Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
323
Views
0
Helpful
5
Replies

PIX & VPN 3005 Concentrator Deployment

edw
Level 1
Level 1

‎11-26-2008 02:38 AM - last edited on ‎03-25-2019 05:41 PM by Community Manager

Hi,

I now have a PIX 515E and VPN 3005 concentrator. Is it more secure to put it in line or to have them run parrellel (IE both have public facing interfaces). As the VPN is end of software line now ? Only going to be running webVPN from it - other VPN clients are on PIX.

Thanks

Ed

Labels:
0 Helpful
5 Replies 5

srue
Level 7
Level 7

‎11-26-2008 04:05 AM

the last time i checked, the cisco recommended way was to have the public interface of the vpn 3000 to be facing public and have the internal interface on a dmz. you could easily put the public interface on a dmz also, permitting access through the PIX as you see fit.

to run webvpn on the 3005, you need 64MB of ram btw.

0 Helpful

edw
Level 1
Level 1
In response to srue

‎11-26-2008 04:30 AM

Hi,

Thanks for that. I knew about the public interface didn't relise I could put the private on the DMZ - thats a good idea. The web sites are internal thou. So is there a security risk having the inside of the VPN Concentrator on the DMZ and then have to jump through too the inside interface?? Or would it be better to have traffic flow through PIX into DMZ and then through the Concentrator to the inside interface which is inside.

Thinking DMZ to Inside on separate vlan...

The reason I ask is obviously the VPN Concentrators are end of line so still want protection for this sort time until I get budget for a ASA. The concentrator is a bit different to the CLI I'm used to.

Thanks

Ed

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to edw

‎11-26-2008 05:01 AM

Ed

I would always recommend having the inside interface of your concentrator (the private interface) on a DMZ of your firewall rather than allow it to connect straight through to the inside.

As for the outside interface, i have run both sort of setups. The easiest tends to be running them alongside especially if it means you can avoid any NAT issues which you might face if you placed it behind your ASA.

Make sure that the public interface only accepts the ports/protocols that you need and if you have access to the upstream router (you may not as it could be controlled by your ISP) you could add an entry into your acl that only allows those ports/protocols to the public interface of your VPN concentrator and drops all other traffic destined for that IP address.

Jon

0 Helpful

edw
Level 1
Level 1
In response to Jon Marshall

‎11-26-2008 05:17 AM

Hi,

Thanks for this very useful! Unfortantly I won't have any security on the public as this is on a switch between my ISP and my network. However, I'm assuming the Concentrator is good enough to hold off attacks??

I could look at putting it behind my first router, but I need additional cards for this.

One question and probably silly, if my inside interface is on the DMZ - it doesn't matter if I also have other public web servers etc on this zone ?

Thanks Again

Ed

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to edw

‎11-26-2008 06:06 AM

Ed

"if my inside interface is on the DMZ - it doesn't matter if I also have other public web servers etc on this zone ?"

If the people using the VPN concentrator do not need to communicate with these public web servers and your switch supports it you could look into private vlans on the switch that hosts your DMZ.

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card