

VPN tunnel within VPN tunnel

In order to secure important data we decided to place a VPN 3005 between the private VLAN the servers are on and the rest of the network. We do have an external VPN 5001 for remote access, and my concern is remote users coming into the network over the external VPN and using resources on the secure VLAN.

I am just wondering if anybody has implemented a similar scenario and what implications, VPN client conflicts, etc. to expect. I'll appreciate any suggestions on the design/implementation as well.

thanks. tat


Re: VPN tunnel within VPN tunnel

If the traffic from your end systems to your servers is highly sensitive and needs to be guarded against snooping, encrypting it is probably the best idea. The problem then would be what to do with the user traffic coming in via the VPN 5001 and directed to the servers. I guess I would have directed the traffic to a router with a LAN-to-LAN VPN connection to the concentrator next to the servers. On the other hand, if all that you are trying to do is to protect your servers by restricting access to them, the ideal way to do that would be to use a PIX firewall. Users coming in from the outside via the VPN 5001 would end up on the outside interface of your PIX. Users on the local network would be placed on the inside interface. The servers would be placed on the DMZ. With this physical setup and using conduits or access-lists you can tightly control access to the servers.
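The three-interface PIX layout described in this reply, written out as an added configuration example (it is not part of the original thread and not a configuration posted by either participant). It uses PIX 6.x access-list syntax rather than the older conduit form, and every address is assumed for illustration: the VPN 5001's inside leg on 192.168.1.0/24, the remote-user pool 192.168.100.0/24 handed out by the VPN 5001, the local LAN on 10.1.0.0/16, and the server VLAN on 10.2.0.0/24 behind the DMZ interface. The two server hosts and ports are likewise placeholders.

```cisco
: Added example, not from the thread. PIX 6.x syntax; all addresses are assumed.
: outside  = side facing the VPN 5001 (remote users arrive here)
: inside   = local LAN
: dmz      = the private server VLAN being protected
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.1.0.1 255.255.0.0
ip address dmz 10.2.0.1 255.255.255.0

: The remote-user pool sits behind the VPN 5001, whose inside leg is 192.168.1.2
route outside 192.168.100.0 255.255.255.0 192.168.1.2 1

: No address translation between the local LAN and the server VLAN
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
access-list nonat permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat

: Identity static so the server VLAN is reachable from the outside without NAT
static (dmz,outside) 10.2.0.0 10.2.0.0 netmask 255.255.255.0 0 0

: Remote VPN users -> servers: only the VPN pool, only the application ports
access-list outside_in permit tcp 192.168.100.0 255.255.255.0 host 10.2.0.10 eq 443
access-list outside_in permit tcp 192.168.100.0 255.255.255.0 host 10.2.0.11 eq 1433
access-list outside_in deny ip any any
access-group outside_in in interface outside

: Servers may not open connections toward the local LAN; anything else they need is allowed
access-list dmz_in deny ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list dmz_in permit ip 10.2.0.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

Inside users reach the servers because traffic from a higher-security interface (inside, 100) to a lower one (dmz, 50) is permitted by default once a translation exists, which the `nat 0` identity entries provide; remote users get only what `outside_in` explicitly lists, and the explicit `deny ip any any` at the end makes the hit counters in `show access-list` show exactly what is being dropped.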


Re: VPN tunnel within VPN tunnel

Thanks Donald, I think the 2nd scenario with the servers on DMZ would be more appropriate.

I appreciate your help.