VPN – Difference between WAN and VPN (tunnels)

site-to-site tunnel vpn wan

I got my CCENT and am working on ICND2 to get my CCNA. I am stuck on this topic and am unable to grasp the context: WAN and VPN and how they differ. My understanding is we need a WAN for "physical" connectivity between different locations so we can connect our private LANs in addition to going out to the Internet. With just a WAN link, all we can do is go out to the Internet, or if we have a routing protocol set up we can ping each router's public IP addresses.

Then with a VPN we use that existing WAN setup to create a virtual network so that private traffic generated from our LANs can communicate and exchange info. For example, a user in the local office is retrieving a file from a private server at the corporate office; this action is not possible with just a WAN link and a VPN is needed. Am I getting it right? Is a WAN alone just for public traffic, and does a VPN allow private traffic over our public WAN? Basically, what can I do with just a WAN link, what can I do with just a VPN, and do we almost always need both working together? Thanks for your help!

Best Answer

Originally, WANs were mostly defined by the specific layer 1/2 protocols (Frame Relay, HDLC, SONET, etc.) that they used, but Ethernet has taken over, and the others are rapidly fading into history. The term "WAN" now generally describes a network that covers some larger geographical area than a LAN. Sounds vague? It is.

Some WANs, like the Internet, are public, but others are private, supplied by service providers. A company, for example, may purchase a private WAN to connect its various offices. In that case, the company has exclusive use of the WAN.

VPNs are used when you need to make a "virtual" private connection over a non-private network. The Internet is the most common use (since Internet connectivity is usually cheaper than private WANs), but you can have VPNs connecting subgroups within a private WAN.

If you understand tunnels, then VPNs are just another type of tunnel. MPLS VPNs are private WANs built upon a service provider's network. The service provider ensures that your endpoints never communicate with another entity's endpoints. IPsec VPNs use encryption to protect the data and to authenticate the endpoints.
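
To make the tunnel idea concrete, here is an added example (not part of the original answer) that wraps a packet between two private LAN addresses inside an outer IPv4 header carrying the routers' public addresses. It uses plain IP-in-IP (protocol 4) with an HMAC-SHA256 tag appended as a simplified stand-in for the endpoint authentication IPsec provides; it does no encryption and is not the ESP wire format. All addresses, the key and the payload are constructed sample values.

```python
import hashlib, hmac, socket, struct

TAG_LEN = 32  # HMAC-SHA256 tag length (constructed framing, not ESP)

def checksum(hdr: bytes) -> int:
    # RFC 791 header checksum: one's-complement sum of 16-bit words
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # Minimal 20-byte IPv4 header (no options, TTL 64) followed by the payload
    def hdr(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                           64, proto, csum,
                           socket.inet_aton(src), socket.inet_aton(dst))
    return hdr(checksum(hdr(0))) + payload

def parse(pkt: bytes):
    # Returns (src, dst, proto, payload); a valid header checksums to zero
    if checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[20:])

def encapsulate(inner: bytes, wan_src: str, wan_dst: str, key: bytes) -> bytes:
    # The WAN only ever routes on the outer (public) addresses
    tag = hmac.new(key, inner, hashlib.sha256).digest()
    return ipv4(wan_src, wan_dst, 4, inner + tag)  # 4 = IP-in-IP

def decapsulate(outer: bytes, key: bytes) -> bytes:
    _, _, proto, body = parse(outer)
    if proto != 4 or len(body) <= TAG_LEN:
        raise ValueError("not a tunnel packet")
    inner, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(key, inner, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return inner  # original LAN packet, forwarded into the remote LAN

KEY = b"constructed-pre-shared-key"          # sample value
# Branch host -> corporate file server, both RFC 1918 private addresses;
# protocol 253 is the experimental number, used for the sample payload
INNER = ipv4("10.1.1.10", "10.2.2.20", 253, b"file request")
# Branch router -> HQ router, documentation-range public addresses
OUTER = encapsulate(INNER, "203.0.113.1", "198.51.100.1", KEY)

if __name__ == "__main__":
    print("on the WAN :", parse(OUTER)[:3])
    print("after exit :", parse(decapsulate(OUTER, KEY))[:3])
```
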