PIX & VPN 3005 Concentrator Deployment

Unanswered Question
Nov 26th, 2008

Hi,


I now have a PIX 515E and a VPN 3005 concentrator. Is it more secure to put it in line or to have them run in parallel (i.e. both have public-facing interfaces)? The VPN is end of software line now. Only going to be running WebVPN from it; other VPN clients are on the PIX.


Thanks


Ed

srue Wed, 11/26/2008 - 04:05

The last time I checked, the Cisco recommended way was to have the public interface of the VPN 3000 facing the public side and the internal (private) interface on a DMZ. You could easily put the public interface on a DMZ also, permitting access through the PIX as you see fit.

To run WebVPN on the 3005, you need 64 MB of RAM, by the way.

edw Wed, 11/26/2008 - 04:30

Hi,


Thanks for that. I knew about the public interface but didn't realise I could put the private interface on the DMZ; that's a good idea. The web sites are internal though. So is there a security risk having the inside of the VPN Concentrator on the DMZ and then having to jump through to the inside interface? Or would it be better to have traffic flow through the PIX into the DMZ and then through the Concentrator to the inside interface, which is inside?


Thinking DMZ to inside on a separate VLAN...


The reason I ask is obviously that the VPN Concentrators are end of line, so I still want protection for this short time until I get budget for an ASA. The concentrator is a bit different from the CLI I'm used to.


Thanks


Ed

Jon Marshall Wed, 11/26/2008 - 05:01

Ed


I would always recommend having the inside interface of your concentrator (the private interface) on a DMZ of your firewall rather than allow it to connect straight through to the inside.


As for the outside interface, I have run both sorts of setups. The easiest tends to be running them alongside, especially if it means you can avoid any NAT issues which you might face if you placed it behind your ASA.


Make sure that the public interface only accepts the ports/protocols that you need, and if you have access to the upstream router (you may not, as it could be controlled by your ISP) you could add an entry to your ACL that only allows those ports/protocols to the public interface of your VPN concentrator and drops all other traffic destined for that IP address.


Jon
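The layout described in this reply (concentrator public interface alongside the PIX, concentrator private interface on a PIX DMZ, upstream router filtering everything but the needed ports to the concentrator's public address), as an added configuration example that is not from the original thread. All addresses, interface names and VLAN/DMZ names are assumptions for illustration; it also assumes only clientless WebVPN (TCP 443) is offered on the concentrator, that IOS is running on the upstream router and PIX OS 7.x syntax on the 515E.

```cisco
! ---- Upstream router (assumed IOS), applied inbound on the ISP-facing interface ----
! Assumed addresses: VPN 3005 public = 203.0.113.10, PIX outside = 203.0.113.2
ip access-list extended FROM-ISP
 remark Only WebVPN (HTTPS) is published on the concentrator's public interface
 permit tcp any host 203.0.113.10 eq 443
 remark Keep path-MTU discovery and basic reachability working
 permit icmp any host 203.0.113.10 packet-too-big
 permit icmp any host 203.0.113.10 echo
 remark Everything else aimed at the concentrator is dropped and logged
 deny ip any host 203.0.113.10 log
 remark Traffic for the PIX (IPsec clients on UDP 500/4500, ESP) is policed by the PIX itself
 permit ip any host 203.0.113.2
 deny ip any any log
!
interface Serial0/0
 description Link to ISP (assumed interface)
 ip access-group FROM-ISP in

! ---- PIX 515E (assumed PIX OS 7.x syntax), policy on the DMZ that hosts the
! ---- concentrator's private interface (assumed 192.168.100.10, interface "dmz")
! Clientless WebVPN sessions are proxied by the concentrator, so the only source
! address that should ever reach the internal web servers is its private interface.
! Assumed internal web server subnet: 10.10.0.0/24
access-list DMZ_IN extended permit tcp host 192.168.100.10 10.10.0.0 255.255.255.0 eq 80
access-list DMZ_IN extended permit tcp host 192.168.100.10 10.10.0.0 255.255.255.0 eq 443
access-list DMZ_IN extended permit udp host 192.168.100.10 host 10.10.0.5 eq 53
access-list DMZ_IN extended deny ip host 192.168.100.10 any log
! Public web servers sharing the DMZ must never initiate connections inwards
access-list DMZ_IN extended deny ip any 10.0.0.0 255.0.0.0 log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

The upstream ACL ends in `permit ip any any` deliberately: it only exists to protect the concentrator's address, and the PIX applies its own policy to its outside interface. On the PIX, management of the concentrator from the inside needs no extra rule because the inside interface has a higher security level than the DMZ; if it sits elsewhere, add an explicit rule for the concentrator's management port only.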

edw Wed, 11/26/2008 - 05:17

Hi,


Thanks for this, very useful! Unfortunately I won't have any security on the public side, as this is on a switch between my ISP and my network. However, I'm assuming the Concentrator is good enough to hold off attacks?


I could look at putting it behind my first router, but I need additional cards for this.


One question, and probably silly: if my inside interface is on the DMZ, it doesn't matter if I also have other public web servers etc. in this zone?


Thanks Again


Ed

Jon Marshall Wed, 11/26/2008 - 06:06

Ed


"if my inside interface is on the DMZ, it doesn't matter if I also have other public web servers etc. in this zone?"


If the people using the VPN concentrator do not need to communicate with these public web servers, and your switch supports it, you could look into private VLANs on the switch that hosts your DMZ.


Jon
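The private-VLAN arrangement suggested in this reply, as an added configuration example that is not from the original thread. It assumes a Catalyst switch running IOS with private-VLAN support, and the VLAN numbers, port numbers and descriptions are assumptions for illustration.

```cisco
! Private VLANs on the DMZ switch (assumed Catalyst IOS). VTP must be transparent
! (or off) on older IOS for private VLANs to be configured.
vtp mode transparent
!
! Assumed primary VLAN 100 with one isolated secondary VLAN 101.
! Hosts in an isolated VLAN can talk only to promiscuous ports, never to each other.
vlan 100
 private-vlan primary
 private-vlan association 101
!
vlan 101
 private-vlan isolated
!
! The PIX DMZ interface is the only promiscuous port: every DMZ host reaches it
! and the PIX ACLs decide what goes further.
interface FastEthernet0/1
 description PIX 515E dmz interface
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Concentrator private interface: isolated, so VPN users land only on the PIX
interface FastEthernet0/2
 description VPN 3005 private interface
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Public web servers: isolated too, so a compromised server cannot reach the
! concentrator's private side or the other servers at layer 2
interface FastEthernet0/3
 description DMZ web server 1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface FastEthernet0/4
 description DMZ web server 2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
```

If the web servers do need to reach each other (a load-balanced pair, for example) put them in a community secondary VLAN instead of the isolated one and keep the concentrator's private interface isolated; the concentrator still only sees the PIX. `show vlan private-vlan` on the switch shows the primary/secondary mapping and which ports belong to each, which is the quickest check that the isolation is actually in place.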
