Dual VPN locations?

Unanswered Question
Nov 3rd, 2005

I am a network engineer in a large medical practice. We have physicians that need access to two separate network environments. Currently they have access to the university's resources using the Cisco IPsec Client. Is there a way to add a security policy to the current client to allow the physicians to access our network if we adopt a Cisco VPN appliance? Our firewall is not Cisco.

thisisshanky Thu, 11/03/2005 - 13:21
User Badges:
  • Purple, 4500 points or more

Are you trying to achieve redundancy, as far as (vpn to one location fails, add a backup site) ?


You can add a second connection in the ipsec client and have the doctors connect via that client, when they need to access your network. You cannot have two connections active at the same time.

jackko Thu, 11/03/2005 - 14:46
User Badges:
  • Gold, 750 points or more

assuming you are referring to the physicians having 2 vpn connections at the same time, it's not feasible as the vpn client software doesn't support more than 1 active vpn at a time.


however, depending on what sort of device you've got, you can configure a "hub-spoke" vpn, i.e. the physicians establish a vpn to net1 and then access net2 via net1.

cphillips_utmg Fri, 11/04/2005 - 05:11

The physicians and business managers work under two different organizations. The two vpns are totally isolated from each other. One is a university where they are involved in the academic environment; the other is a group private practice. What Cisco appliance do you see that I should lean towards? Our firewall is a Juniper. Thanks in advance - I appreciate all answers.

jackko Fri, 11/04/2005 - 05:56
User Badges:
  • Gold, 750 points or more

you may get a pix to run lan-lan vpn to those two different locations.


ezvpn may not be feasible as one unit can't act as 2 different ezvpn clients.

cphillips_utmg Fri, 11/04/2005 - 06:04

The need is as a pc client. The physicians work from multiple clinics, home, and while traveling at hotels. I do have "branch office" tunnels between hospitals, but this need is outside the campus and into the world.


jackko Fri, 11/04/2005 - 06:42
User Badges:
  • Gold, 750 points or more

as mentioned, the vpn client software is not capable of establishing and maintaining more than one vpn at a time; i guess the only way is to create a hub.


let's say you deploy a hub (i.e. the vpn server) for remote vpn users. this hub itself would have other lan-lan vpn tunnels. thus the remote vpn user can access those resources via the hub.


e.g.

remote vpn user <--> www/vpn <--> your office...

...

your office <--> www/vpn <--> other sites


to choose the device as a hub, you may use pix v7, asa, router with firewall feature set, or a vpn concentrator.

cphillips_utmg Fri, 11/04/2005 - 07:44

Sorry I didn't clarify.

The user will only be attaching in an either or not a both situation at the same time.



cphillips_utmg Fri, 11/04/2005 - 08:06

Sorry - I hadn't clarified this.

The user will only be connecting to one at a time.

This is an either or not both at the same time need.


Richard Burts Fri, 11/04/2005 - 09:38
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Calvin


I have not fully digested this thread. But if I understand correctly you have physicians who currently use VPN client software to access one network environment. And you want to add the capability for them to access a different network environment. The access would be either/or (connect to the University or connect to the Practice) but not both at the same time.


That should be easy to do. The VPN client has the ability to configure different destinations and the user can choose which one he wants to connect to when the connection is established.


There are several hardware platforms that could be used for this. As I understand your environment, I would probably recommend something in the Cisco 3000 line of VPN concentrators. It could be done on a PIX, but since you already have a firewall I would think the PIX would not be the optimum choice for you. It could also be done on a router, but I would suggest for you a platform that is dedicated to this function.


HTH


Rick

cphillips_utmg Fri, 11/04/2005 - 11:48

You have the picture correct.


Now - which 3000 can handle my 200-300 online users? The total user base would be about double that.



Thanks!

jackko Fri, 11/04/2005 - 18:51
User Badges:
  • Gold, 750 points or more

please excuse me for misunderstanding.


according to cisco, concentrator 3005 supports remote vpn user up to 200; the 3020 supports remote vpn user up to 750.


for more details:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_models_comparison.html


with the vpn client software, you can create and import multiple profiles (i.e. *.pcf), which would establish remote vpn tunnel to different locations.


also, you mentioned you've got a juniper firewall in place; you may deploy the concentrator in the dmz and perform 1-to-1 nat on the juniper firewall. an inbound acl is required permitting the following:


udp 500
udp 4500
ip 50
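The inbound permit list above in a checkable form, as an added example that is not from this thread or any vendor's syntax: a small vendor-neutral rule model and a check that the concentrator's NAT'd public address is reachable for IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) under first-match ACL evaluation with implicit deny. The address 192.0.2.10 and the sample rules are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Flows an IPsec remote-access concentrator must receive through the firewall:
# IKE (UDP/500), NAT-Traversal (UDP/4500) and ESP (IP protocol 50, no ports).
REQUIRED_FLOWS = (("udp", 500, "udp 500"), ("udp", 4500, "udp 4500"), ("esp", None, "ip 50"))

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp", "esp" or "any"
    dst: str                     # destination prefix in CIDR form
    dport: Optional[int] = None  # None = any port (ESP has no ports)

def matches(rule: Rule, proto: str, dport: Optional[int], dst_ip: str) -> bool:
    if rule.proto not in ("any", proto):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return ip_address(dst_ip) in ip_network(rule.dst, strict=False)

def missing_vpn_flows(rules, public_ip: str) -> list:
    """Names of required flows not permitted to public_ip (first-match ACL
    order; nothing matching counts as an implicit deny)."""
    missing = []
    for proto, dport, name in REQUIRED_FLOWS:
        hit = next((r for r in rules if matches(r, proto, dport, public_ip)), None)
        if hit is None or hit.action != "permit":
            missing.append(name)
    return missing

# Constructed sample: the concentrator's 1-to-1 NAT public address (placeholder)
# and an ACL written for IKE only, so NAT-T and ESP would be dropped.
PUBLIC_IP = "192.0.2.10"
SAMPLE_RULES = [
    Rule("permit", "udp", "192.0.2.10/32", 500),
    Rule("deny", "any", "0.0.0.0/0"),
]
```

Clients that negotiate NAT-T only need UDP 4500 once the tunnel is up, but a client that does not will send plain ESP, so all three entries must be present for the deployment to work for every user.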

Richard Burts Sat, 11/05/2005 - 06:26
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Calvin


If you have 200 to 300 online users and total user base is double that I believe that the 3005 is too limited for you. I believe that the 3020 would be a better fit. Cisco claims it supports up to 750 IPSec client sessions. If you thought that demand might increase you might consider the 3030 which Cisco claims supports up to 1500 IPSec client sessions.


HTH


Rick
