Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

I need some advice on W2K RRAS/VPN + CISCO 2620 + NAT

I need some advice on using W2K RRAS server and a CISCO 2620 (with IOS inbuilt firewall).

Please excuse me for my simplicity, but I'm not very Cisco conversant but I do know some of the basics.

At the moment I have a cisco 2620 as the router/firewall for our network with all PCs behind it using NAT (overload I think) on 4 IP addresses for Internet use and the remaining external IPs for servers such as mail, web.

At the moment the internal side of the router is and all PCs point to this as a gateway. Now what I would like is to incorporate a Windows 2K RRAS server with VPN (SERVER A) which will have 2 NICs, one internal ( so don't need to change gateway for LANside PCs) and the other external and attached directly to the router via a crossover I suppose. From this arrangement I would have internal/external bound network traffic passing via

SERVER A in which I could then control and, at will, view the content the traffic that passes through this connection. Later on I would like to add ISA Server to this SERVER A.

My Primary concern is security and control over traffic content.

Question 1: Is there any major disadvantage to this arrangement (besides being Microsoft !)?

Question 1a: Would this overload Server A? Would it slow down traffic much?

Question 2: For the Internal PCs I suppose I would need NAT. Which device should this best be done on (Server A or Router)?

Question 2a: Should I bother with NAT?

Question 3: Can I still incorporate the Cisco IOS firewall?

Question 4: How could all this be done more intelligently?

Any advice, most appreciated.

  • Other Security Subjects

Re: I need some advice on W2K RRAS/VPN + CISCO 2620 + NAT

I would leave the MS server on your network but not funnel all the traffic through it. You connectivity will be down every time that server needs to be restored/rebuilt/rebooted. Not very reliable. You could use a VPN/IOS firewall image on the 2600 and terminate your VPN and firewall your network from there. It will be faster and more reliable. You can then send the syslog files to a server inside to monitor and account for your traffic. Those are my suggestions.

New Member

Re: I need some advice on W2K RRAS/VPN + CISCO 2620 + NAT

Hi mark,

Have you successfully configured your win2k server to talk with PIX? I tried to do this but never success. My configuration now is exactly the same as you.But this is only my testing environment, I would rather use a pix to replace win2k as a firewall/vpn device which will be more reliable.

Back to my question, I have used NAT on win2k side, and configured ipsec policy to protect traffic between 2 lans. Do you know how can I do "no NAT" on win2k just like doing in PIX? How do you configure your RRAS?

Many thanks.