Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
331
Views
0
Helpful
4
Replies

VPN Termination

edw
Level 1
Level 1

‎07-23-2007 02:44 AM - last edited on ‎03-25-2019 05:38 PM by Community Manager

Hi,

New to the VPN side of things. I have a PIX 515E which, going outwards, connect to a C3660 unit then to the internet. I want to connect remote clients through VPN to the inside network. Now I understand I have to give the PIX a internet IP. So my questions is - is it safer to use a logical interface for this rather than the physical one ? Thus seperating the traffic. Whats the safest way ? or can i let it connect to the C3660 and pass it on ?

Thanks

Ed

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎07-23-2007 03:19 AM

Hi Ed

Generally speaking you would terminate the VPN clients on the physical outside interface of your pix firewall, there is no need to make it a logical interface.

Do you have spare public IP addresses for the pix and the inside interface of the router ?

Jon

0 Helpful

edw
Level 1
Level 1
In response to Jon Marshall

‎07-23-2007 04:52 AM

Hi,

Yep I have loads - well enough ;) I was wondering if its more secure to have a seperate one especially due to the access-lists etc. The way its setup is its a nat'ed address range from the pix to the router and then nat'ed to public ip in the router.

I rereading the VPN setup info from the manual. I'm getting a bit confused on access-lists.

It talks about crypto access-lists for static maps (which I assume is really only for Lan-Lan traffic. I'm unsure about dynamtic maps thou. How is it linked to which traffic to let through and which not too ??? The cisco examples are really poor.

Thanks

Ed

0 Helpful

edw
Level 1
Level 1
In response to edw

‎07-23-2007 08:34 AM

Hi,

I also have a problem with the authorization-server-group in the tunnel-group. It says "ERROR: Only "LOCAL", "radius" and "ldap" protocols are supported for WebVPN authorization." Yet this group is for IPSec not WebVPN??

Previous questions still stand ;)

Thanks for any answers to these questions?

Ed

0 Helpful

edw
Level 1
Level 1
In response to edw

‎07-24-2007 05:25 AM

I am getting stats from the appliance - I'm not making sense of them thou.

My VPN Client sens it has to retrasmit its packet. The PIX is saying its recieved 6788 In Octets and 8 In packets of which its dropped 8 packets? Where is the problem ?

Thanks

Ed

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card