I now have a PIX 515E and a VPN 3005 concentrator. Is it more secure to put it inline or to have them run in parallel (i.e. both have public-facing interfaces), as the VPN is end of software line now? I'm only going to be running WebVPN from it; other VPN clients are on the PIX.
The last time I checked, the Cisco-recommended way was to have the public interface of the VPN 3000 facing the public side and the internal interface on a DMZ. You could easily put the public interface on a DMZ also, permitting access through the PIX as you see fit.
To run WebVPN on the 3005, you need 64 MB of RAM, by the way.
Thanks for that. I knew about the public interface; I didn't realise I could put the private interface on the DMZ, that's a good idea. The websites are internal though. So is there a security risk in having the inside of the VPN concentrator on the DMZ and then having to jump through to the inside interface? Or would it be better to have traffic flow through the PIX into the DMZ and then through the concentrator to the inside interface, which is inside?
Thinking DMZ to inside on a separate VLAN...
The reason I ask is, obviously, that the VPN concentrators are end of line, so I still want protection for this short time until I get budget for an ASA. The concentrator is a bit different from the CLI I'm used to.
I would always recommend having the inside interface of your concentrator (the private interface) on a DMZ of your firewall rather than allowing it to connect straight through to the inside.
As for the outside interface, I have run both sorts of setup. The easiest tends to be running them alongside, especially if it means you can avoid any NAT issues which you might face if you placed it behind your ASA.
Make sure that the public interface only accepts the ports/protocols that you need, and if you have access to the upstream router (you may not, as it could be controlled by your ISP) you could add an entry to your ACL that only allows those ports/protocols to the public interface of your VPN concentrator and drops all other traffic destined for that IP address.
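The two recommendations above (private interface of the concentrator on a PIX DMZ, and an upstream ACL that only admits the ports the public interface needs) as one added configuration example. This is not configuration from the thread or from Cisco; every address, interface name and ACL name is an assumption, chosen for a WebVPN-only concentrator as described in the original question (clientless HTTPS, with IPsec clients terminating on the PIX). It also assumes PIX OS 6.3 syntax and that WebVPN sessions leave the concentrator's private interface with that interface's own address as source.

```cisco
! Added example, not from the thread. Assumed addressing:
!   203.0.113.10     public interface of the VPN 3005 (RFC 5737 documentation range)
!   192.168.10.0/24  PIX DMZ; 192.168.10.2 = concentrator private interface
!   10.0.0.0/24      PIX inside; 10.0.0.20 = internal web server reached via WebVPN
!
! ---- 1. Upstream IOS router: only HTTPS (WebVPN) may reach the concentrator ----
ip access-list extended VPN3005-PUBLIC-IN
 remark WebVPN is clientless HTTPS, so TCP/443 is the only service the 3005 needs
 permit tcp any host 203.0.113.10 eq 443
 remark IPsec clients terminate on the PIX, so ISAKMP, NAT-T and ESP to the 3005 stay closed
 deny   udp any host 203.0.113.10 eq isakmp
 deny   udp any host 203.0.113.10 eq non500-isakmp
 deny   esp any host 203.0.113.10
 remark Anything else aimed at the concentrator is dropped and logged
 deny   ip  any host 203.0.113.10 log
 remark Traffic to other public hosts (PIX outside address etc.) is left to the PIX
 permit ip  any any
!
interface FastEthernet0/0
 description Link to ISP
 ip access-group VPN3005-PUBLIC-IN in
!
! ---- 2. PIX 515E (PIX OS 6.3): concentrator private interface sits on the DMZ ----
! DMZ (lower security) to inside (higher security) needs a translation plus an ACL.
! Identity static so the inside server keeps its real address when seen from the DMZ.
static (inside,dmz) 10.0.0.20 10.0.0.20 netmask 255.255.255.255
access-list DMZ_IN remark only the concentrator's private interface may reach the intranet server
access-list DMZ_IN permit tcp host 192.168.10.2 host 10.0.0.20 eq www
access-list DMZ_IN permit tcp host 192.168.10.2 host 10.0.0.20 eq 443
access-list DMZ_IN remark public web servers on the same DMZ get no path toward inside
access-list DMZ_IN deny ip any 10.0.0.0 255.255.255.0
access-group DMZ_IN in interface dmz
```

The explicit deny toward 10.0.0.0/24 is redundant with the PIX's implicit deny at the end of the list, but it makes the point visible in `show access-list` hit counts: anything else on that DMZ, compromised public web server included, has no route to the inside, and the only inside host the concentrator can touch is the one web server on the two ports WebVPN proxies. Add a second `permit` line per additional internal site rather than widening the destination.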
Thanks for this, very useful! Unfortunately I won't have any security on the public side, as this is on a switch between my ISP and my network. However, I'm assuming the concentrator is good enough to hold off attacks?
I could look at putting it behind my first router, but I need additional cards for this.
One question, and probably a silly one: if my inside interface is on the DMZ, it doesn't matter if I also have other public web servers etc. in this zone?