Cisco Support Community
Community Member

VPN Advice - lots of questions

I've been tasked with looking at VPN solutions that will enable various offices to exchange information. We have a number of scenarios due to acquisition and I'm looking for some guidance, with some recommendations on the better solutions. I've never configured a VPN and hope that you'll be able to give me a starting point to work from.

Various Scenarios, note Head Office is Windows NT 4.0 RAS & RRAS based with ISDN and PSTN connections to satellite sites.

1. ISDN connection to satellite site with Cisco 800 Router connected to Ethernet network, Windows NT (IP only).

2. PSTN Dial-up Connection from satellite site, currently using RAS to dial RAS Server. Windows NT (IP) and few NT clients.

3. ADSL connection at Satellite site to local ISP (POP) enabling Email only via the Internet.

The options that I'm debating are:

1. Windows NT VPN Solution, RRAS & PPTP Server. Satellites will connect via a POP and use NT VPN Clients.

2. Upgrade IOS on 800 routers to support tunnelling (PPTP) and perhaps PIX and bigger satellite sites. Is it just an IOS upgrade for tunnelling? Can I use the VPN Client with NT, what about NT authentication?

3. Install hardware VPN solution (Cisco 2xxx Router) at some sites with ADSL connection to POP.

All suggestions and the pros and cons will be gratefully noted.



Re: VPN Advice - lots of questions

Even though it’s probably not possible to make specific recommendations in a forum like this, I’ll try and help you out. I would strongly recommend you have one of Cisco’s design engineers look at your site and topology to offer you a good design proposal.

If the 800’s are big enough for the traffic (IPsec takes a lot of processing) then yes, upgrade those. If you have to change out the routers, a 2600 series is good but may be excessive too (except from a growth standpoint). The 1700 series may be a cost-effective alternative.

I would put a big PIX at headquarters to be able to handle all of the tunnel terminations. Better to offload that work to a firewall than configuring it on the router. You’ll also have a great firewall solution at the same time.

If you plan to deploy the PPTP tunneling client to server, as long as you have no access-lists blocking any IP, it should work now without any change. The downsides are PPTP is slower, less secure and hard to administer (client configs, system restores, etc.). IPsec is so much more secure even in its 56-bit DES format, but 3DES is very strong. It would be set up site-to-site and all the administration is done on the routers and PIX’s, so it’s transparent to the clients.

Finally, the VPN client can be used for client-to-network tunnels and currently supports Win 95/98 and NT. The new version for Windows 2000 is promised shortly. That would give remote users (i.e. salespeople) the ability to connect from remote ISPs.

Hope this helps you out!
