Options for deploying VPN endpoint inside another network

I've been puzzling over this for a little while and I wanted an opinion. We often deploy physically separate networks for our clients - a lot of the time their office IT does not have the infrastructure and support to ensure the reliability of our service - there are also political issues in some places; some of our setups have wireless link systems and not everyone is happy about that.

Regardless of how it happens, it happens - that isn't going to change any time soon. Networks and IT in general aren't our core business, so we're not interested in having to look after the rest of someone else's network outside of the stuff we've put in to manage and transport the data in our system.

What we'd like to do is place a router between the client's main office LAN and our network so that we can VPN to the router via their internet connection and do remote support. The problem I've now encountered is that IPSEC doesn't like NAT very much, and it seems that SSL VPNs get expensive quickly - we'd only need a single user system.

The original plan was to use something like a Cisco 851 but we're open to suggestions so long as it doesn't become such a large part of the hardware cost.
 
Where we can get co-operation we're doing VPN terminating at the client's WAN point - this works fine with some of our bigger clients (it's just political then). I've been digging into NAT-T; it seems we'd need a Cisco 871 w/Advanced Sec/IP, which I've spotted for around £350, which is a pretty decent sort of cost.

I think we'll get one of those and have a play - how well does NAT-T work? If the router the client has establishes an outbound connection back to our office, would we need any ports forwarding from the client's WAN router?

Alternatively, what kind of cost/device would we need to do SSL VPNs - they're much less of a headache!
 
I've only used NAT-T once before; that was for an Aruba wireless controller providing 'remote-ap' which we were hosting behind a Juniper firewall. Seems to do the job. That was inbound connections only, so I can't really answer your question about outbound connections. I think the NAT-T is mostly used for the initial security association though, so I can't see it working differently regardless of the direction of the connection.

The only SSL VPN stuff I have used is SonicWall Aventail; I manage a cluster of them, with a user count of 500. Since you only need single user type solutions, and you seem to be leaning towards a Cisco solution, don't the baby ASA devices come with 2x SSL connections enabled by default?
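Since the NAT-T question keeps coming up, here is an added example (not from any poster in this thread) of what NAT-T actually puts on the wire. Per RFC 3948, IKE and UDP-encapsulated ESP share UDP 4500 and the receiver tells them apart by the first bytes of each datagram; the responder only ever replies to the source port the NAT mapped, and the one-byte 0xFF keepalives exist to keep that mapping alive. The sample datagrams are constructed, not captured from any device.

```python
import struct

# RFC 3948 on-the-wire rules for UDP/4500 once NAT-T has been negotiated:
# IKE is prefixed with a 4-byte zero "non-ESP marker", a single 0xFF byte is
# a NAT-keepalive, and anything else is UDP-encapsulated ESP (SPI comes first).
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"

def classify_udp4500(payload: bytes):
    """Demultiplex one UDP/4500 payload; returns (kind, details)."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive", {}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[4:]
        if len(ike) < 28:
            raise ValueError("truncated ISAKMP header")
        # ISAKMP header: iSPI(8) rSPI(8) next-payload(1) version(1)
        # exchange-type(1) flags(1) message-id(4) length(4), network order.
        ispi, rspi, nxt, ver, xchg, flags, msgid, length = struct.unpack(
            "!8s8sBBBBII", ike[:28])
        if length != len(ike):
            raise ValueError("ISAKMP length field does not match datagram")
        return "ike", {
            "initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),
            "major_version": ver >> 4, "exchange_type": xchg,
            "from_initiator": bool(flags & 0x08), "message_id": msgid}
    if len(payload) < 8:
        raise ValueError("too short for UDP-encapsulated ESP")
    spi, seq = struct.unpack("!II", payload[:8])
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the marker")
    return "esp", {"spi": spi, "seq": seq, "length": len(payload)}

def count_kinds(datagrams):
    """Tally what a batch of UDP/4500 payloads is carrying."""
    counts = {"ike": 0, "esp": 0, "nat-keepalive": 0}
    for d in datagrams:
        counts[classify_udp4500(d)[0]] += 1
    return counts

# Constructed samples (not captured from any real device): a header-only
# IKEv2 IKE_SA_INIT request (exchange type 34, initiator flag set), an ESP
# datagram with 16 bytes of opaque ciphertext, and a keepalive.
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, 0, 0x20, 34, 0x08, 0, 28)
SAMPLE_ESP = struct.pack("!II", 0x1234ABCD, 7) + b"\xaa" * 16
SAMPLES = [SAMPLE_IKE, SAMPLE_ESP, SAMPLE_ESP, NAT_KEEPALIVE]
```

Run against a real capture, the tally tells you whether a tunnel that should be carrying traffic is in fact only exchanging keepalives and IKE, which is the usual symptom when the NAT mapping has expired.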
 
Yes, the ASA 5505 has 2 SSL users allowed on the base version - that's a viable option (as it's about the same price as the 871); we'll have to check its other shortcomings and decide if it'll be suitable.

Do you know if the Cisco SSL implementation is compatible with anything else? We'd consider keeping the links permanently up to do remote monitoring, and at least with the IPSEC there is the option of routing it all through something like OpenSWAN (not ideal, but the option is there).

We're not fussed if it's Cisco or not, but at least one of our clients has mandated it and we'd like to settle on a standard solution - easier to support in the long run.
 
Don't think so; I think the SSL side of things will be client-server rather than LAN-LAN. Dependent upon the presentation of the internet connection, you could always site your device at the perimeter alongside theirs, and then connect the inside interface to your network?

Edit: you mention a lot of politics involved; you wouldn't happen to work with public sector organisations, would you?!
 
Our smaller clients usually only have an ADSL connection, so siting ours with theirs probably isn't an option there - I think IPSEC is probably the route to go - the ASA at least does both, so we could get one and have a play to see if it'll work how we like.

Most of our work is with commercial ports - we do radar systems. The problem we have is that some IT people don't seem to understand the 'Mission Critical' aspect to having a navigation system within a port, and just because the system wasn't designed/ordered/implemented through the IT dept they can be a bit funny about co-operating.

Most of our clients are really good though, highly co-operative; we're just trying to standardise on our solutions a bit so they'll translate well between small, large, easy and difficult clients.
 
I reckon looking at the NAT-T option would be the best bet, then either terminate the tunnel on a router running the correct firmware, or an ASA. Alternatively, take a look at the Juniper kit; I work with that pretty exclusively, and I like it. Dead easy to work with! :)
 
As another option, have you considered just stumping up for a basic ADSL line to give you separate management of the solution? It saves messing with the client's network and makes your access totally independent. Quite a few ISPs do this for CPE management (hell, BT use ISDN connections to manage LES circuits), so it's well regarded as an option. Might be cheaper than shelling out for a firewall per site...
 
A separate line is going to work out either about the same or more expensive - £120 to BT to install, £12/month line rental, then even the most basic service is at £10-15/month.

A suitable router (we've now identified) is the Cisco 871 with Adv Sec at around £350 one-off. The good part about that is if the client chooses not to renew their service contract we can remove the remote support equipment and deploy it again elsewhere.

It really varies from client to client what they have available - one we're doing soon is prepared (and has the expertise) to give us a public IP for our router without any hassles. Some have full-on leased line connectivity, some only have a basic ADSL connection; it's rarely practical to have another line installed - especially when they're inside a secure site with their own phone systems.
 
Well, I assume you're going to pass any costs on, and a lot of businesses would consider something billed monthly as preferable to an up-front cost (depending on how the client is paying). But if it doesn't work for you it doesn't; just saying a lot of companies do it rather than mess about with clients who may or may not know what they're doing...
 
Well it's not my place to decide company policy and price structure!

Point taken though, we normally charge yearly for maintenance contracts as that's typically the cycle the site maintenance visits operate in.

Although all the costs would be passed on, it's no good if the price is going to double or triple. If we did have dedicated lines installed, we'd still have to buy a router anyway - while it may be a cheaper router, there's a much bigger overhead to manage, plus the difficulty of ending the service when the client chooses not to renew their maintenance contract.
 