09-24-2002 05:13 AM - edited 03-09-2019 12:26 AM
Hi all,
I am wondering if someone out there has set up a 3005 VPN behind a firewall.
Are there any performance hits with this design? And how would I set up the subnets from the internal interface of the firewall to the servers?
77.1.3.x        77.1.3.x         79.1.2.x       79.1.2.x
FW Int    -->   3005 ext   -->   3005 int,      web server
vlan1           vlan1            vlan2          vlan2
If I set it up this way, how does the web server respond to an outbound request?
Does the 3005 act as a router in that case?
Steve
09-24-2002 07:44 AM
The VPN concentrator from Cisco has routing functionality. It has its own routing table, and it also supports routing protocols like OSPF and RIP. In this case, the packets from the web server will be routed to the firewall interface. In the VPN concentrator, you should specify the default gateway as the firewall inside interface. The following link should help in configuring the default gateway.
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/3_6/config/interfac.htm#xtocid11
For VPN connections to successfully pass through the firewall, you should permit IP protocols 50 and 51 (ESP and AH) and also UDP port 500, over which IKE negotiations take place.
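As an added example (not from this thread), the following models a first-match firewall ACL in front of the concentrator and audits it against the three flows the reply names: IP protocol 50 (ESP), 51 (AH) and UDP/500 (IKE). The concentrator address, the sample rule sets and the probe flows are constructed for illustration.

```python
# Added example: audit a first-match firewall ACL for the flows an IPsec
# concentrator behind the firewall needs, and for anything extra it lets in.
from dataclasses import dataclass
from typing import List, Optional

CONC_EXT = "77.1.3.10"  # constructed: concentrator external address


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "esp", "ah", "udp", "tcp" or "ip" (any)
    dst: str                       # destination host or "any"
    dst_port: Optional[int] = None  # None matches any port


@dataclass(frozen=True)
class Flow:
    proto: str
    dst: str
    dst_port: Optional[int] = None


# Flows that must reach the concentrator for IPsec to establish (per the reply).
REQUIRED = (
    Flow("esp", CONC_EXT),       # IP protocol 50
    Flow("ah", CONC_EXT),        # IP protocol 51
    Flow("udp", CONC_EXT, 500),  # IKE
)


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if rule.dst != "any" and rule.dst != flow.dst:
        return False
    return rule.dst_port is None or rule.dst_port == flow.dst_port


def permits(acl: List[Rule], flow: Flow) -> bool:
    """First matching rule wins; implicit deny if nothing matches."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action == "permit"
    return False


def audit(acl: List[Rule], probes: List[Flow]) -> dict:
    """Required flows that are blocked, and probe flows that leak through."""
    return {"missing": [f for f in REQUIRED if not permits(acl, f)],
            "leaks": [p for p in probes if permits(acl, p)]}


# Constructed samples: an over-broad rule set and the minimal one.
WEAK_ACL = [Rule("permit", "ip", "any")]
GOOD_ACL = [Rule("permit", "esp", CONC_EXT), Rule("permit", "ah", CONC_EXT),
            Rule("permit", "udp", CONC_EXT, 500), Rule("deny", "ip", "any")]
PROBES = [Flow("tcp", CONC_EXT, 23), Flow("udp", CONC_EXT, 161), Flow("esp", "77.1.3.20")]
```

Running audit(GOOD_ACL, PROBES) reports no missing flows and no leaks, while WEAK_ACL passes all three probes.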
09-24-2002 10:08 AM
Thanks for the reply.
Steve
09-24-2002 10:55 AM
So, I would define the default gateway on the server as the IP address of the internal interface of the 3005 concentrator.
Can you point out where I can find a network diagram for this setup?
Steve
09-24-2002 07:56 PM
I assume that, since you have VLANs 1, 2, 3 and 4 in the inside network, you might be using a router for inter-VLAN routing as well. This could be either a layer 2 switch with a layer 3 external router or a layer 3 switch. If that's the case, you might want to set the default gateway to that router itself. If there is no router in between the VPN concentrator and the inside LAN, you can set it to the VPN concentrator inside IP address.
09-25-2002 11:07 AM
That is what I am thinking.
Router
|
|
Firewall ext Interface
|
|
Firewall internal interface
|
|
|
3005 VPN Conc ext interface
| gw=IP of fw internal interface
| vlan1
|
3005 VPN Conc internal interface
| | |
| | | vlan2
server1 server2 server3
gw=IP of 3005 internal interface
Does the 3005 VPN allow pass-through if it is not VPN traffic?
Also, correct me if the configuration is wrong.
Steve
09-25-2002 07:19 PM
You can set filters at the VPN interface to decide which traffic will be used for VPN and which needs to be bypassed.