Solved

Put server behind Cisco ISR for public and VPN

Posted on 2011-03-10
2
341 Views
Last Modified: 2012-05-11
I want to put four Windows Server 2008 boxes behind a Cisco ISR at our colocation center. These servers needs to connect with full access over VPN to our locations using the router and they also needs to serve specific ports over public IPs. I originally had intended on using the two LAN adapters in each server, one for the private access and one for the public access but I forgot that you cannot have two gateways setup on the OS.

I'm guessing I need to use their public IPs, with 1 LAN adapter each connected to the router. Then create a VPN connection from the location to the colocation router, connecting to those public IPs instead of private IPs. But I want to make sure that private information doesn't leak out and only traverses the VPN (or within the EHWIC switch on the router) and never exits over the GE0/0. I could use ACLs to do this, but I'm just checking if I'm going in the right direction or if I should do something else, or if my original idea would work somehow.

How should I go about setting this up properly? I attached a diagram of my original idea.


config.png
0
Comment
Question by:_valkyrie_
2 Comments
 
LVL 18

Accepted Solution

by:
jmeggers earned 500 total points
ID: 35102539
I suspect this doesn't really answer your question, but from a networking perspective, the traffic will flow.  This is done all the time with servers in a DMZ and allowing access from VPN clients.  I don't see much point in trying to dual-home the servers on two different VLANs, I don't think it buys you much.  

But that's not going to solve what is really a DLP issue.  Not everyone may agree, but my take is if you're concerned about data leakage, try to keep the private data off publicly accessible servers, at least as much as possible.  If the VPN users need to get to different data than you want to allow via public access, treat them differently ad use AAA to control access where you need to.

0
 
LVL 2

Author Closing Comment

by:_valkyrie_
ID: 35113125
I'm not going with the dual LAN idea. I switched it to a bridged interface on our router and will be using ACLs to keep data from flowing in the wrong direction.
0

Featured Post

Why do Marketing keep bothering you?

Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

Join & Write a Comment

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
A procedure for exporting installed hotfix details of remote computers using powershell
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now