Where do I place the VPN 3000 Concentrator in regard to my network firewall

Nov 15th, 2007

While the answer under the FAQ is:


The VPN 3000 Concentrator can be placed in front of, behind, parallel to, or in the demilitarized zone (DMZ) of a firewall. It is not advisable to have the public and private interfaces in the same virtual LAN (VLAN).


What does "It is not advisable to have the public and private interfaces in the same virtual LAN (VLAN)." mean?


I am setting up a LAN-to-LAN IPsec VPN on a VPN Concentrator 3005 for a client, and they are concerned that if we put the device in front of the firewall, malicious people could get to their LAN via the Concentrator's public interface.


Is this the case?

Thanks,

David

Jon Marshall Thu, 11/15/2007 - 10:24

Hi David


There are generally two ways I have seen VPN concentrators deployed.


1) Public interface on one DMZ behind the firewall. Private interface on another DMZ behind the firewall. To get to the public interface you have to pass through the firewall.


2) Public interface parallel with the firewall, i.e. the public interface is usually assigned an IP address out of the same subnet as the outside interface of the firewall. Private interface connected to a DMZ hanging off the firewall.


I would not want to have the private interface connecting straight into the LAN, rather in both 1 & 2 it should be connected to a DMZ.


With option 1 you can add a rule on your firewall to only allow the relevant IPSEC ports to the public interface of your concentrator. However, sometimes the firewall can be more of a hindrance than a help, especially if you are using a lot of NAT.


With option 2 you need to make sure that only the IPSEC protocols are accepted on the public interface. No problems with NAT at your end. If you happen to have control over your border router upstream of the firewall, then you can add an access-list rule to only allow IPSEC ports to the public interface of your concentrator.


Either way is acceptable, the key thing being that common to both is the need to have the private interface on a DMZ.


HTH


Jon
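As an added illustration of the border-router access list Jon describes for option 2 (this is not configuration from the thread or from Cisco's documentation for the 3005), here is what the "only IPSEC to the concentrator's public interface" rule looks like in Cisco IOS syntax. The addresses are assumptions: 203.0.113.10 stands for the concentrator's public interface, 198.51.100.5 for the remote LAN-to-LAN peer, and FastEthernet0/0 for the router's Internet-facing interface. IKE uses UDP 500 (the IOS keyword isakmp), NAT-T uses UDP 4500 (non500-isakmp), and the tunnel traffic itself is ESP (IP protocol 50).

```cisco
! Assumed addresses: 203.0.113.10 = concentrator public interface,
! 198.51.100.5 = remote LAN-to-LAN peer, Fa0/0 = Internet-facing interface.
ip access-list extended VPN-PUBLIC-IN
 remark Only the known peer may bring up IKE / NAT-T / ESP to the concentrator
 permit udp host 198.51.100.5 host 203.0.113.10 eq isakmp
 permit udp host 198.51.100.5 host 203.0.113.10 eq non500-isakmp
 permit esp host 198.51.100.5 host 203.0.113.10
 remark Everything else aimed at the concentrator's public address is dropped and logged
 deny ip any host 203.0.113.10 log
 remark Traffic for the firewall's outside interface and anything else is left alone
 permit ip any any
!
interface FastEthernet0/0
 ip access-group VPN-PUBLIC-IN in
```

For a LAN-to-LAN tunnel with a fixed peer the source can be pinned to that peer as above; if the same concentrator also terminates remote-access clients from unknown addresses, the source on the three permit lines has to become `any`, and the deny line then does the real work of keeping management and every other service on the public interface unreachable from the Internet. The NAT-T line is only needed if a NAT device sits between the peers; drop it otherwise.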
