I am using a VPN client to get into the inside network (172.16.0.0/16). I understand the VPN switch will replace my public source address (188.8.131.52) with an address on the 172.16.0.0 subnet on the inbound packet. Why can't my source address be left intact and the downstream core switch will just use the default gateway to push the return packet back to the VPN switch?
The way remote access client VPNs generally work is that they allocate an address to your PC that is from your company range. So the switch does not replace the public IP with the private IP; rather, your client sends a packet with the source IP address in the 172.16.x.x range. This packet is then encapsulated within another packet header which uses the public IP address of your PC as the source address.
All the switch does is strip the outer header and forward on the packet with the original source IP address of 172.16.x.x.
The whole idea of a remote access VPN is that a user appears to be on the corporate network.
The 172.16.x.x address will be handed out by your concentrator or DHCP servers within your corporate LAN.
The encryption of the packet and the encapsulation of the packet with another packet header is done on the client PC.
The concentrator, on receiving the packet, will strip the outer header and decrypt, then send it on to the server etc. in the corporate LAN.
When the return traffic is received from the server by the concentrator, it encrypts the packet, adds the outer header with the public IP addressing and sends it to the client. The client then strips the outer header, decrypts and processes the traffic.
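The two answers above describe the same tunnel-mode round trip; the following is an added example (not code from the original thread or from any vendor) that models it in Python so you can see which header carries which address at each hop. The inner packet keeps the assigned corporate address (172.16.5.10, assumed) as its source the whole way; only the outer header ever carries the public address 188.8.131.52. The concentrator's public address 203.0.113.1 and the server 172.16.20.5 are also assumed, and the "encryption" is a toy HMAC-SHA256 keystream plus tag standing in for IPsec ESP, not a real IPsec implementation.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

PROTO_TUNNEL = 50   # ESP's protocol number, reused here for the toy wrapper
PROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header (no options)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Return the fields a concentrator or core switch actually looks at."""
    if ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9],
            "payload": pkt[ihl:total_len]}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stand-in for a real cipher: HMAC-SHA256 in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encapsulate(inner: bytes, key: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Encrypt the whole inner packet and wrap it in a new outer IPv4 header."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(key, nonce, len(inner))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return build_ipv4(outer_src, outer_dst, PROTO_TUNNEL, nonce + ct + tag)


def decapsulate(outer: bytes, key: bytes) -> bytes:
    """Strip the outer header, verify the tag, decrypt; the inner packet is untouched."""
    fields = parse_ipv4(outer)
    if fields["proto"] != PROTO_TUNNEL:
        raise ValueError("not a tunnel packet")
    body = fields["payload"]
    nonce, ct, tag = body[:12], body[12:-16], body[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tunnel packet failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def round_trip(key: bytes = b"example-session-key") -> dict:
    """Client -> concentrator -> server and back; returns what each hop sees."""
    client_public, client_inside = "188.8.131.52", "172.16.5.10"   # inside addr assumed
    concentrator_public, server = "203.0.113.1", "172.16.20.5"     # both assumed
    # The client builds the inner packet with its corporate address as source ...
    inner = build_ipv4(client_inside, server, PROTO_TCP, b"GET / HTTP/1.0\r\n\r\n")
    # ... and encapsulates it; only the outer header carries the public IP.
    on_the_wire = encapsulate(inner, key, client_public, concentrator_public)
    # The concentrator strips the outer header and forwards the inner packet as-is.
    forwarded = decapsulate(on_the_wire, key)
    # The server replies to 172.16.5.10; the core switch routes that back to the
    # concentrator, which wraps it for the public address the tunnel came from.
    reply = build_ipv4(server, client_inside, PROTO_TCP, b"HTTP/1.0 200 OK\r\n\r\n")
    reply_on_wire = encapsulate(reply, key, concentrator_public, client_public)
    return {"outer": parse_ipv4(on_the_wire),
            "inner_as_forwarded": parse_ipv4(forwarded),
            "inner_unchanged": forwarded == inner,
            "reply_outer": parse_ipv4(reply_on_wire),
            "reply_inner": parse_ipv4(decapsulate(reply_on_wire, key))}


if __name__ == "__main__":
    for hop, fields in round_trip().items():
        print(hop, fields if isinstance(fields, bool) else
              {k: v for k, v in fields.items() if k != "payload"})
```

Run it and compare the `outer` and `inner_as_forwarded` entries: the core switch only ever sees the inner packet, whose source is 172.16.5.10, so its normal routing table sends the reply to the concentrator without needing any NAT or special default-gateway trick for 188.8.131.52. The integrity tag also shows why the concentrator can refuse a packet whose ciphertext has been altered in transit.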