Community Member

Filtering VPN 3000 with multiple companies and internet access?

Hello,

We have a scenario where we want up to 6 companies to connect to a 3000 concentrator from 3002 HW clients. The companies should be able to have access to a few machines at the central site and at the same time have internet access. We will be using network extension mode. They should not be allowed to use split-tunnel, and we want all internet traffic to go through the central site.

Anyone think that using the 3000 for this "filtering" is a good idea, or should we use an external router with policy routing?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Filtering VPN 3000 with multiple companies and internet acce

I would use the 3000 to terminate the tunnels, and put it in parallel with your company firewall. Set the Tunnel Default Gateway on the 3000 to be the firewall's inside IP address, and add a static route on the 3000 for your internal network pointing to your inside next-hop router. Add static routes on your firewall for the remote VPN networks pointing to the inside IP address of the VPN3000. This way any VPN traffic destined for your inside network will go to your inside router, and anything else (Internet traffic), will go to your firewall and get routed out to the Internet.

As for where you put the filters, you could put them on the 3000, but personally I don't like the filter/rule stuff in the 3000 too much. I'd put an access-list on your inside router (the one that the static route points to) that simply allows the specific remote networks to get to the specific inside hosts and nothing else; this is a lot easier to manage.
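The routes and the inside-router access-list the accepted solution describes, written out as an added example (not configuration from the thread or from Cisco); all addresses, the two company networks, the shared hosts and the interface name are constructed placeholders, and the PIX is assumed as the firewall as in the later reply:

```cisco
! Constructed addressing (not from the thread):
!   VPN 3000 private interface        192.168.1.2
!   Firewall (PIX) inside interface   192.168.1.1
!   Inside router, VPN/firewall side  192.168.1.3 (Ethernet0/0)
!   Internal network behind router    172.16.0.0/16
!   Shared inside hosts               172.16.1.50 (file server), 172.16.1.51 (mail relay)
!   Remote company LANs               10.11.0.0/24 (company A), 10.12.0.0/24 (company B)
!
! On the VPN 3000 (GUI, not shown): Tunnel Default Gateway = 192.168.1.1,
! static route 172.16.0.0/16 -> 192.168.1.3, no split tunnelling for the groups.

! --- Firewall (PIX): replies from the Internet for the remote LANs go back to
! --- the concentrator; the firewall's default route still points at the ISP.
route inside 10.11.0.0 255.255.255.0 192.168.1.2 1
route inside 10.12.0.0 255.255.255.0 192.168.1.2 1

! --- Inside router (IOS): return path to the remote LANs is via the VPN 3000.
ip route 10.11.0.0 255.255.255.0 192.168.1.2
ip route 10.12.0.0 255.255.255.0 192.168.1.2

! Per-company policy: each remote LAN reaches only its permitted inside hosts.
ip access-list extended VPN-REMOTES-IN
 remark Company A may reach the file server (SMB) and the mail relay (SMTP) only
 permit tcp 10.11.0.0 0.0.0.255 host 172.16.1.50 eq 445
 permit tcp 10.11.0.0 0.0.0.255 host 172.16.1.51 eq 25
 remark Company B may reach the file server only
 permit tcp 10.12.0.0 0.0.0.255 host 172.16.1.50 eq 445
 remark Anything else sourced from a remote company LAN is dropped and logged
 deny   ip 10.11.0.0 0.0.0.255 any log
 deny   ip 10.12.0.0 0.0.0.255 any log
 remark Non-VPN traffic entering this interface (e.g. Internet replies for
 remark inside hosts coming back from the firewall) is not affected
 permit ip any any

interface Ethernet0/0
 ip address 192.168.1.3 255.255.255.0
 ip access-group VPN-REMOTES-IN in
```

The `log` keyword on the deny lines gives a simple way to see a remote site probing hosts it is not entitled to; `show access-lists VPN-REMOTES-IN` shows the per-entry hit counts.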

3 REPLIES
Community Member

Re: Filtering VPN 3000 with multiple companies and internet acce

Hi,

I have a similar configuration with a 3005 concentrator in parallel with a PIX firewall. All clients and servers are using the PIX inside interface as the default gateway. The private network has only 1 subnet, therefore no internal router is present. Recently a site-to-site VPN needed to be set up to the remote office by using the concentrator. But the problem is the routing issue: the route to the remote network can't be added to the PIX since the PIX would not route packets out from the interface it receives them on. How to resolve this issue?

Community Member

Re: Filtering VPN 3000 with multiple companies and internet acce

Why would you want all internet traffic to go through the central site?

Surely this places a higher load on the concentrator, firewall and internet connection at the central site.

I am in the process of studying for the CSVPN exam and any feedback would be great.
