Can I use a Cisco 2821 as a VPN Concentrator

leslieb
Level 1

I have a 10 Mb Fibre connection coming into a 2821 ISR that is doing NAT, etc. I have had issues in the past getting site-to-site VPNs working on it. The company recently purchased another 2821 with the SSLVPN module in it. I am wondering if I can set this router up strictly for VPN and remote access to offload VPN from the primary router. I want to hang the concentrator 2821 off the main 2821 and I want to give the VPN router one of my public IPs and route all VPN traffic from the main router to the VPN router.

I think this will work but I'm having a problem figuring out what the configuration would look like. If anyone can help me out, maybe point me in the right direction, it would be greatly appreciated.

Thanks in advance.


JORGE RODRIGUEZ
Level 10

Hi, I don't see a reason why it should not work. You have the right idea: having both routers running in parallel, as long as each has a public IP facing the outside, just as if you had a VPN 3k concentrator. Same principle. Both routers' FastEthernet would be touching your internal network, so theoretically there should be no problem.

Jorge Rodriguez

Attached is how I want it to work. Can you tell me if this will work?

My approach would be that your VPN router should have one leg facing the internet with a unique public IP and another interface facing inside, just like your MAIN router.

The way you have it in the diagram, I don't see a way to have the MAIN router recognize VPN traffic coming to that interface and send it to the VPN router where the IPsec crypto is configured.

Jorge Rodriguez

I will have a public IP on the main router that NATs it to the VPN router. When a remote client VPNs in, they will be accessing the IP that is designated for the VPN router. So when the main router receives that request, it knows that it should go to the VPN router. Does that make sense?

Yes, it makes sense, but I believe when you configure in the MAIN router the other interface with a public IP that is under the same IP scheme as the other interface, you will get an error that the IP address overlaps with the other interface.

Jorge Rodriguez

...IPs are subbed...

I will configure the outside interface with a public IP x.x.x.x. The inside will have a 192.169.1.1 IP with a secondary IP of 172.20.1.1. There will be a NAT entry that says public IP vpn.vpn.vpn.vpn goes to 172.20.1.2, which will be the outside interface of the VPN router. The inside interface IP is where I am having issues deciding how it will be able to access the regular LAN. Am I not getting it? Sorry, still a little green with Cisco.

I see. I have not come across a scenario like this. So your VPN router 172.20.1.2 is ip nat outside; is the inside interface ip nat inside? For the VPN router to know about your LAN there has to be some type of routing going, either static routing or dynamic routing. Let me ask: have you already tried RA VPN connections to that VPN router, and had that RA connection at least be able to ping the VPN router's inside interface?

Jorge Rodriguez
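
The layout discussed in this thread, written out as an added IOS configuration sketch (not posted by either participant and not a tested configuration). The 192.169.1.1, 172.20.1.1 and 172.20.1.2 addresses are as written in the posts; the 203.0.113.x public addresses, the /24 masks, the VPN router's inside address 192.169.1.2 and the client pool 10.99.0.0/24 are assumptions.

```cisco
! ---- MAIN 2821 ----
interface GigabitEthernet0/0
 description Outside (fibre)
 ! 203.0.113.2 is a placeholder for the post's x.x.x.x
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside LAN plus transit subnet to the VPN router
 ip address 192.169.1.1 255.255.255.0
 ip address 172.20.1.1 255.255.255.0 secondary
 ip nat inside
!
! 203.0.113.3 is a placeholder for vpn.vpn.vpn.vpn.
! Port-level static NAT exposes only IKE (UDP 500), IPsec NAT-T (UDP 4500)
! and SSL VPN (TCP 443) rather than every port on the VPN router.
ip nat inside source static udp 172.20.1.2 500 203.0.113.3 500
ip nat inside source static udp 172.20.1.2 4500 203.0.113.3 4500
ip nat inside source static tcp 172.20.1.2 443 203.0.113.3 443
!
! Static route so LAN replies to remote-access clients reach the VPN router
! (client pool 10.99.0.0/24 is assumed)
ip route 10.99.0.0 255.255.255.0 192.169.1.2
!
! ---- VPN 2821 ----
interface GigabitEthernet0/0
 description Outside leg, reached through the static NAT on MAIN
 ip address 172.20.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 description Inside leg on the LAN (address assumed)
 ip address 192.169.1.2 255.255.255.0
!
! Tunnel replies must return through MAIN so the NAT translation matches
ip route 0.0.0.0 0.0.0.0 172.20.1.1
```

`show ip nat translations` on the main router and `show crypto isakmp sa` on the VPN router show whether a test connection is being translated and whether IKE is completing.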