Migrating VPN and routing issue

Discussion in 'Cisco' started by cc0014401, Oct 31, 2003.

  1. cc0014401

    cc0014401 Guest

    I apologize if this is not clear.

    I have two VPN devices each with external interfaces, one old, one new. The
    old one is currently in use and I want to transition VPN users (those with
    VPN clients) to the new VPN one at a time.

    My network guy says that we cannot have VPN clients using separate VPN
    devices on the same subnet because we only have one default route. Perhaps
    this is true, but is there some way to work around this (besides creating
    custom routes for individual VPN client connections)?

    Can the Router be configured so that all connections coming in from VPNA go
    back out through VPNA and all connections coming in from VPNB go back out
    VPNB? Here's a crude drawing:


    Internal Network
    |
    Router Router External Interface 166.161.252.1
    |
    Switch
    | | <----- 166.161.252. Subnet
    | |
    | VPNA
    VPNB | VPNA Internal Interface 166.161.251.101 Internal
    Interface 166.161.252.21
    | | VPNB External Interface 166.161.251.102
    Internal Interface 166.161.252.22
    INTERNET


    TIA,

    biru
     
    cc0014401, Oct 31, 2003
    #1

  2. In article <>, cc0014401 <biru> wrote:
    :Can the Router be configured so that all connections coming in from VPNA go
    :back out through VPNA and all connections coming in from VPNB go back out
    :VPNB? Here's a crude drawing:


    :Internal Network
    : |
    : Router Router External Interface 166.161.252.1
    : |
    : Switch
    : | | <----- 166.161.252. Subnet
    : | |
    : | VPNA
    : VPNB | VPNA Internal Interface 166.161.251.101 Internal
    :Interface 166.161.252.21
    : | | VPNB External Interface 166.161.251.102
    :Internal Interface 166.161.252.22
    : INTERNET

    Maybe -- it depends partly on what router and software it is. [You
    did not specify Cisco, and there's a tendency for people to ask
    general networking questions here even if they don't have Cisco equipment.]

    The other thing it depends on is how the clients get their IP addresses.

    If there is an identifiable IP difference between the client addresses
    that go with VPNA and those that go with VPNB, and you are using
    an appropriate Cisco router that supports Policy Based Routing (PBR),
    then you should be able to do it. You would create an access list
    matching the client addresses for VPNA, and create a policy that
    referenced that ACL and which set 'next-hop' to VPNA, and you would
    apply that policy against the router outgoing interface.


    If there is no identifiable IP difference between the client addresses,
    then by the time the incoming packet gets past the router, its
    original identity is going to be lost. Hypothetically, you could have
    the router look at the MAC addresses of the packets and apply different
    NAT depending on the source. I cannot, though, think of any Cisco
    router that would allow that kind of MAC address matching on an IP
    access list [unless perhaps you could hack 802.1x port authentication
    to do it.] MAC ACLs historically could only be applied when you
    were bridging. The 3750 "multilayer switch" just might be able to
    do the trick: the 2950 EI, 3550 EI, and 3750 EI series have
    port-level ACLs that do things that traditional IOS routers
    could not do. But I don't recall if the 3750 can do NAT.
    --
    I was very young in those days, but I was also rather dim.
    -- Christopher Priest
     
    Walter Roberson, Oct 31, 2003
    #2
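
The policy-based routing approach described in the reply above, written out as Cisco IOS configuration; this is an added example and not part of the original thread. The client pools (10.10.1.0/24 and 10.10.2.0/24), the interface name, and the ACL and route-map names are assumptions, while the next-hop addresses are the 166.161.252.21 and 166.161.252.22 addresses from the drawing. On IOS, `ip policy route-map` acts on packets received on the interface it is configured on, so here it sits on the interface facing the internal network.

```cisco
! Added example, not from the thread.
! Assumed (not on the page): VPNA hands out 10.10.1.0/24, VPNB hands out
! 10.10.2.0/24, and FastEthernet0/0 faces the internal network.
! From the page: 166.161.252.21 (VPNA) and 166.161.252.22 (VPNB) sit on
! the same 166.161.252.x subnet as the router's 166.161.252.1 interface.
!
! Return traffic is identified by its destination: the VPN client pool.
ip access-list extended TO-VPNA-CLIENTS
 permit ip any 10.10.1.0 0.0.0.255
ip access-list extended TO-VPNB-CLIENTS
 permit ip any 10.10.2.0 0.0.0.255
!
! Each pool is sent back to the VPN device that terminated the tunnel.
route-map VPN-RETURN permit 10
 match ip address TO-VPNA-CLIENTS
 set ip next-hop 166.161.252.21
route-map VPN-RETURN permit 20
 match ip address TO-VPNB-CLIENTS
 set ip next-hop 166.161.252.22
! Packets matching neither sequence are not policy routed and follow
! the normal routing table, including the single default route.
!
interface FastEthernet0/0
 ip policy route-map VPN-RETURN
!
! Checks after applying:
!   show ip policy          (interface-to-route-map binding)
!   show route-map VPN-RETURN   (per-sequence match counters)
```

The per-sequence counters in `show route-map` confirm that each pool's return traffic is hitting the intended sequence during the migration.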
