firewall interface IP of the private side?

Clients receive the IP on the same subnet as the private interface. I read on some posting that this creates problems. I do not really understand how though.

thanks,

2 Replies

htarra
Level 4

The tunnel default gateway must be an internal router on your own site which is on the same subnet as the private interface of the VPN concentrator. Add specific host routes with a destination of the Tunnel Default Gateway for the IP addresses of the machines that need to be reached by clients on the Public side of the Concentrator. This will of course prevent proper communication from the Concentrator to these machines but will allow the clients access.

Thanks for the reply.

I have another question. This is how the VPN concentrator will be placed in our network

VPN Client -> Internet Router -> Perimeter Firewall -> VPN Concentrator -> Intranet Firewall -> Intranet Router

I have the public IP on the VPN concentrator as 10.10.224.15/22. I have the private (inside) IP as 10.10.228.11/22. I have the client VPN pool defined as 10.10.228.25 - 10.10.231.250, which is on the same subnet as the inside interface.

Will the VPN concentrator proxy ARP for the VPN client addresses? Or do I need to assign the client pool from a different subnet, say 10.10.232.0/22?

Any help would be appreciated.
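
The addressing in the post above can be compared mechanically. The following is an added example, not part of the thread and not Cisco code: it uses Python's `ipaddress` module to show how the two pool options relate to the concentrator's interfaces and how many CIDR entries each needs in a firewall rule or route. The function names are hypothetical, and the "reached via" field reflects general IP forwarding behaviour on a shared segment, not a statement about what the concentrator itself does.

```python
import ipaddress as ip

# Values taken from the post above.
PUBLIC_IF = ip.ip_interface("10.10.224.15/22")
PRIVATE_IF = ip.ip_interface("10.10.228.11/22")
POOL_FIRST = ip.ip_address("10.10.228.25")
POOL_LAST = ip.ip_address("10.10.231.250")
ALT_POOL = ip.ip_network("10.10.232.0/22")  # alternative pool from the post


def pool_blocks(first, last):
    """Smallest list of CIDR blocks covering exactly first..last."""
    return list(ip.summarize_address_range(first, last))


def on_link(blocks, iface):
    """True if every pool block lies inside the interface's subnet."""
    return all(b.subnet_of(iface.network) for b in blocks)


def plan_report(blocks, private_if, public_if):
    """Summarise how a client pool relates to the two interfaces."""
    shared = on_link(blocks, private_if)
    return {
        # Number of entries needed to match the pool in an ACL or route table.
        "blocks": len(blocks),
        "addresses": sum(b.num_addresses for b in blocks),
        "shares_private_subnet": shared,
        "overlaps_public_subnet": any(
            b.overlaps(public_if.network) for b in blocks),
        "includes_private_ip": any(private_if.ip in b for b in blocks),
        # General IP behaviour: neighbours on the private segment treat a
        # shared-subnet pool as on-link and ARP for it; a separate pool is
        # only reachable through a route pointing at the private interface.
        "neighbour_reaches_pool_via": (
            "ARP on the private segment" if shared
            else f"route to {private_if.ip}"),
    }


if __name__ == "__main__":
    for name, blocks in (("current pool", pool_blocks(POOL_FIRST, POOL_LAST)),
                         ("10.10.232.0/22", [ALT_POOL])):
        print(name, plan_report(blocks, PRIVATE_IF, PUBLIC_IF))
```
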
