Cisco Support Community
Community Member

wireless and VPN

We are going to deploy Wireless on our LAN. Besides the suggested Cisco policy for securing wireless we also want to secure it with VPN. Has anybody done this that can point me where to start? We have a 3000 concentrator, can I use the external interface for this? Thanks.

Our WLAN is on an internal network VLAN 252 and our LAN is on different VLANs. internal network is


Community Member

Re: wireless and VPN

We just implemented the LEAP thing ourselves. My management also wanted to bring everything through our 3000 Concentrator but I managed to convince them that this was way overkill, not to mention an administrative and political nightmare. I could just imagine the number of support calls we would get when users are confronted with two different prompts. What happens when their VPN connection gets terminated for no good reason?

In addition you are now running LAN speed connections with IPSec through your concentrator. I wouldn't want to try this unless I had at least a 3030 with multiple SEP cards. One other thing is that VLANs are not a security feature. It is possible to hop VLANs (Cisco has a doc out there somewhere concerning this. It isn't easy but they specifically state not to consider a VLAN a security barrier).

Most of the hype about WEP being insecure has to do with implementations that do not use any encryption at all, but most magazine certified IT people don't get past the headlines anyway. While in theory 802.11b WEP can be cracked it isn't easy. And I have yet to see any reports of someone cracking a correctly implemented Cisco LEAP setup. It would be much easier for a hacker to root a box in your DMZ (or internal network if you have holes in your firewall to them).

I basically put it that if they feel that wireless is that much of a threat then it needs to be turned off.

Community Member

Re: wireless and VPN

Thanks for the reply. We do have the ACS and LEAP working and also VPN, but you do have to login twice. We are now trying certificates so users wouldn't have to login twice. I agree the more complex it is the more problems of supporting it. Hopefully our VPN will hold up. I have posed this question to our Cisco SE. We will be accessing applications via Citrix so it will be very thin. I don't know how much overhead IPSEC will be.

Thanks again.
