Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Site to Site VPN issues

Folks,

I am preparing a site-to-site VPN solution for an Application Service Provider. The company presently hosts email and archiving services for small to medium size businesses and they already have a windows 2003 based RRAS VPN (yucks!). Most the remote customer sites already have cisco routers connecting to internet and there are 50 of these (customers) , yielding an aggregated traffic density of 50 Mbps. I am deciding on deploying two head end 3700 series routers at the central site with load balancing. Each customers' router will have two IPSec tunnels to the ASP's central site for redundancy. I am still very much confused about the IP addressing issue. My questions are as follows :

most of the customer sites have overlapping private addressing with respect to the central site, and I know that NAT can solve this issue. How do I proceed about it so that all the customer sites can access the ASP network transparently...I mean can anyone tell how do Service Providers tackle this issue.

The technical manager is very much interested in deploying VPN 30xx concentrators as a solution. Since this is purely a site-to-site VPN infrastructure would this be a good idea ?

Thanx in advance for your time and help

Cheers

1 REPLY
Cisco Employee

Re: Site to Site VPN issues

Within the router NAT happens BEFORE IPSec, so it's relatively easy to simply NAT the customer site traffic to some specific IP address range, then encrypt and send it on to your central site. Provided you set up each of the 50 customer routers to NAT to a different address range, and your central site network has routes for all those NAT'd networks pointing back to the 3700's then you should be fine.

Similarly, the VPN3000's have a LAN-to-LAN tunnel feature with NAT'ing over the tunnel, so this would be a good solution for you.

You can read about this feature here:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_0/config/polmgt.htm#1454226

91
Views
0
Helpful
1
Replies
CreatePlease login to create content