Can VPN Concentrator act as a routing gateway?

Unanswered Question
May 28th, 2008

Hi All,

I have a VPN 3005 behind a Cisco 1841 router. The Cisco 1841 is holding an internet connection. Now the VPN 3005 is acting as a VPN endpoint for internet Remote VPN coming in. And behind the "Private" interface of the VPN3005 there is a LAN(e.g. 10.0.0.0/24).

I would like to ask can this VPN3005 route traffic from Private(10.0.0.0/24) to Cisco 1841? Because I intend to let the 10.0.0.0/24 access internet without establishing a VPN tunnel to VPN3005's "Private" interface.

Anyone know?

Thanks!!!

Jason

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
srue Thu, 05/29/2008 - 10:46

yes it can. it might be a pain to set up, and it will decrease the overall security posture of the device itself. also, since the 3005 only does software encryption, the appliance will then be even more taxed. if you post a network diagram, maybe we can make other suggestions to integrate it into your network.

Richard Burts Thu, 05/29/2008 - 18:30

Jason

I have a customer who has been doing this. They have a LAN inside which goes through a VPN concentrator to get to a firewall and an Internet connection. It was in place when I started working with them so I can not speak to how difficult it is to set up. But it does not look like it was difficult.

HTH

Rick

netcraftjason Thu, 05/29/2008 - 20:27

Hi All,

Many thanks for your help!

I'm just to confirm if the VPN Concentrator can act as a routing gatway. The background of my question is based on a production environment. In this environment, there is having traffic only of incoming VPN connections(Remote access VPNs start from users on Internet). No outgoing traffic is passing through ASA--> VPN Concentrator --> Cisco 1841. (ASA is the gateway of the local LAN segment).

But in the future, two new zones will be created on ASA. One is for one part of user to go to internet. Another one is for third-party company on internet to get data. LAN to LAN VPN will be created between this third-party company's PIX506E and VPN Concentrator of my site.

Now I confirm that the VPN Concentrator can route traffic. So I think I can add these 2 new zones based on the existing production infrustructure.

Attached is the draft diagram for this case. Because this production network cannot be changed except adding new zones on ASA. So is it acceptable of my concept of adding those new zones on ASA?

Thanks!!!

Jason

Actions

This Discussion