I need some advice on W2K RRAS/VPN + CISCO 2620 + NAT

mark.forsyth
Level 1

I need some advice on using W2K RRAS server and a CISCO 2620 (with IOS inbuilt firewall).

Please excuse me for my simplicity, but I'm not very Cisco conversant but I do know some of the basics.

At the moment I have a Cisco 2620 as the router/firewall for our network with all PCs behind it using NAT (overload I think) on 4 IP addresses for Internet use and the remaining external IPs for servers such as mail, web.

At the moment the internal side of the router is 10.0.0.9 and all PCs point to this as a gateway. Now what I would like is to incorporate a Windows 2K RRAS server with VPN (SERVER A) which will have 2 NICs, one internal (10.0.0.9 so don't need to change gateway for LANside PCs) and the other external and attached directly to the router via a crossover I suppose. From this arrangement I would have internal/external bound network traffic passing via SERVER A in which I could then control and, at will, view the content of the traffic that passes through this connection. Later on I would like to add ISA Server to this SERVER A.

My Primary concern is security and control over traffic content.

Question 1: Is there any major disadvantage to this arrangement (besides being Microsoft !)?

Question 1a: Would this overload Server A? Would it slow down traffic much?

Question 2: For the Internal PCs I suppose I would need NAT. Which device should this best be done on (Server A or Router)?

Question 2a: Should I bother with NAT?

Question 3: Can I still incorporate the Cisco IOS firewall?

Question 4: How could all this be done more intelligently?

Any advice, most appreciated.

2 Replies

s.jankowski
Level 4

I would leave the MS server on your network but not funnel all the traffic through it. Your connectivity will be down every time that server needs to be restored/rebuilt/rebooted. Not very reliable. You could use a VPN/IOS firewall image on the 2600 and terminate your VPN and firewall your network from there. It will be faster and more reliable. You can then send the syslog files to a server inside to monitor and account for your traffic. Those are my suggestions.

edwong
Level 1

Hi mark,

Have you successfully configured your win2k server to talk with PIX? I tried to do this but never succeeded. My configuration now is exactly the same as yours. But this is only my testing environment; I would rather use a PIX to replace win2k as a firewall/vpn device, which will be more reliable.

Back to my question, I have used NAT on the win2k side, and configured an IPsec policy to protect traffic between the 2 LANs. Do you know how I can do "no NAT" on win2k just like in PIX? How do you configure your RRAS?

Many thanks.

Edwong
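As an added illustration (not posted by anyone in this thread) of the router-side design s.jankowski suggests, and of the IOS counterpart to the PIX "no NAT" that edwong asks about, here is a 2620 configuration fragment: NAT overload onto four public addresses, static NAT for the mail and web servers, a NAT exemption for LAN-to-LAN VPN traffic, IOS firewall (CBAC) inspection on the inside interface, and syslog export to an inside host. All addresses are constructed (203.0.113.0/27 stands in for the public block, 10.1.0.0/24 for a hypothetical remote VPN LAN, 198.51.100.1 for its peer, 10.0.0.50 for the syslog host); the crypto map that actually terminates the VPN is omitted.

```cisco
! Added example, not from the thread. Addresses are constructed placeholders.
! Inside hosts allowed to use the overload pool. The deny line is the IOS
! counterpart of PIX "nat 0": LAN-to-remote-LAN traffic keeps its real
! addresses so the IPsec crypto ACL can match it instead of NAT rewriting it.
access-list 110 deny   ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
!
! Four public addresses shared by all PCs (port address translation).
ip nat pool INET-POOL 203.0.113.2 203.0.113.5 netmask 255.255.255.224
ip nat inside source list 110 pool INET-POOL overload
!
! One-to-one mappings for the published mail and web servers.
ip nat inside source static 10.0.0.20 203.0.113.10
ip nat inside source static 10.0.0.21 203.0.113.11
!
! Stateful inspection: CBAC opens return paths for sessions started inside,
! so the outside ACL only needs explicit permits for published services.
ip inspect name FW tcp
ip inspect name FW udp
!
! Inbound filter on the Internet side. Only the published servers and the
! VPN peer (IKE + ESP) are reachable; everything else is dropped and logged.
access-list 120 permit tcp any host 203.0.113.10 eq smtp
access-list 120 permit tcp any host 203.0.113.11 eq www
access-list 120 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
access-list 120 permit esp host 198.51.100.1 host 203.0.113.1
access-list 120 deny   ip any any log
!
interface FastEthernet0/0
 description LAN (default gateway for PCs, as in the thread)
 ip address 10.0.0.9 255.255.255.0
 ip nat inside
 ip inspect FW in
!
interface Serial0/0
 description Internet uplink
 ip address 203.0.113.1 255.255.255.224
 ip nat outside
 ip access-group 120 in
!
! Ship the router log to an inside syslog host so traffic can be monitored
! and accounted for without routing all of it through a Windows box.
logging host 10.0.0.50
logging trap informational
```

The `deny ... log` entry in ACL 120 is what produces the per-packet records on the syslog host; `show ip nat translations` and `show ip inspect sessions` show the live translation and inspection tables while you verify the setup.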