«

I aplogize if this is not clear.

I have two VPN devices each with external interfaces, one old, one new, The
old one is currently in use and I want to transition VPN users (those with
VPN clients) to the new VPN one at a time.

My network guy says that we can not have VPN clients using seperate VPN
devices on the same subnet because we only have one default route. Perhaps
this is true but is there some way to work around this (beside creating
custom routes for individual VPN client connections).

Can the Router be configured so that all connections coming in from VPNA go
back out through VPNA and all connections comming in from VPNB go back out
VPNB? Here's a crude drawing:


Internal Network
|
Router Router External Interface 166.161.252.1
|
Switch
| | <----- 166.161.252. Subnet
| |
| VPNA
VPNB | VPNA Internal Interface 166.161.251.101 Internal
Interface 166.161.252.21
| | VPNB External Interface 166.161.251.102
Internal Interface 166.161.252.22
INTERNET


TIA,

biru

In article <CoCdnTu7aesUfT-iRVn->, cc0014401 <biru> wrote:
:Can the Router be configured so that all connections coming in from VPNA go
:back out through VPNA and all connections comming in from VPNB go back out
:VPNB? Here's a crude drawing:


:Internal Network
: |
: Router Router External Interface 166.161.252.1
: |
: Switch
: | | <----- 166.161.252. Subnet
: | |
: | VPNA
: VPNB | VPNA Internal Interface 166.161.251.101 Internal
:Interface 166.161.252.21
: | | VPNB External Interface 166.161.251.102
:Internal Interface 166.161.252.22
: INTERNET

Maybe -- it depends partly on what router and software it is. [You
did not specify Cisco, and there's a tendancy for people to ask
general networking questions here even if they don't have Cisco equipment.]

The other thing it depends on is how the clients get their IP addresses.

If there is an identifiable IP difference between the client addresses
that go with VPNA and those that go with VPNB, and you are using
an appropriate Cisco router that supports Policy Based Routing (PBR),
then you should be able to do it. You would create an access list
matching the client addresses for VPNA, and create a policy that
referenced that ACL and which set 'next-hop' to VPNA, and you would
apply that policy against the router outgoing interface.


If there is no identifiable IP difference between the client addresses,
then by the time the incoming packet gets past the router, it's
original identity is going to be lost. Hypothetically, you could have
the router look at the MAC addresses of the packets and apply different
NAT depending on the source. I cannot, though, think of any Cisco
router that would allow that kind of MAC address matching on an IP
access list [unless perhaps you could hack 802.1x port authentication
to do it.] MAC ACLs historically could only be applied when you
were bridging. The 3750 "multilayer switch" just might be able to
do the trick: the 2950 EI, 3550 EI, and 3750 EI series have
port-level ACLs that do things that traditional IOS routers
could not do. But I don't recall if the 3750 can do NAT.
--
I was very young in those days, but I was also rather dim.
-- Christopher Priest