[c-nsp] can a VPN3000 do this?

Olav Langeland olav.langeland at active24.com
Fri Jul 28 19:28:40 EDT 2006


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Adam Greene
> Sent: 18. juli 2006 21.43
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] can a VPN3000 do this?
> 
> Hi,
> 
> We have two sets of customers who need access to a server on our network.
> One set (set A) will access the server via a VPN. The other set (set B) will
> access it directly (no VPN).
> 
> My question is this: can I position a VPN3000 concentrator somewhere on the
> network, in such a way that customer set A does not need to pass through it
> to connect to the server, but customer set B does? i.e. the server would not
> be directly "behind" the VPN3000. Customer set A would bypass the VPN3000
> entirely. Customer set B, on the other hand, would establish a session to
> the VPN3000 and then tunnel through to the server.
> 
> I haven't configured a VPN3000 before, so I'm not sure if this kind of setup
> is possible.
> 
> Thanks for your advice,
> Adam

Hi,

This can be done. Traffic from Customer B to the server will only go
through the VPN3000 when the VPN tunnel is active; a route is added that
sends the traffic through the VPN tunnel instead of the open internet.

A good tip (if you don't already have one) is to draw an overview of the
network that is involved, with all devices and interfaces. If the
solution includes a site-to-site tunnel with Client B, draw his network
as well. Pay extra attention to where you place the 2 VPN3000
interfaces; you want an ACL on the incoming traffic from VPN customers.

-olav


