Cisco Support Community

VPN3000 terminating clients to private interface.

Our VPN 3030 is set up parallel to our firewall such that it has a single connection to the public and a single connection to our private network, allowing users access to internal resources from the internet. When wireless was deployed on our campus, it was decided that we would use the VPN to secure and authenticate wireless users. Most users are currently set up connecting to the wireless network, which is behind the firewall, and then terminating a VPN session to the public network interface of the 3030, which works fine. The drawback is that when a user wants to use the wireless network to browse the internet, that user uses a single translation through the firewall to connect to the VPN public interface and then another translation to connect out from the VPN to the internet. To avoid having the loop, I would like to terminate internal VPN users on the private interface of the 3030. As the concentrator is currently set up, it is possible to form a session on the private interface, but I wanted to know if that is by design how the system was meant to work (which is my understanding) or if allowing VPN sessions to terminate on the private interface is insecure and shouldn't be allowed. Thanks in advance for any advice that is offered.


Re: VPN3000 terminating clients to private interface.

If the wireless network is behind the firewall, why do they want to make connections to the VPN?


Re: VPN3000 terminating clients to private interface.

The mandate set out by the university was that if we deployed wireless, we would not be able to restrict the students to certain operating systems or certain hardware to use it. That (at the time) ruled out using most versions of EAP for authentication/encryption, as far as what we had seen and tested. The VPN option was proposed as a solution to allow multiple different operating systems (there seems to be a pretty good distribution of clients across operating systems) and hardware types to connect to the wireless network and still maintain good encryption and authentication. Each access point is configured with a VLAN for just wireless clients. These VLANs are restricted at the router with ACLs that allow only DHCP client traffic and VPN sessions to our concentrator out, and DHCP server traffic and VPN session traffic from our concentrator in. This allows all types of hardware and operating systems to associate and obtain an IP and we still maintain authentication and encryption.
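The router-side ACL pair described in the reply above, written out as an added example in Cisco IOS syntax (this is illustrative configuration, not the poster's actual config). The subnet 10.10.0.0/24, SVI Vlan100, concentrator address 10.1.1.5 and DHCP server 10.1.1.20 are constructed placeholders. It assumes the clients use native IPsec (IKE on UDP/500, NAT-T on UDP/4500, ESP as IP protocol 50); if the concentrator is instead configured for IPsec over TCP or IPsec over UDP on a custom port, that port has to be permitted as well. Everything else from the wireless VLAN, including direct internet browsing, is dropped and logged, which is what forces traffic through the authenticated tunnel.

```cisco
! Constructed example: wireless client VLAN locked down to DHCP + IPsec to the concentrator
ip access-list extended WIRELESS-IN
 remark --- traffic FROM wireless clients (applied inbound on the SVI) ---
 remark DHCP discover/request: source is 0.0.0.0 before a lease, so match on ports only
 permit udp any eq bootpc any eq bootps
 remark IKE (UDP/500) and NAT-T (UDP/4500) to the concentrator only (placeholder 10.1.1.5)
 permit udp 10.10.0.0 0.0.0.255 host 10.1.1.5 eq isakmp
 permit udp 10.10.0.0 0.0.0.255 host 10.1.1.5 eq non500-isakmp
 remark ESP (IP protocol 50) to the concentrator only
 permit esp 10.10.0.0 0.0.0.255 host 10.1.1.5
 remark everything else (web, DNS, peer-to-peer between clients via the router) is dropped
 deny ip any any log
!
ip access-list extended WIRELESS-OUT
 remark --- traffic TO wireless clients (applied outbound on the SVI) ---
 permit udp any eq bootps any eq bootpc
 permit udp host 10.1.1.5 eq isakmp 10.10.0.0 0.0.0.255
 permit udp host 10.1.1.5 eq non500-isakmp 10.10.0.0 0.0.0.255
 permit esp host 10.1.1.5 10.10.0.0 0.0.0.255
 deny ip any any
!
interface Vlan100
 description Wireless clients (constructed example)
 ip address 10.10.0.1 255.255.255.0
 ip helper-address 10.1.1.20
 ip access-group WIRELESS-IN in
 ip access-group WIRELESS-OUT out
```

To verify the policy after applying it, `show access-lists WIRELESS-IN` should show hit counts only on the DHCP and IPsec entries while clients are connecting, and the `deny ... log` line gives a log entry for anything a client tries to reach outside the tunnel, which is a useful check that no unencrypted path has crept in. Note that tunnelled user traffic is never inspected by these ACLs; access control for what users may reach after authenticating belongs on the concentrator's group filters and on the private side, which is the same place the question about terminating on the private interface has to be answered.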
