I am preparing a site-to-site VPN solution for an Application Service Provider. The company presently hosts email and archiving services for small to medium size businesses and they already have a Windows 2003 based RRAS VPN (yucks!). Most of the remote customer sites already have Cisco routers connecting to the Internet and there are 50 of these (customers), yielding an aggregated traffic density of 50 Mbps. I am deciding on deploying two head end 3700 series routers at the central site with load balancing. Each customer's router will have two IPSec tunnels to the ASP's central site for redundancy. I am still very much confused about the IP addressing issue. My questions are as follows:
Most of the customer sites have overlapping private addressing with respect to the central site, and I know that NAT can solve this issue. How do I proceed about it so that all the customer sites can access the ASP network transparently? I mean, can anyone tell how Service Providers tackle this issue?
The technical manager is very much interested in deploying VPN 30xx concentrators as a solution. Since this is purely a site-to-site VPN infrastructure, would this be a good idea?
Within the router, NAT happens BEFORE IPSec, so it's relatively easy to simply NAT the customer site traffic to some specific IP address range, then encrypt and send it on to your central site. Provided you set up each of the 50 customer routers to NAT to a different address range, and your central site network has routes for all those NAT'd networks pointing back to the 3700s, then you should be fine.
Similarly, the VPN 3000s have a LAN-to-LAN tunnel feature with NAT'ing over the tunnel, so this would be a good solution for you.
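The per-site address plan described in the reply above, as an added example that is not part of the original thread: it gives each customer site a unique NAT range the same size as its real LAN, refuses a pool that collides with the central LAN, and lists the central-site route for each range. The site names, the 10.200.0.0/16 pool, the central LAN and the next hop 172.16.0.1 are constructed sample values.

```python
import ipaddress

def plan_nat_ranges(sites, nat_pool, central_lan, headend_next_hop):
    """Give every site its own NAT range (same size as its real LAN) from nat_pool."""
    pool = ipaddress.ip_network(nat_pool)
    if pool.overlaps(ipaddress.ip_network(central_lan)):
        raise ValueError("NAT pool overlaps the central-site LAN")
    allocated, plan = [], {}
    # Place the largest LANs first so the pool is not fragmented.
    by_size = sorted(sites.items(), key=lambda s: ipaddress.ip_network(s[1]).prefixlen)
    for name, cidr in by_size:
        lan = ipaddress.ip_network(cidr)
        if lan.prefixlen < pool.prefixlen:
            raise ValueError(f"{name}: LAN {lan} is larger than the NAT pool")
        block = next((c for c in pool.subnets(new_prefix=lan.prefixlen)
                      if not any(c.overlaps(a) for a in allocated)), None)
        if block is None:
            raise ValueError(f"{name}: NAT pool exhausted")
        allocated.append(block)
        plan[name] = {
            "real_lan": lan,
            "nat_range": block,
            # Static route the central site needs, pointing back at the head end.
            "central_route": f"ip route {block.network_address} {block.netmask} "
                             f"{headend_next_hop}",
        }
    return plan

def translate(host, real_lan, nat_range):
    """Address a customer host appears as at the central site (host bits kept)."""
    addr = ipaddress.ip_address(host)
    if addr not in real_lan:
        raise ValueError(f"{addr} is not inside {real_lan}")
    return nat_range.network_address + (int(addr) - int(real_lan.network_address))

# Constructed sample: two sites share 192.168.1.0/24, which is also the central LAN.
SITES = {
    "site-a": "192.168.1.0/24",
    "site-b": "192.168.1.0/24",
    "site-c": "192.168.0.0/23",
}
PLAN = plan_nat_ranges(SITES, "10.200.0.0/16", "192.168.1.0/24", "172.16.0.1")

if __name__ == "__main__":
    for name, p in PLAN.items():
        print(name, p["real_lan"], "->", p["nat_range"], "|", p["central_route"])
```

The crypto ACL on each customer router then has to match the translated range rather than the real LAN, since the translation has already happened by the time IPSec sees the packet.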