Placing 3005VPN behind firewall

Sep 24th, 2002


Hi all,


I am wondering if someone out there has set up a 3005 VPN behind a firewall.

Are there any performance hits with this design? And how would I set up the subnets from the internal interface of the firewall to the servers?



FW Int  -->  3005 ext  -->  3005 int  -->  web server
77.1.3.x     77.1.3.x       79.1.2.x       79.1.2.x
vlan1        vlan1          vlan2          vlan2


If I set it up this way, how does the web server respond to an outbound request?

Does the 3005 act as a router in that case?


Steve

thisisshanky Tue, 09/24/2002 - 07:44

The VPN concentrator from Cisco has routing functionality. It has its own routing table, and it also supports routing protocols like OSPF and RIP. In this case, the packets from the web server will be routed to the firewall interface. In the VPN concentrator, you should specify the default gateway as the firewall inside interface. The following link should help in configuring the default gateway.


http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/3_6/config/interfac.htm#xtocid11


For VPN connections to successfully pass through the firewall, you should permit IP protocols 50 and 51 (ESP and AH) and also UDP port 500, over which IKE negotiations take place.
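
An added example, not from the thread and not Cisco's code: a small Python classifier that implements the firewall pass-through rule described in the answer above. It parses constructed IPv4 packets and permits, from outside to inside, only ESP (IP protocol 50), AH (IP protocol 51) and UDP/500 addressed to the concentrator's outside interface; everything else aimed at the concentrator is denied. The concentrator address 77.1.3.2 (the thread only says 77.1.3.x) and the remote peer address 198.51.100.7 are assumptions, and the sample packets are constructed inline. It also shows one edge case such a rule has to handle: a non-initial UDP fragment carries no transport header, so it cannot be matched on port 500 and is dropped. A caveat the thread does not cover: ESP has no port numbers, so if the firewall NATs the concentrator's address the tunnel needs NAT traversal (UDP/4500); the example assumes no NAT.

```python
# Added example (not from the thread). It models the firewall rule the
# answer above describes: outside->inside traffic to the concentrator's
# outside interface is permitted only for ESP (IP protocol 50), AH (IP
# protocol 51) and IKE (UDP/500); everything else is denied.
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
IKE_PORT = 500

# Assumption: the thread only says the 3005's outside interface is on
# 77.1.3.x; .2 is a hypothetical host address chosen for this example.
VPN_OUTSIDE_IP = ipaddress.IPv4Address("77.1.3.2")


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the IPv4 header and, for UDP/TCP, the transport ports.

    Ports are read only from the first fragment (fragment offset 0);
    later fragments carry no transport header, so their ports stay None.
    """
    if len(pkt) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    info = {
        "proto": proto,
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
        "sport": None,
        "dport": None,
    }
    frag_offset = flags_frag & 0x1FFF
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and frag_offset == 0 and len(pkt) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def permit_inbound(info: dict) -> bool:
    """Outside-to-inside decision for packets addressed to the concentrator."""
    if info["dst"] != VPN_OUTSIDE_IP:
        return False  # not aimed at the concentrator: outside this rule set
    if info["proto"] in (IPPROTO_ESP, IPPROTO_AH):
        return True   # IPsec data: no ports, the protocol number is the match
    if info["proto"] == IPPROTO_UDP and info["dport"] == IKE_PORT:
        return True   # IKE negotiation
    return False


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"",
               frag_offset: int = 0) -> bytes:
    """Build a constructed test packet (20-byte header, checksum left zero)."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag_offset & 0x1FFF,
        64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def udp_header(sport: int, dport: int, data: bytes = b"") -> bytes:
    """Constructed UDP header (length filled in, checksum left zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(pkt: bytes) -> str:
    return "permit" if permit_inbound(parse_ipv4(pkt)) else "deny"


def run_samples() -> dict:
    """Constructed packets as they would arrive on the firewall's outside interface."""
    peer = "198.51.100.7"  # constructed remote VPN peer address
    samples = {
        "esp": build_ipv4(IPPROTO_ESP, peer, "77.1.3.2", b"\x00" * 8),
        "ah": build_ipv4(IPPROTO_AH, peer, "77.1.3.2", b"\x00" * 12),
        "ike": build_ipv4(IPPROTO_UDP, peer, "77.1.3.2", udp_header(500, 500)),
        # only the port fields matter to the parser, so a 4-byte stub stands in
        # for a full TCP header here
        "http_to_vpn": build_ipv4(IPPROTO_TCP, peer, "77.1.3.2",
                                  struct.pack("!HH", 40000, 80)),
        # second fragment of a UDP datagram: no transport header, so it
        # cannot be matched against port 500 and is denied
        "udp_fragment": build_ipv4(IPPROTO_UDP, peer, "77.1.3.2",
                                   b"\x00" * 16, frag_offset=185),
        "esp_other_host": build_ipv4(IPPROTO_ESP, peer, "77.1.3.9", b"\x00" * 8),
    }
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:15s} {decision}")
```

Running it prints one permit/deny line per sample; the fragment case is the one to note, since a real firewall has to either reassemble or apply a separate fragment policy rather than silently matching ports that are not there.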

spham68 Tue, 09/24/2002 - 10:55


So, I would define the default gateway on the server as the IP address of the internal interface of the 3005 concentrator.


Can you point me to where I can find a network diagram for this setup?


Steve

thisisshanky Tue, 09/24/2002 - 19:56

I assume that, since you have VLANs 1, 2, 3 and 4 in the inside network, you might be using a router for inter-VLAN routing as well. This could be either a layer 2 switch with an external layer 3 router or a layer 3 switch. If that's the case, you might want to set the default gateway to that router itself. If there is no router in between the VPN concentrator and the inside LAN, you can set it to the VPN concentrator's inside IP address.

spham68 Wed, 09/25/2002 - 11:07

That is what I am thinking.


Router
  |
Firewall ext interface
  |
Firewall internal interface
  |
3005 VPN Conc ext interface      (gw = IP of fw internal interface, vlan1)
  |
3005 VPN Conc internal interface (vlan2)
  |         |         |
server1   server2   server3      (gw = IP of 3005 internal interface)


Does the 3005 VPN allow pass-through if it is not VPN traffic?

Also correct me if the configuration is wrong.


Steve

thisisshanky Wed, 09/25/2002 - 19:19

You can set filters on the VPN interface to decide which traffic will be used for VPN and which needs to be bypassed.
