Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
228
Views
0
Helpful
2
Replies

VPN3000 terminating clients to private interface.

rbays@angelo.edu
Level 1
Level 1

‎02-20-2004 09:26 AM - edited ‎03-09-2019 06:30 AM

Our VPN 3030 is set up parallel to our firewall such that it has a single connection to the public and a single connection to our private network allowing users access to internal reasources from the internet. When wireless was deployed on our campus, it was decided that we would use the VPN to secure and authenticate wireless users. Most users are currently setup connecting to the wireless network, which is behind the firewall, and then terminating a VPN session to the public network interface of the 3030 which works fine. The draw back is that when a user wants to use the wireless network to browse the internet, that user uses a single translation through the firewall to connect to the VPN public interface and then another translation to connect out from the VPN to the internet. To avoid having the loop, I would like to teminate internal VPN users on the private interface of the 3030. As the concentrator is currently set up, it is possible to form a session on the private interface, but I wanted to know if that is by design how the system was meant to work (which is my understanding) or if allowing VPN sessions to terminate on the private interface is insecure and shouldn't be allowed. Thanks in advance for any advice that is offered.

Labels:
0 Helpful
2 Replies 2

mostiguy
Level 6
Level 6

‎02-20-2004 10:49 AM

if the wireless network is behind the firewall, why do they want to make connections to the vpn?

0 Helpful

rbays@angelo.edu
Level 1
Level 1
In response to mostiguy

‎02-20-2004 01:20 PM

The mandate set out by the university was that if we deployed wireless, we would not be able to restrict the students to certain operating systems or certain hardware to use it. That (at the time) ruled out using most versions of EAP for authentication/encryption as far as what we had seen and tested. The VPN option was proposed as a solution to allow multiple different operating systems (there seems to be a pretty good distribution of clients across operating systems) and hardware types to connect to the wireless network and still maintain good encryption and authentication. Each access point is configured with a vlan for just wireless clients. These vlans are restricted at the router with ACLs that allow only dhcp client traffic and VPN sessions to our concentrator out, and dhcp server traffic and VPN session traffic from our concentrator in. This allows all types of hardware and operating systems to associate and obtain an IP and we still maintain authentication and encryption.

0 Helpful
Customers Also Viewed These Support Documents