724 Views | 10 Helpful | 9 Replies

VPN CON 3005

warren-chan
Level 1

I would like to confirm that if my office only requires VPN access, NO internet browsing, then a VPN CON would be secure enough and I do not need any FW.

Please let me know if my understanding is correct.

Thanks

9 Replies

ggilbert
Cisco Employee

Warren,

You are correct - You would just need a VPN concentrator for VPN access.

FYI - Cisco VPN concentrators are End-of-life at the moment.

It would be a better idea just to get an ASA 5505 instead of the concentrator 3005.

Cheers

Gilbert

Rate this post, if it helps!

Hi Gilbert,

So what if the internal PC needs to access internet, what is the common way to deploy a PIX and a VPN CON?

I would think to put a PIX alongside the VPN CON. But I think I read something like putting the VPN CON behind the PIX. I tried the latter but did not get it to work.

Could you please advise?

Thanks

Hi,

Most of the time a concentrator and PIX are used in series -

Concentrator on a different segment (DMZ), of the PIX firewall.

So, the concentrator real IP will be an RFC 1918, but it will be NATted via the PIX firewall. One to One - NAT.

Once you have the one to one NAT configured, then you would need to allow the protocols like UDP 500, ESP & NAT-T to go through the firewall so that clients or remote devices can build IPSec sessions.

Or you can just use the PIX firewall to terminate VPN connections instead of the concentrator.

All decisions depend on cost, security, reliability, back-up scenarios, network architecture, etc..

Rate this topic, if it helps

Cheers

Gilbert
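The "in series" layout Gilbert describes (concentrator on a DMZ segment, one-to-one NAT on the PIX, and the IPsec protocols permitted through) can be written out as a PIX 6.x configuration fragment. This is an added, constructed example, not configuration from the thread or from Cisco: the interface name "dmz", the access-list name "outside_in", the concentrator's private address 192.168.10.10 and its public address 203.0.113.10 (an RFC 5737 documentation range) are all assumptions. Lines beginning with ":" are comments.

```cisco
: Constructed example, not from the thread. Addresses and names are assumptions.
: DMZ segment that holds the VPN 3000 concentrator (private, RFC 1918 address)
nameif ethernet2 dmz security50
ip address dmz 192.168.10.1 255.255.255.0
: One-to-one (static) NAT: the concentrator's real IP 192.168.10.10 is reachable
: from the Internet as 203.0.113.10
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
: Allow only what IPsec clients need to reach the concentrator: IKE (UDP 500),
: ESP (IP protocol 50) and NAT-T (UDP 4500). Nothing else from outside is permitted
: to the concentrator's public address; the implicit deny covers the rest.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit esp any host 203.0.113.10
access-list outside_in permit udp any host 203.0.113.10 eq 4500
access-group outside_in in interface outside
```

Because the static translation is specific to one host and the access list permits only the three IPsec flows, the concentrator's management interfaces (HTTP/HTTPS, Telnet) are not exposed through the firewall; a WebVPN deployment would additionally need TCP 443 permitted to 203.0.113.10, which is why Gilbert's later advice to restrict administrative HTTP access on the concentrator itself matters for that case.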

Are you aware of any document on this setup in Cisco site? If yes, could you please point it to me.

Thanks again.

Hi Gilbert,

BTW, I use VPN CON simply for its webVPN functionality, NOT IPsec.

Warren,

In the WebVPN functionality, are you using Citrix MetaFrame apps? If so, it is better to put the concentrator in parallel to the PIX.

Due to IP address getting NATted and the certificates used by Citrix, etc..

There is no document on the website as to how to configure the concentrator and PIX in different scenarios, but there is an FAQ for the VPN 3000 concentrator.

http://www.cisco.com/warp/public/471/vpn_3000_faq.shtml

Rate this post, if it helped!

Cheers

Gilbert

OK, as said before, I need to access the office using WebVPN so I need the VPN CON.

So if I configure the 2 devices in parallel as below, from the point of view of security, it should be OK.

internet IP --- PIX ------
internet                  Office
internet IP --- VPN CON --

Thanks again.

Warren

My previous illustration may be confusing....

internet --- internet IP --- PIX ----- office
internet --- internet IP --- VPN CON -- office

Warren,

So you are placing the VPN concentrator and the PIX in parallel.

That should not be a problem. Make sure you have the concentrator outside HTTP access blocked for administrative access or just use IP specific access rules to allow HTTP admin access.

Cheers

Gilbert

Rate this post!!
