Solved

Put server behind Cisco ISR for public and VPN

Posted on 2011-03-10
Last Modified: 2012-05-11
I want to put four Windows Server 2008 boxes behind a Cisco ISR at our colocation center. These servers need to connect with full access over VPN to our locations using the router, and they also need to serve specific ports over public IPs. I had originally intended to use the two LAN adapters in each server, one for the private access and one for the public access, but I forgot that you cannot have two gateways set up on the OS.

I'm guessing I need to use their public IPs, with 1 LAN adapter each connected to the router. Then create a VPN connection from the location to the colocation router, connecting to those public IPs instead of private IPs. But I want to make sure that private information doesn't leak out and only traverses the VPN (or within the EHWIC switch on the router) and never exits over the GE0/0. I could use ACLs to do this, but I'm just checking if I'm going in the right direction or if I should do something else, or if my original idea would work somehow.

How should I go about setting this up properly? I attached a diagram of my original idea.


config.png
Question by:_valkyrie_

Accepted Solution

by:
jmeggers earned 500 total points
ID: 35102539
I suspect this doesn't really answer your question, but from a networking perspective, the traffic will flow. This is done all the time with servers in a DMZ and allowing access from VPN clients. I don't see much point in trying to dual-home the servers on two different VLANs; I don't think it buys you much.

But that's not going to solve what is really a DLP issue. Not everyone may agree, but my take is if you're concerned about data leakage, try to keep the private data off publicly accessible servers, at least as much as possible. If the VPN users need to get to different data than you want to allow via public access, treat them differently and use AAA to control access where you need to.


Author Closing Comment

by:_valkyrie_
ID: 35113125
I'm not going with the dual LAN idea. I switched it to a bridged interface on our router and will be using ACLs to keep data from flowing in the wrong direction.
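
The ACL approach in the closing comment depends on entry order, because an ACL is evaluated top-down and the first matching entry wins. The following is an added example, not part of the original thread or the poster's configuration: a small Python model for checking an egress policy on GE0/0 before it is deployed. The addresses, the published ports (443 and 25) and the `WEAK` and `HARDENED` rule sets are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumptions, not from the thread).
SERVERS = "203.0.113.0/28"   # public subnet of the colocated servers
ANY = "0.0.0.0/0"
PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # RFC 1918

# Entries: (action, proto, src_net, src_port or None for any, dst_net).
PUBLISH = [("permit", "tcp", SERVERS, 443, ANY),
           ("permit", "tcp", SERVERS, 25, ANY)]
BLOCK_PRIVATE = [("deny", "ip", ANY, None, net) for net in PRIVATE]

WEAK = PUBLISH + BLOCK_PRIVATE       # permits shadow the private-range denies
HARDENED = BLOCK_PRIVATE + PUBLISH   # private destinations are rejected first

# Constructed clear-text flows that routing would send out GE0/0:
# (proto, src, src_port, dst, must_stay_in_vpn)
FLOWS = [
    ("tcp", "203.0.113.10", 443, "198.51.100.7", False),  # public HTTPS reply
    ("tcp", "203.0.113.10", 443, "10.20.0.5", True),      # reply to a site client
    ("tcp", "203.0.113.11", 445, "10.20.0.5", True),      # file sharing to a site
]

def evaluate(acl, proto, src, sport, dst):
    """Return the action of the first matching entry (implicit deny at the end)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, a_proto, a_src, a_sport, a_dst in acl:
        if a_proto not in ("ip", proto):
            continue
        if a_sport is not None and a_sport != sport:
            continue
        if s in ipaddress.ip_network(a_src) and d in ipaddress.ip_network(a_dst):
            return action
    return "deny"

def leaks(acl, flows):
    """Flows that must stay inside the VPN but that the ACL would let out."""
    return [f for f in flows if f[4] and evaluate(acl, *f[:4]) == "permit"]

if __name__ == "__main__":
    for name, acl in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, "leaks:", leaks(acl, FLOWS))
```

With the permits listed first, the reply from a published port to a private site address is allowed out in clear text; moving the private-range denies to the top closes that gap while public replies still pass.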