
VPN Configuration

Status
Not open for further replies.

joelrob

IS-IT--Management
Jul 15, 2003
77
US
I've inherited the following situation from the Network Admin that left recently. A VPN solution is to be put in place to replace the IPSec VPN currently going to a Windows 2k3 server.

Network setup is:

Internet > Cisco 2811 > NetScreen25 > Cisco 1720 > Network Servers

The departed Admin purchased a security card for the Cisco 2811 to use it as the VPN server, but my question is whether or not that's even possible, since the 2811 sits outside the NetScreen firewall. Currently the VPN clients are going all the way in to one of the Network Servers and authenticating there. Authenticating at the 2811 isn't going to give them LAN visibility without opening up a bunch of stuff on the firewall, correct? Or am I missing something?
 
The NetScreen is not capable of terminating VPN connections?
We have a PIX firewall instead of the NetScreen25 and we terminate the connections there.
For the clients to get LAN visibility you should give them an internal IP address, internal DNS and then open the firewall for the internal IPs you want to allow them to access.
 
Yes, the NetScreen does support VPN connections, but Juniper charges for the VPN client, whereas Cisco includes it with the router we currently have. My suggestion has been to go ahead and purchase the NetScreen-Remote VPN client, but I was asked to find out whether or not the Cisco 2811 could be used for VPN termination. I just don't see any way to do that without then opening a tunnel from the Cisco to the NetScreen for the VPN clients.
 