Re: Dual VPN locations?

cphillips_utmg · ‎11-03-2005

I am a network engineer in a large medical practice. We have physicians that need access to two seperate network enviroments. Currently they have access to the universities resources using the Cisco IPsec Client. Is there a way to add security policy to the current client to allow the physicians to access our network if we adopt a Cisco VPN appliance? Our firewall is not Cisco.

thisisshanky · ‎11-03-2005

Are you trying to achieve redundancy, as far as (vpn to one location fails, add a backup site) ?

You can add a second connection in the ipsec client and have the doctors connect via that client, when they need to access your network. You cannot have two connections active at the same time.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

jackko · ‎11-03-2005

assuming you are referring the physicians to have 2 vpn connections at the same time, it's not feasible as the vpn client software doesn't support more than 1 active vpn at a time.

however, depends on what sort of device you've got, you can configure "hub-spoke" vpn. i.e. the physicians establish a vpn to net1 and then accessing net2 via net1.

cphillips_utmg · ‎11-04-2005

The physcians and business managers work under two different organizations. The two vpns are totally isolated from each other. One is a university where they are involved in the academic enviroment the other is group private practice. What Cisco appliance do you see that I should lean towards, our firewall is a Juniper. Thanks in advance - I appreciate all answers.

jackko · ‎11-04-2005

you may get a pix to run lan-lan vpn to those two different locations.

ezvpn may not be feasible as one unit can't act as 2 different ezvpn clients.

cphillips_utmg · ‎11-04-2005

The need is as a pc client. The phycians work from multiple clinics, home, and while traveling at hotels. I do have "branch office" tunnels between hospitals but this need is outside the campus and into the world.

jackko · ‎11-04-2005

as mentioned the vpn client software is not capable to establish and maintain more than one vpn at a time, i guess the only way is to create a hub.

let say you deploy a hub (i.e. the vpn server) for remote vpn user. this hub itself would have other lan-lan vpn tunnels. thus the remote vpn user can access those resources via the hub.

e.g.

remote vpn user <--> www/vpn <--> your office...

...

your office <--> www/vpn <--> other sites

to choose the device as a hub, you may use pix v7, asa, router with firewall feature set, or a vpn concentrator.

cphillips_utmg · ‎11-04-2005

Sorry I didn't clarify.

The user will only be attaching in an either or not a both situation at the same time.

cphillips_utmg · ‎11-04-2005

Sorry - I hadn't clarified this.

The user will only be connecting to one at a time.

This is an either or not both at the same time need.

Richard Burts · ‎11-04-2005

Calvin

I have not fully digested this thread. But if I understand correctly you have physicians who currently use VPN client software to access one network environment. And you want to add the capability for them to access a different network environment. The access would be either/or (connect to the University or connect to the Practice) but not both at the same time.

That should be easy to do. The VPN client has the ability to configure different destinations and the user can choose which one he wants to connect to when the connection is established.

There are several hardware platforms that could be used for this. As I understand your environment I would probably recommend something in the Cisco 3000 line of VPN concentrators. It could be done on a PIX, but since you already have a firewall I would think the PIX would be not the optimum choice for you. It could also be done on a router, but I would suggest for you a platform that is dedicated to this function.

HTH

Rick

HTH

Rick

cphillips_utmg · ‎11-04-2005

You have the picture correct.

Now - Which 3000 can handle my 200-300 online users, the total user base would be about double that.

Thanks!

jackko · ‎11-04-2005

please excuse me for misunderstanding.

according to cisco, concentrator 3005 supports remote vpn user up to 200; the 3020 supports remote vpn user up to 750.

for more details:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_models_comparison.html

with the vpn client software, you can create and import multiple profiles (i.e. *.pcf), which would establish remote vpn tunnel to different locations.

also you mentioned you've got a juniper firewall in place, you may deploy the concentrator at the dmz and perform 1-to-1 nat on the juniper firewall. an inbound acl is required in permitting the following:

udp 500

udp 4500

ip 50

Richard Burts · ‎11-05-2005

Calvin

If you have 200 to 300 online users and total user base is double that I believe that the 3005 is too limited for you. I believe that the 3020 would be a better fit. Cisco claims it supports up to 750 IPSec client sessions. If you thought that demand might increase you might consider the 3030 which Cisco claims supports up to 1500 IPSec client sessions.

HTH

Rick

HTH

Rick