Client and Network Extension Modes
The Cisco VPN 3002 supports two modes of operation to offer
implementation choices based on flexibility, security, and ease of configuration.
Those modes are
- Client mode
- Network Extension mode
A large VPN implementation might frequently have both types of
operation.
Client Mode
In Client mode, the VPN 3002 emulates
the VPN client software and appears to the central network as a single remote user. The
private hosts protected behind the VPN 3002 form a separate network that remains
invisible and nonroutable to the central site. The local hosts are assigned
their IP addresses by the VPN 3002 Dynamic Host Configuration Protocol (DHCP) server
feature, while the public port can use the VPN 3002 DHCP client feature to
acquire its IP address from an ISP. From a cost and address preservation
standpoint, it makes sense for the local IP addresses to be private IP
addresses.
To help secure the local network and to allow local hosts to
reach destinations outside it in Client mode, the VPN 3002 uses Port Address
Translation (PAT). Because all traffic to the central network carries the
public interface IP address as its source, PAT supplies and manages unique port number
mappings that are used in combination with that address to distinguish the local hosts.
Split tunneling is a useful feature that
provides the capability to have a secure tunnel to the central site, while
simultaneously maintaining a clear text tunnel to the Internet through the ISP.
The VPN 3002 uses PAT to protect the local workstations during split tunneling
to the Internet. If the organization security policy prohibits split tunneling,
it can be blocked by creating a policy on the central site device, which is then
pushed down to the 3002 Client.
The VPN 3002 Client can only create outbound connections, so
no way exists for an outside source to initiate a connection with the VPN 3002
or through it to the stations behind it.
Network Extension Mode
In Network Extension mode, the VPN
3002 establishes a secure site-to-site connection with the central site device.
The local stations behind the VPN 3002 are fully routable, and the local network
is visible to the central site. As the name implies, the local network becomes
part of the organization’s intranet. VPN 3002 configuration and security
policies are pushed from the central site.
In Network Extension mode, the private addresses are assigned
manually and permanently, allowing central-site hosts and applications to
reliably reach any local server, printer, POS terminal, IP phone, or other
device critical to the business.
PAT provides security for local host traffic heading to the
Internet through split tunneling. Because this outbound PAT on the VPN 3002 has no
configuration parameters that local users can adjust, security control stays
centralized, and a local misconfiguration cannot expose the central site to
compromise.
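The following is an added model, not Cisco code, of the Client-mode forwarding behaviour described above: outbound flows get a unique public-port mapping, an inbound packet reaches a private host only if it answers an existing mapping from the same remote, and a split-tunneling prohibition pushed from the central site blocks the clear-text path to the Internet. The addresses, port range and policy flag are constructed for illustration.

```python
"""Model of VPN 3002 Client-mode PAT and split-tunnel policy (added illustration, not Cisco code)."""
from dataclasses import dataclass, field
import ipaddress

PUBLIC_IP = "203.0.113.10"  # constructed: address the public port obtained from the ISP via DHCP
CENTRAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed: intranet reached through the tunnel


@dataclass
class Vpn3002Client:
    split_tunneling: bool = True  # False when the central site pushes a policy that prohibits it
    next_port: int = 40000        # constructed start of the public port pool
    # (proto, public_port) -> (private_ip, private_port, remote_ip)
    pat_table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, proto="tcp"):
        """A local host sends a packet.

        Returns (path, translated_src_ip, translated_src_port), or None when the
        pushed policy forbids a clear-text path to the Internet.
        """
        via_tunnel = ipaddress.ip_address(dst_ip) in CENTRAL_NET
        path = "tunnel" if via_tunnel else "internet"
        if not via_tunnel and not self.split_tunneling:
            return None  # split tunneling prohibited by central-site policy
        # Reuse the mapping for this private socket and remote; otherwise allocate a unique public port.
        for (p, pub_port), (ip, port, remote) in self.pat_table.items():
            if p == proto and (ip, port, remote) == (src_ip, src_port, dst_ip):
                return (path, PUBLIC_IP, pub_port)
        pub_port = self.next_port
        self.next_port += 1
        self.pat_table[(proto, pub_port)] = (src_ip, src_port, dst_ip)
        return (path, PUBLIC_IP, pub_port)

    def inbound(self, remote_ip, dst_port, proto="tcp"):
        """A packet arrives on the public interface.

        Only a reply to an existing outbound mapping, from the remote that mapping
        was created for, is forwarded; anything else is dropped (None), so no
        outside source can initiate a connection to the hosts behind the 3002.
        """
        entry = self.pat_table.get((proto, dst_port))
        if entry is None or entry[2] != remote_ip:
            return None
        return (entry[0], entry[1])
```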