02-27-2007 01:36 PM - edited 02-21-2020 02:53 PM
I would like to confirm that if my office only requires VPN access, NO internet browsing, then a VPN CON would be secure enough and I do not need any FW.
Please let me know if my understanding is correct.
Thanks
02-27-2007 03:28 PM
Warren,
You are correct - you would just need a VPN concentrator for VPN access.
FYI - Cisco VPN concentrators are end-of-life at the moment.
It would be a better idea just to get an ASA 5505 instead of the concentrator 3005.
Cheers
Gilbert
Rate this post, if it helps!
02-28-2007 08:44 AM
Hi Gilbert,
So what if the internal PCs need to access the internet? What is the common way to deploy a PIX and a VPN CON?
I would think to put a PIX alongside the VPN CON. But I think I read something like putting the VPN CON behind the PIX. I tried the latter but did not get it to work.
Could you please advise?
Thanks
02-28-2007 09:20 AM
Hi,
Most of the time a concentrator and PIX are used in series: the concentrator on a different segment (DMZ) of the PIX firewall.
So, the concentrator's real IP will be an RFC 1918 address, but it will be NATted via the PIX firewall (one-to-one NAT).
Once you have the one-to-one NAT configured, you would need to allow the protocols like UDP 500, ESP and NAT-T through the firewall so that clients or remote devices can build IPsec sessions.
Or you can just use the PIX firewall to terminate VPN connections instead of the concentrator.
All decisions depend on cost, security, reliability, back-up scenarios, network architecture, etc.
Rate this topic, if it helps
Cheers
Gilbert
02-28-2007 09:30 AM
Are you aware of any document on this setup on the Cisco site? If yes, could you please point me to it.
Thanks again.
02-28-2007 09:32 AM
Hi Gilbert,
BTW, I use VPN CON simply for its webVPN functionality, NOT IPsec.
02-28-2007 10:15 AM
Warren,
In the WebVPN functionality, are you using Citrix MetaFrame apps? If so, it is better to put the concentrator in parallel to the PIX.
This is due to the IP address getting NATted and the certificates used by Citrix, etc.
There is no document on the website as to how to configure the concentrator and PIX in different scenarios, but there is an FAQ for the VPN 3000 concentrator:
http://www.cisco.com/warp/public/471/vpn_3000_faq.shtml
Rate this post, if it helped!
Cheers
Gilbert
02-28-2007 10:31 AM
OK, as said before, I need to access the office using WebVPN so I need the VPN CON.
So if I configure the 2 devices in parallel as below, from the point of view of security, it should be OK.
internet IP --- PIX ------
internet Office
internet IP --- VPN CON --
Thanks again.
Warren
02-28-2007 10:33 AM
My previous illustration may be confusing....
internet --- internet IP --- PIX --- office
internet --- internet IP --- VPN CON --- office
02-28-2007 04:40 PM
Warren,
So you are placing the VPN concentrator and the PIX in parallel.
That should not be a problem. Make sure you have HTTP access to the concentrator's outside interface blocked for administration, or just use IP-specific access rules to allow HTTP admin access.
Cheers
Gilbert
Rate this post!!