VPN CON 3005

Feb 27th, 2007

I would like to confirm that if my office only requires VPN access, NO internet browsing, then a VPN CON would be secure enough and I do not need any FW.

Please let me know if my understanding is correct.


ggilbert Tue, 02/27/2007 - 15:28


You are correct - You would just need a VPN concentrator for VPN access.

FYI - Cisco VPN concentrators are End-of-life at the moment.

It would be a better idea just to get an ASA 5505 instead of the concentrator 3005.



Rate this post, if it helps!

warren-chan Wed, 02/28/2007 - 08:44

Hi Gilbert,

So what if the internal PC needs to access internet, what is the common way to deploy a PIX and a VPN CON?

I would think to put a PIX alongside the VPN CON. But I think I read something like putting the VPN CON behind the PIX. I tried the latter but did not get it to work.

Could you please advise?


ggilbert Wed, 02/28/2007 - 09:20


Most of the time a concentrator and PIX are used in series -

Concentrator on a different segment (DMZ) of the PIX firewall.

So, the concentrator real IP will be an RFC 1918, but it will be NATted via the PIX firewall. One to One - NAT.

Once you have the one to one NAT configured, then you would need to allow the protocols like UDP 500, ESP & NAT-T to go through the firewall so that clients or remote devices can build IPSec sessions.

Or you can just use the PIX firewall to terminate VPN connections instead of the concentrator.

All decisions depend on cost, security, reliability, back-up scenarios, network architecture, etc.

Rate this topic, if it helps
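
The series layout described in the reply above, sketched as PIX configuration. This is an added example, not part of the original posts; the interface name `dmz`, the ACL name `outside_in` and both addresses (203.0.113.10 as the public address, 192.168.10.5 as the concentrator's real address) are constructed placeholders, and lines starting with `!` are annotations.

```cisco
! One-to-one NAT: public address mapped to the concentrator's
! RFC 1918 address on the DMZ segment
static (dmz,outside) 203.0.113.10 192.168.10.5 netmask 255.255.255.255

! IKE negotiation (UDP 500)
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
! ESP (IP protocol 50)
access-list outside_in permit esp any host 203.0.113.10
! NAT-T (UDP 4500), for clients that sit behind their own NAT
access-list outside_in permit udp any host 203.0.113.10 eq 4500

! Apply the ACL to traffic arriving on the outside interface
access-group outside_in in interface outside
```

Everything else addressed to the concentrator's public address is dropped by the implicit deny at the end of the ACL.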



warren-chan Wed, 02/28/2007 - 09:30

Are you aware of any document on this setup on the Cisco site? If yes, could you please point me to it.

Thanks again.

warren-chan Wed, 02/28/2007 - 09:32

Hi Gilbert,

BTW, I use VPN CON simply for its WebVPN functionality, NOT IPsec.

ggilbert Wed, 02/28/2007 - 10:15


In the WebVPN functionality, are you using Citrix MetaFrame apps? If so, it is better to put the concentrator in parallel to the PIX.

Due to IP address getting NATted and the certificates used by Citrix, etc.

There is no document on the website as to how to configure the concentrator and PIX in different scenarios but there is an FAQ for VPN 3000 concentrator.


Rate this post, if it helped!



warren-chan Wed, 02/28/2007 - 10:31

OK, as said before, I need to access the office using WebVPN so I need VPN CON.

So if I configure the 2 devices in parallel as below, from the point of view of security, it should be OK.

internet IP --- PIX ------

internet Office

internet IP --- VPN CON --

Thanks again.


warren-chan Wed, 02/28/2007 - 10:33

My previous illustration may be confusing....

internet --- internet IP --- PIX --- office

internet --- internet IP --- VPN CON --- office

ggilbert Wed, 02/28/2007 - 16:40


So you are placing the VPN concentrator and the PIX in parallel.

That should not be a problem. Make sure you have the concentrator outside HTTP access blocked for administrative access or just use IP specific access rules to allow HTTP admin access.



Rate this post!!

