?
Solved

Put server behind Cisco ISR for public and VPN

Posted on 2011-03-10
2
Medium Priority
?
353 Views
Last Modified: 2012-05-11
I want to put four Windows Server 2008 boxes behind a Cisco ISR at our colocation center. These servers needs to connect with full access over VPN to our locations using the router and they also needs to serve specific ports over public IPs. I originally had intended on using the two LAN adapters in each server, one for the private access and one for the public access but I forgot that you cannot have two gateways setup on the OS.

I'm guessing I need to use their public IPs, with 1 LAN adapter each connected to the router. Then create a VPN connection from the location to the colocation router, connecting to those public IPs instead of private IPs. But I want to make sure that private information doesn't leak out and only traverses the VPN (or within the EHWIC switch on the router) and never exits over the GE0/0. I could use ACLs to do this, but I'm just checking if I'm going in the right direction or if I should do something else, or if my original idea would work somehow.

How should I go about setting this up properly? I attached a diagram of my original idea.


config.png
0
Comment
Question by:_valkyrie_
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 18

Accepted Solution

by:
jmeggers earned 1500 total points
ID: 35102539
I suspect this doesn't really answer your question, but from a networking perspective, the traffic will flow.  This is done all the time with servers in a DMZ and allowing access from VPN clients.  I don't see much point in trying to dual-home the servers on two different VLANs, I don't think it buys you much.  

But that's not going to solve what is really a DLP issue.  Not everyone may agree, but my take is if you're concerned about data leakage, try to keep the private data off publicly accessible servers, at least as much as possible.  If the VPN users need to get to different data than you want to allow via public access, treat them differently ad use AAA to control access where you need to.

0
 
LVL 2

Author Closing Comment

by:_valkyrie_
ID: 35113125
I'm not going with the dual LAN idea. I switched it to a bridged interface on our router and will be using ACLs to keep data from flowing in the wrong direction.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question