Cisco Support Community
Which one is a better design?

Objective: Provide site-2-site VPN, remote access VPN and protect the server farm.

Which is a better design? I feel much more comfortable having the VPN concentrator being protected by the firewall; however, at the same time, both encrypted and decrypted traffic will have to traverse the firewall twice, thus it may impact the firewall performance.

I prefer design_2 but I would like to get comments from security gurus in this forum. Thanks.

New Member

Re: Which one is a better design?

Both designs are good since you are enforcing security for the VPN3K before it hits the internal network. I have seen too many implementations where the VPN3K private interface sits directly on the internal network without passing through a firewall interface. Design 2 is the best since the firewall enforces security on both the public and private interfaces. If you're worried about performance, upgrade to a more robust model of the Checkpoint.

My 2 cents :)

New Member

Re: Which one is a better design?

If you have a router on the outside of the Concentrator with good ACLs then I would stick to design 1. I don't think you will really benefit from any added security from the Checkpoint in this case.

Kudos to having the inside interface connected through the firewall.

Hall of Fame Super Blue

Re: Which one is a better design?

I would go with design 1.

If you would like to protect the outside interface of the VPN3K then you could add some ACL lines to only allow IPSEC/PPTP/L2TP (you pick) to the outside interface of your VPN3K.

One plus point to having the VPN3K alongside the firewall rather than behind it is that you do not have to worry about NAT issues which can present problems with IPSEC.

Key thing as pointed out already is that your private interface is filtered by the firewall before the traffic enters your internal LAN.
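One way to write the ACL suggested above, as an added example that is not from any poster in this thread: a Cisco IOS extended ACL on the outside router that permits only IPsec (IKE, NAT-T, ESP, AH), PPTP (TCP/1723 plus GRE) and L2TP (UDP/1701) to the concentrator's public interface, then logs and drops the rest. The address 192.0.2.10, the firewall address 192.0.2.20 and the interface name are placeholders for this example; drop the lines for protocols you do not use.

```cisco
ip access-list extended OUTSIDE-IN
 remark Constructed example: 192.0.2.10 = VPN3K public interface (placeholder)
 remark --- IPsec: IKE (UDP/500), NAT-T (UDP/4500), ESP (proto 50), AH (proto 51)
 permit udp any host 192.0.2.10 eq isakmp
 permit udp any host 192.0.2.10 eq 4500
 permit esp any host 192.0.2.10
 permit ahp any host 192.0.2.10
 remark --- PPTP: control channel TCP/1723 plus the GRE tunnel (proto 47)
 permit tcp any host 192.0.2.10 eq 1723
 permit gre any host 192.0.2.10
 remark --- L2TP: UDP/1701 (only needed when L2TP is not carried inside ESP)
 permit udp any host 192.0.2.10 eq 1701
 remark --- Firewall public side (placeholder 192.0.2.20): add its own rules here
 permit ip any host 192.0.2.20
 remark --- Everything else to the concentrator or anywhere else is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing interface, ACL applied inbound
 ip access-group OUTSIDE-IN in
```

The `deny ... log` entries are what you would watch for in syslog to spot scanning or unexpected protocols aimed at the concentrator's public address.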
