Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2331
Views
0
Helpful
2
Replies

hardware VPN gateway behind firewall - workable config?

Go to solution
socalrobg
Level 1
Level 1

‎08-06-2012 02:00 PM

We have 2 remote employees who have off/on difficulties with their software VPN client.  We're preparing to roll out VoIP phones to them, and don't want to open up our internal PBX to the net.  I would like to kill 2 birds with 1 stone by providing a hardware VPN to each employee in order to establish a gateway 2 gateway IP Sec VPN between their home office and the main office.  This should provide a more reliable connection and higher throughput, while allowing for the VoIP phone to connect through the VPN tunnel thus keeping our internal PBX secured.  So far so good.  From what I can tell the rv120w, rv220w, or cisco asa 5505 would do the trick.  Now for the difficulty - I don't want all personal traffic (Netflix streaming, whatever) from their homes traveling through the VPN tunnel.  So I'd like to allow the employee to maintain their own personal network, and within that personal network would be the hardware VPN device providing a secondary network using the VPN tunnel. 

It would look like this:

web :

   home wireless router: (dynamic public IP, 192.168.1.x private subnet)

       personal computer

       laptop

       network TV, etc

       hardware VPN device: (192.168.1.1 WAN IP, 192.168.2.x private subnet), IPSec VPN tunnel to main office (should use main office internal DNS)

         VoIP phone (192.168.2.1)

         Office computer (192.168.2.2)

Seems straightforward to me, but concerned about going through two NAT.  Seems like this would be the most preferred configuration for a home office that is sharing a single internet connection.  Found an old Cisco product that was geared towards this specific scenario - the Cisco VPN 3002; but it is end of life.

I'm also a bit wary of the poor consumer reviews of the various Cisco RV line routers.  Considering the Zyxel Zywall USG 20 as an alternative.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tom Watts
VIP Alumni
VIP Alumni

‎08-06-2012 02:07 PM

The RV120 and RV220W support split tunnel site to site VPN, therefore all 'cluttered' traffic would remain local to the home networks while the VPN traffic is exactly that.

You may want to consider installing one of the forementioned routers at the home locations to avoid double-NAT or additional purchases. The hardware VPN device does not seem practical considering the expense of a gateway to gateway VPN router is pretty inexpensive.

-Tom

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Tom Watts
VIP Alumni
VIP Alumni

‎08-06-2012 02:07 PM

The RV120 and RV220W support split tunnel site to site VPN, therefore all 'cluttered' traffic would remain local to the home networks while the VPN traffic is exactly that.

You may want to consider installing one of the forementioned routers at the home locations to avoid double-NAT or additional purchases. The hardware VPN device does not seem practical considering the expense of a gateway to gateway VPN router is pretty inexpensive.

-Tom

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
0 Helpful

Go to solution
socalrobg
Level 1
Level 1
In response to Tom Watts

‎08-06-2012 04:25 PM

Thanks Tom.  We'll give the split tunnel site to site VPN a try using just the Cisco router.

0 Helpful
Customers Also Viewed These Support Documents