Single Site with Internet and VPN: Network Design

In the last post, we discussed network design of single site with internet only. In this post, we will discuss network design of single site with internet and VPN. Let’s explore the two possible options:

Single Site with Internet and VPN: Option 1

The Internet Firewall can provide the additional functionality of VPN gateway (IPSEC/SSL Client to Site and IPSEC Site to Site) Notable is that while configuring Internet and VPN access for Inside and outside users respectively, the firewall should

For VPN –
Explicitly match source and destination IP for VPN traffic (Interesting traffic)

For Internet (NAT)-
Deny the source and destination subnets in NAT entry which were matched in VPN.

Single Site with Internet and VPN: Option 2

When we require a dedicated VPN gateway (IPSEC/SSL Client to Site and IPSEC Site to Site), the firewall would have 2 zones facing the VPN Gateway box, DMZ Zone and Inside1 Zone.

DMZ Zone – 
Public facing Zone on which the remote VPN User or VPN device will form VPN tunnel.

Inside1 Zone –
Zone facing inside for VPN traffic traversal to Secured inside network.

ABOUT THE AUTHOR

Rashmi Bhardwaj

Founder of AAR TECHNOSOLUTIONS, Rashmi is an evangelist for IT and technology. With more than 12 years in the IT ecosystem, she has been supporting multi domain functions across IT & consultancy services, in addition to Technical content making.

You can learn more about her on her linkedin profile – Rashmi Bhardwaj