VPN Design Question

Dec 19th, 2002

We have a vendor who wants to set up a VPN 3005 to our network, and I have never had the opportunity to set up a VPN. They request that we plug directly into our LAN and trust them. I do not feel comfortable with this plan. We have a PIX 510 Ver 5.1(2) and we NAT our private network to a class C public address. We do not restrict outbound traffic and currently have only two statics to permit inbound communications from the Internet. All the Cisco research I have found does not show the configuration I thought would work best. Is it possible to use a hub off of the DMZ card of the PIX and to have both the private and public Ethernet ports of the 3005 plugged into the hub? This would keep the public and private ports protected and it would work through the PIX. Is this possible, and what would I need to configure on the PIX to make it work?

jfrahim Thu, 12/19/2002 - 10:28
User Badges: Cisco Employee

Hi awiseley,

VPN really depends on your topology. First of all, what are you going to protect using the VPN connection? Your private LAN to what?

You can put the public interface of the concentrator behind the DMZ interface of the PIX firewall, but you have to connect the private interface of the concentrator towards the subnet which you want to protect using IPSec. Also, the private and public interfaces on the concentrator need to be in unique subnets.

Hope that helps

Jazib

awiseley Thu, 12/19/2002 - 14:00

We are a company with a WAN consisting of (5) main sites, and each site has (1) to (5) remote sites. The core routers are all connected with redundant links. All of those facilities access the Internet through our corporate Internet connection. It is my responsibility to protect the corporate local LAN and all of the other facilities against improper access. Only (1) of the sites will need to access the VPN. Their communications will have to go through two routers and the PIX box to reach the DMZ and then out the Internet to establish the IPSec tunnel.

I understand about the public interface, but if my network is 10.0.0.0/8, can't the public be 10.1.1.1 and the private be 10.2.1.1 and still plug into the hub? The data that would be going over the IPSec tunnel would be private data.

jfrahim Mon, 12/23/2002 - 11:09
User Badges: Cisco Employee

You cannot have 10.1.1.1/8 and 10.2.1.1/8 on the public and private interfaces on the concentrator. You can, however, have 10.1.1.1/16 and 10.2.1.1/16 on the two interfaces.

Hope that helps

Jazib
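An added example, not from the thread or from Cisco, that checks the rule Jazib states: the concentrator's public and private interfaces must land in distinct, non-overlapping subnets, which is why 10.1.1.1/8 and 10.2.1.1/8 fail (both are 10.0.0.0/8) while /16 works. It also generalizes slightly by computing the shortest prefix length that separates any two addresses. The addresses are the ones from the question; the function names are my own.

```python
import ipaddress
from typing import Optional, Tuple


def interface_plan_is_valid(public_cidr: str, private_cidr: str) -> Tuple[bool, str]:
    """Check that a concentrator's public and private interfaces sit in
    distinct, non-overlapping subnets. Returns (ok, explanation)."""
    pub = ipaddress.ip_interface(public_cidr)
    priv = ipaddress.ip_interface(private_cidr)
    if pub.ip == priv.ip:
        return False, f"both interfaces use the same address {pub.ip}"
    if pub.network.overlaps(priv.network):
        # Both ports in one subnet: the box cannot tell which side a destination
        # is on, so traffic between public and private cannot be routed cleanly.
        return False, f"{pub} and {priv} overlap: {pub.network} vs {priv.network}"
    return True, f"{pub.network} (public) and {priv.network} (private) are distinct"


def shortest_separating_prefix(addr_a: str, addr_b: str) -> Optional[int]:
    """Smallest prefix length at which addr_a and addr_b fall in different
    subnets, i.e. how far the mask must be lengthened before the pair is
    usable on two interfaces. None if the addresses are identical."""
    a = ipaddress.ip_address(addr_a)
    b = ipaddress.ip_address(addr_b)
    if a == b:
        return None
    for plen in range(1, a.max_prefixlen + 1):
        net_a = ipaddress.ip_network(f"{a}/{plen}", strict=False)
        net_b = ipaddress.ip_network(f"{b}/{plen}", strict=False)
        if net_a != net_b:
            return plen
    return None  # not reached for distinct addresses


if __name__ == "__main__":
    # Constructed inputs: the two plans discussed in the thread.
    for pub, priv in [("10.1.1.1/8", "10.2.1.1/8"), ("10.1.1.1/16", "10.2.1.1/16")]:
        ok, why = interface_plan_is_valid(pub, priv)
        print("OK  " if ok else "BAD ", why)
    print("shortest separating prefix for 10.1.1.1 and 10.2.1.1: /%s"
          % shortest_separating_prefix("10.1.1.1", "10.2.1.1"))
```

The /15 result shows that anything from /15 down to /30 separates 10.1.1.1 from 10.2.1.1; /16 is simply the conventional choice.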
