Put server behind Cisco ISR for public and VPN

I want to put four Windows Server 2008 boxes behind a Cisco ISR at our colocation center. These servers needs to connect with full access over VPN to our locations using the router and they also needs to serve specific ports over public IPs. I originally had intended on using the two LAN adapters in each server, one for the private access and one for the public access but I forgot that you cannot have two gateways setup on the OS.

I'm guessing I need to use their public IPs, with 1 LAN adapter each connected to the router. Then create a VPN connection from the location to the colocation router, connecting to those public IPs instead of private IPs. But I want to make sure that private information doesn't leak out and only traverses the VPN (or within the EHWIC switch on the router) and never exits over the GE0/0. I could use ACLs to do this, but I'm just checking if I'm going in the right direction or if I should do something else, or if my original idea would work somehow.

How should I go about setting this up properly? I attached a diagram of my original idea.


config.png
LVL 2
_valkyrie_Asked:
Who is Participating?
 
John MeggersConnect With a Mentor Network ArchitectCommented:
I suspect this doesn't really answer your question, but from a networking perspective, the traffic will flow.  This is done all the time with servers in a DMZ and allowing access from VPN clients.  I don't see much point in trying to dual-home the servers on two different VLANs, I don't think it buys you much.  

But that's not going to solve what is really a DLP issue.  Not everyone may agree, but my take is if you're concerned about data leakage, try to keep the private data off publicly accessible servers, at least as much as possible.  If the VPN users need to get to different data than you want to allow via public access, treat them differently ad use AAA to control access where you need to.

0
 
_valkyrie_Author Commented:
I'm not going with the dual LAN idea. I switched it to a bridged interface on our router and will be using ACLs to keep data from flowing in the wrong direction.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.