Options for deploying VPN endpoint inside another network

I've been puzzling over this for a little while and I wanted an opinion. We often deploy physically separate networks for our clients; a lot of the time their office IT does not have the infrastructure and support to ensure the reliability of our service. There are also political issues in some places: some of our setups have wireless link systems and not everyone is happy about that.

Regardless of how it happens, it happens; that isn't going to change any time soon. Networks and IT in general aren't our core business, so we're not interested in having to look after the rest of someone else's network outside of the stuff we've put in to manage and transport the data in our system.

What we'd like to do is place a router between the client's main office LAN and our network so that we can VPN to the router via their internet connection and do remote support. The problem I've now encountered is that IPSEC doesn't like NAT very much, and it seems that SSL VPNs get expensive quickly; we'd only need a single-user system.

The original plan was to use something like a Cisco 851 but we're open to suggestions so long as it doesn't become such a large part of the hardware cost.
 
Where we can get co-operation we're doing VPN terminating at the client's WAN point; this works fine with some of our bigger clients (it's just political then). I've been digging into NAT-T; it seems we'd need a Cisco 871 w/Advanced Sec/IP, which I've spotted for around £350, which is a pretty decent sort of cost.

I think we'll get one of those and have a play - how well does NAT-T work? If the router the client has establishes an outbound connection back to our office would we need any ports forwarding from the client's WAN router?

Alternatively, what kind of cost/device would we need to do SSL VPNs? They're much less of a headache!
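As an added illustration of the NAT-T question above (not code from the thread or from any Cisco product), this models how IKE NAT-Traversal discovers a NAT on the path: each peer hashes the addresses it believes it is using, the other side recomputes the hash over what it actually saw on the wire, and any mismatch moves IKE and ESP to UDP/4500. The SPIs, addresses and ports are constructed values.

```python
import hashlib
import ipaddress
import struct

# Added example, not from the thread. NAT-D (RFC 3947, IKEv1) and NAT_DETECTION_*_IP
# (RFC 7296 s.2.23, IKEv2) both carry SHA-1(SPIi | SPIr | IP | port).


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over both 8-byte SPIs, the IP in network byte order and the 16-bit port."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def initiator_payloads(spi_i, spi_r, my_ip, my_port, peer_ip, peer_port):
    """What the site router (initiator) puts in its NAT-D / NAT_DETECTION payloads."""
    return {
        "source": nat_detection_hash(spi_i, spi_r, my_ip, my_port),
        "destination": nat_detection_hash(spi_i, spi_r, peer_ip, peer_port),
    }


def responder_classify(spi_i, spi_r, payloads, seen_src_ip, seen_src_port, own_ip, own_port):
    """Responder (the office end) compares the claimed hashes with what it observed.
    A source mismatch means the initiator is behind a NAT; a destination mismatch
    means the responder's own address was rewritten (it is behind a NAT itself)."""
    observed_src = nat_detection_hash(spi_i, spi_r, seen_src_ip, seen_src_port)
    observed_dst = nat_detection_hash(spi_i, spi_r, own_ip, own_port)
    initiator_nat = payloads["source"] != observed_src
    responder_nat = payloads["destination"] != observed_dst
    return {
        "initiator_behind_nat": initiator_nat,
        "responder_behind_nat": responder_nat,
        # Once any NAT is detected both peers switch IKE and ESP to UDP encapsulation on 4500.
        "udp_port": 4500 if (initiator_nat or responder_nat) else 500,
    }


def demo():
    """Constructed scenario: site router 192.168.1.1 initiates outbound through the client's
    WAN router, which rewrites the source to 198.51.100.7:41000; office responder is 203.0.113.9."""
    spi_i = bytes.fromhex("0123456789abcdef")  # constructed cookies/SPIs
    spi_r = bytes.fromhex("fedcba9876543210")
    claimed = initiator_payloads(spi_i, spi_r, "192.168.1.1", 500, "203.0.113.9", 500)
    return responder_classify(spi_i, spi_r, claimed, "198.51.100.7", 41000, "203.0.113.9", 500)


if __name__ == "__main__":
    print(demo())
```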
 
Yes, the ASA 5505 has 2 SSL users allowed on the base version; that's a viable option (as it's about the same price as the 871). We'll have to check its other shortcomings and decide if it'll be suitable.

Do you know if the Cisco SSL implementation is compatible with anything else? We'd consider keeping the links permanently up to do remote monitoring, and at least with the IPSEC there is the option of routing it all through something like OpenSWAN (not ideal, but the option is there).

We're not fussed if it's Cisco or not, but at least one of our clients has mandated it and we'd like to settle on a standard solution; easier to support in the long run.
 
Our smaller clients usually only have an ADSL connection, so siting ours with theirs probably isn't an option there. I think IPSEC is probably the route to go; the ASA at least does both, so we could get one and have a play to see if it'll work how we like.

Most of our work is with commercial ports; we do radar systems. The problem we have is that some IT people don't seem to understand the 'Mission Critical' aspect of having a navigation system within a port, and just because the system wasn't designed/ordered/implemented through the IT dept they can be a bit funny about co-operating.

Most of our clients are really good though, highly co-operative; we're just trying to standardise on our solutions a bit so they'll translate well between small, large, easy and difficult clients.
 
A separate line is going to work out either about the same or more expensive: £120 to BT to install, £12/month line rental, then even the most basic service is at £10-15/month.

A suitable router (we've now identified) is the Cisco 871 with Adv Sec at around £350 one-off. The good part about that is if the client chooses not to renew their service contract we can remove the remote support equipment and deploy it again elsewhere.

It really varies from client to client what they have available. One we're doing soon is prepared (and has the expertise) to give us a public IP for our router without any hassles. Some have full-on leased line connectivity, some only have a basic ADSL connection; it's rarely practical to have another line installed, especially when they're inside a secure site with their own phone systems.
 
Well it's not my place to decide company policy and price structure!

Point taken though, we normally charge yearly for maintenance contracts as that's typically the cycle the site maintenance visits operate in.

Although all the costs would be passed on, it's no good if the price is going to double or triple. If we did have dedicated lines installed, we'd still have to buy a router anyway; while it may be a cheaper router, there's a much bigger overhead to manage, plus the difficulty of ending the service when the client chooses not to renew their maintenance contract.
 