Hi,
I have a central office network with two Cisco 1760 routers: the central router that interconnects corporate sites spread over a city and an Internet router that NATs the central office network for Internet access. There are also several GRE/IPSec VPN tunnels to branch offices located in other cities that are terminated on the Internet Cisco router. These two routers are connected via an IP link with a /30 netmask, and this network belongs to the corporate network address space.
Now I'm going to set up an MS ISA Firewall between the central router and the Internet router to provide some kind of Web content filtering and user authentication and accounting. The fact is that traffic originating from branch office networks, which comes from the Internet Cisco router to the outside ("red") interface of the ISA Firewall, is treated as dangerous Internet traffic by ISA and therefore blocked.
Now I think that it was not a very good idea to terminate the VPN tunnels on the Internet router and they should be terminated on the central router instead. It will make the Intranet router simpler and more reasonable.
So I have one question that concerns network design:
Is it a right decision to terminate my VPNs on central router?
and one practical question:
Is there any way to terminate VPNs on Central router?
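As an added illustration (not part of the original post, and not a configuration from the poster's network), the sketch below shows the general shape of moving a GRE/IPsec tunnel endpoint from an Internet-facing router to an inside router that sits behind NAT and a firewall. All addresses, interface names, the pre-shared key and the branch peer are hypothetical placeholders; the Internet router's NAT statements and the ISA rule described in the comments are assumptions about what such a design needs, not facts from the post.

```cisco
! ===== Central (inside) router: becomes the tunnel endpoint =====
! Assumed inside address of the central router's link to the Internet router: 10.0.0.2
! Assumed branch office public peer: 203.0.113.20
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.20
!
crypto ipsec transform-set BRANCH-TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile GRE-PROTECT
 set transform-set BRANCH-TS
!
interface Tunnel0
 description GRE/IPsec to branch office (placeholder peer)
 ip address 10.255.0.1 255.255.255.252
 ! tunnel source is the private address; the Internet router presents it
 ! to the branch as the public address via static NAT (NAT-T handles the
 ! ESP inside UDP 4500, so the private source is acceptable)
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.20
 tunnel protection ipsec profile GRE-PROTECT
!
! Branch networks are reached through the tunnel, so they are inside
! traffic from the central router's point of view and never cross ISA
! as "red"-side Internet traffic
ip route 192.168.10.0 255.255.255.0 Tunnel0

! ===== Internet (outside) router: forwards IKE and ESP to the inside peer =====
! Assumed public address on the Internet router: 203.0.113.10
! Each branch peer must use 203.0.113.10 as its tunnel/crypto destination.
ip nat inside source static udp 10.0.0.2 500 203.0.113.10 500 extendable
ip nat inside source static udp 10.0.0.2 4500 203.0.113.10 4500 extendable
ip nat inside source static esp 10.0.0.2 interface FastEthernet0/1

! ===== ISA Firewall (between the two routers) =====
! ISA must permit, from the branch peers' public addresses to 10.0.0.2 only:
!   UDP 500 (ISAKMP), UDP 4500 (NAT-T) and IP protocol 50 (ESP)
! Everything else from the red interface stays subject to the normal policy.
```

The security point this layout illustrates is that only the encrypted control and data channels (IKE and ESP/NAT-T) toward the single inside peer need to be allowed through the firewall, while the decrypted branch traffic appears on the central router's inside side and is routed and filtered as corporate traffic rather than as untrusted Internet traffic. Whether the 1760's IOS feature set supports the exact cipher names used here, and whether ESP static NAT is available on the Internet router's image, should be checked against that platform's documentation before relying on this sketch.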