• Status: Solved

Running 3rd party App over VPN tunnel

Hi EE,

I have three 887 cisco routers, RA1, RB1 and RB2

Site A has RA1 and site B has RB1 and RB2

I have a third party Application (APP) that runs on 5 PCs at Site B (10.10.10.1-5) and they use a Server at site A (10.10.0.10) to complete their work using this APP.

I have created 2 VPN tunnels: RA1 <-> RB1 (Tunnel1) and RA1 <-> RB2 (Tunnel2). The physical end point on RA1 is the same for both tunnels (dial0). Both subnets can reach each other and also the internet.

I want to isolate the traffic for APP (port XXXX) so it goes only via Tunnel2 between the 5 PCs and the server. All other traffic (http, https, ftp, internet traffic, etc.) should go via Tunnel1. The hosts on site B that use the APP also use the internet, so internet traffic should go via tun1.

Any thoughts, ideas and pointers to right direction most appreciated. Thanks.
0
Asked: Daera
1 Solution
 
greg ward Commented:
0
 
kevinhsieh Commented:
+1 for policy based routing (PBR).
0
 
Daera (Author) Commented:
deepdraw, thanks. PBR works well for RA1, but what I also want to achieve is for all 5 PCs to use RB2 when going to the server. Both routers connect to the same subnet, 10.10.10.0, with RB1 at .111 and RB2 at .112.

Leaves me with:

- Use only one gateway for hosts, i.e. .112. This means that I can then use PBR on RB2 to pass traffic to RA1, or route traffic to RB1 if it is not going to the server.

- Use two gateways: gateway .112 for traffic going to the server and gateway .111 for traffic going to everything else. Any ideas on how to achieve this?
0
 
kevinhsieh Commented:
RB1 should be the default gateway for all machines at the remote site. RB1 would have PBR configured to send specific traffic to RB2, which would use normal routing to send it through tunnel 2.
0
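The design in the comment above (RB1 as default gateway, policy-routing only the APP flows sideways to RB2) can be expressed as the following IOS configuration. This is an added example for illustration, not configuration posted by anyone in the thread. It assumes the Site B LAN sits on interface Vlan1 of the 887 (the integrated switch ports), RB1 is 10.10.10.111, RB2 is 10.10.10.112, the server is 10.10.0.10, and the APP TCP port is still the placeholder XXXX from the question; substitute the real port before use.

```cisco
! Added example: PBR on RB1, the Site B default gateway (not from the thread).
! Assumed: LAN 10.10.10.0/24 on Vlan1, RB1 = .111, RB2 = .112,
! server = 10.10.0.10, APP TCP port = XXXX (placeholder from the question).
!
! 1. Match only APP traffic from the five PCs to the server; everything
!    else is denied by the ACL, which for PBR means "not policy-routed".
ip access-list extended APP-VIA-RB2
 permit tcp host 10.10.10.1 host 10.10.0.10 eq XXXX
 permit tcp host 10.10.10.2 host 10.10.0.10 eq XXXX
 permit tcp host 10.10.10.3 host 10.10.0.10 eq XXXX
 permit tcp host 10.10.10.4 host 10.10.0.10 eq XXXX
 permit tcp host 10.10.10.5 host 10.10.0.10 eq XXXX
 deny   ip any any
!
! 2. Route-map: matching packets are handed to RB2 as next hop; packets
!    that do not match fall through to the routing table, i.e. the
!    default route via Tunnel1 for internet and all other traffic.
route-map PBR-APP permit 10
 match ip address APP-VIA-RB2
 set ip next-hop 10.10.10.112
!
! 3. Apply the policy on the LAN-facing interface where PC traffic arrives.
interface Vlan1
 description Site B LAN, RB1 is the PCs' default gateway
 ip address 10.10.10.111 255.255.255.0
 ip policy route-map PBR-APP
```

To confirm the policy is taking effect, `show ip policy` lists the interface binding and `show route-map PBR-APP` shows a packet counter that should increase while a PC uses the APP; traceroute from a PC is not a useful check because it does not use the APP port and so will not match the ACL. The return path matters too: the server's replies must be policy-routed into Tunnel2 on RA1 (which the author reports already works), otherwise the flow is asymmetric and any stateful inspection or zone-based firewall on the tunnels may drop it.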
 
Daera (Author) Commented:
So what you are saying is that any traffic going to the server will go 2 hops before it goes out tun2, i.e. PC1 -> RB1 -> RB2 (tun2) -> RA1 -> server. I'm trying to avoid the two hops for the traffic as both routers are connected to the LAN. If there is no other solution then I may have to use that.
0
 
kevinhsieh Commented:
Why are you worried about two hops on the LAN? That's an easy and low networking cost solution. It's not like I am sending you over an extra WAN hop. The only other solution would be to manually configure each PC with static routes to the remote server pointing to RB2, and that works only if all traffic to that IP can go over tunnel 2. Configuring static routes on the workstations is a horrible plan IMHO with lots of drawbacks and will save less than 1 ms.
0
 
greg ward Commented:
PC1 -> RB1 -> RB2 (tun2) -> RA1 -> server
Is PC1 connected straight to the router or is there a switch in between? If so, are both routers plugged into the switch?
Are both the routers connected?
Do you want to set up the VPN with EIGRP and use QoS instead?
0
 
Daera (Author) Commented:
Both RB1 and RB2 are plugged into a switch, and so are the PCs. Will implement PBR and that should do it, as it is all gigabit speed anyway on the LAN side. There is no need for EIGRP VPN or QoS, as IP traffic from the PC to the server will all go through the tunnel as that is the destination, so static routes are enough. Thanks.
0
