VPN - to PIX or Router or Both

Jul 16th, 2006


I am going through setting up VPNs. I have a security question though. I have a 3660 and PIX. The 3660 is my outside router which is connected to the outside interface.

I NAT from the inside to another range between the PIX and 3660 and then NAT again from the 3660 to internet addresses.

I have this question - which is better: to let the PIX outside interface have an internet IP, therefore allowing VPN connections to the PIX, or getting VPNs to connect to the 3660?

Is there a way to connect to the 3660 then pass it through to the PIX for auth?

Which is the higher security risk? Would it be better to have a VPN accelerator in either, and which one has the better VPN security with these cards? The PIX is a 520.

Thanks for any pointers


spremkumar Sun, 07/16/2006 - 22:36


I would suggest bringing the PIX outside interface onto the reachable public network so that your VPN can be established without any probs.

Do block unnecessary ports on the 3660 router, allowing only the protocols and ports required to establish the VPN connectivity.

PIX by default takes care of the security part, so keep the settings intact. The only addition will be the new VPN config and the changes in the outside interface which you need to bring out so that it can be reachable from your remote peers.
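
An added example, not part of the reply above or of any Cisco tooling: a Python check that reads the 3660's inbound ACL and lists the permit entries that reach the PIX outside address but are not needed for the VPN. It assumes the VPN is IPsec (IKE on UDP 500, NAT-T on UDP 4500, ESP, AH); `203.0.113.10` is a placeholder PIX address and the ACL text is constructed.

```python
import ipaddress
import re

# Assumption: the VPN is IPsec, so only IKE (UDP 500), NAT-T (UDP 4500),
# ESP and AH need to reach the PIX outside address through the 3660.
ALLOWED = {("udp", "isakmp"), ("udp", "500"), ("udp", "non500-isakmp"),
           ("udp", "4500"), ("esp", None), ("ahp", None)}

# Matches "permit <proto> <src> <dst> [eq <port>]" in numbered or named ACLs.
ADDR = r"(?:any|host\s+\S+|\S+\s+\S+)"
ENTRY = re.compile(rf"^\s*(?:access-list\s+\d+\s+)?permit\s+(?P<proto>\S+)\s+"
                   rf"{ADDR}\s+(?P<dst>{ADDR})(?:\s+eq\s+(?P<port>\S+))?", re.I)

def covers(dst, pix):
    """True if the ACL destination (any / host A / A wildcard) includes pix."""
    parts = dst.lower().split()
    try:
        if parts[0] == "any":
            return True
        if parts[0] == "host":
            return ipaddress.ip_address(parts[1]) == pix
        addr, wild = (int(ipaddress.ip_address(p)) for p in parts)
        return (addr | wild) == (int(pix) | wild)
    except ValueError:
        return True  # unparsed destination: report it for manual review

def audit(acl_text, pix_ip):
    """Return permit entries that reach the PIX but are not needed for IPsec."""
    pix = ipaddress.ip_address(pix_ip)
    findings = []
    for line in acl_text.splitlines():
        m = ENTRY.match(line)
        if not m or not covers(m["dst"], pix):
            continue
        key = (m["proto"].lower(), m["port"].lower() if m["port"] else None)
        if key not in ALLOWED:
            findings.append(line.strip())
    return findings

# Constructed sample ACL; 203.0.113.10 is a placeholder PIX outside address.
SAMPLE_ACL = """\
ip access-list extended OUTSIDE-IN
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
 permit tcp any host 203.0.113.10 eq telnet
 permit ip any 203.0.113.0 0.0.0.255
 permit tcp any host 203.0.113.20 eq www
 deny ip any any log
"""
```

Calling `audit(SAMPLE_ACL, "203.0.113.10")` returns the telnet entry and the subnet-wide `permit ip` entry; entries with source-port qualifiers are not parsed and are returned for manual review.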


edw Mon, 07/17/2006 - 04:28

Thanks for this - so would it be a good idea to get a VAC+ or/and AIM-VPN/HPII for the 3660?

I have been reading that the PIX 7 is superior to the PIX 6.3 and that if I had a choice between 6.3 and a router it probably should be a router? Is this true?

Just want to make it as secure as possible.



