I have a network wherein seven different offices are connecting to our main office through frame relay lines. It's sort of an internal network, not publicly accessible. Each of our offices also has a high speed DSL line for Internet access. We want to eliminate the frame relay lines and instead use DSL lines for VPN access. I understand that I can use a Cisco 1760 router with a static IP at my head office. Each group company has multiple clients that access our server. So VPN clients will be installed on each client machine. What is the additional infrastructure required at each group office to connect to our router apart from the VPN client? Please let me know the details I should look into and whether the above scenario can be set up without too much investment.
The scenario you describe sounds like a fairly typical IPsec remote access VPN. The Cisco 1760 will serve as the VPN's gateway, using DSL to obtain access to the Internet. Every remote host that needs to access your main office network will require Cisco VPN client software and some kind of Internet access. You will need to configure policies on your Cisco 1760 to permit access by those clients, including user credentials to authenticate each client, and IPsec selectors that determine which hosts/subnets each client is permitted to access inside your main office network.
Another option would be to install VPN hardware at every remote office and set up a site-to-site VPN that connects those 7 remote offices to your main office. Each host would not need its own VPN client software or user credentials, because all clients at each remote office would share the 7 tunnels between remote and main VPN gateways. This makes more sense if you want to let EVERYONE at each remote office have the SAME access to your main office network. However, if you want to permit only a few clients, or need to vary permission for individual users, then a remote access VPN is more appropriate.
For a remote access VPN with the hardware that you describe, each remote office will require Internet access. NAT Traversal in your Cisco 1760 and VPN Client software will let IPsec traffic be forwarded through remote office router/firewalls, no matter what they might be. However, the router/firewall at every remote office must be configured to permit bi-directional traffic on ports used by your VPN.
You will need to work with each remote office to install appropriately-configured Cisco VPN Client software on every remote host, to identify the username/password for each authorized user, and to train users about how and when to launch VPN clients.
On your Cisco 1760, you will probably decide to use Extended Authentication (XAUTH) and a policy that defines a preshared secret used by everyone in that group. You can authenticate users locally or use an ACS server for user authentication. To learn more about Cisco IOS IPsec configuration, see this Cisco white paper on IPsec deployment, particularly the section on "Cisco Easy VPN."
I am not sure from your description whether all 7 "group companies" should have access to the same resources at your main office, and whether those companies can access each other's networks using Frame Relay as a "hub and spoke" private network. You'll want to consider these questions when designing your VPN policies so that you can configure filters to enforce per-company restrictions.
Dig Deeper on Branch office network design
Related Q&A from Lisa Phifer
As the remote workforce increases, network managers and users might opt to set up two concurrent VPN connections from the same remote device. But ... Continue Reading
Is there a difference between a wireless access point vs. a router? Yes -- while the two wireless devices are related, they meet different needs in a... Continue Reading
Learn the differences between site-to-site VPNs vs. remote-access VPNs and find out about the protocols, benefits and the data security methods used ... Continue Reading