Forum Discussion

Evan
Joining the Conversation
2 months ago

2-arm VPN router behind Socket

I have a Cisco router from a 3rd party provider that provides access to that 3rd party provider's networks. This router uses a 2-arm configuration with WAN and LAN interfaces. The WAN cannot be a public routed IP, it must be a private IP.

The router's existing deployment has the WAN interface connected to a DMZ zone off our legacy firewall, which uses a subnet of 192.168.1.0/24 and the router's LAN interface is connected to a trusted LAN subnet of 172.29.1.0/24. The firewall does not have any inbound ports open to the VPN router's WAN interface, as the router is configured to outbound initiate the VPN tunnel.

I need to move this router to sit behind the Socket so I can remove the legacy firewall from our network. What would be the best way to set this up? Note that VLANs are terminated to a L3 switch at this location, and I am not looking to move them to the Socket at this time. I would also prefer to not have the 192.168.1.0/24 subnet advertised to the entire Cato network (especially ZTNA clients).

1 Reply

  • michaelsaw
    Cato Professional Services

    Hi Evan,

    Would you be able to share/upload a simple network diagram on this?
    Would you also share the Cisco router model you mentioned?

    Cheers