What is the most secure way to configure a Concentrator 3000 with RADIUS authentication and a PIX firewall for VPN access? Currently, the Concentrator "public" port is connected to a switch that resides outside the firewall and the "private" port connects to a separate switch that the RADIUS server is connected to, which is inside the firewall.
This setup certainly does work as you have seen. My preference would probably be to have the public interface on the concentrator connected to a DMZ interface on the PIX. This way, you can control the traffic that gets to the public interface on the concentrator to only ESP, UDP-500, PPTP, etc...
The concentrator has filters that can perform this function but any processing that you can remove from the concentrator and off-load to the PIX should streamline the concentrator to do what it does best - encrypt and decrypt.
Dropping off the public interface is probably fine as well unless you have a need to filter the traffic from your VPN clients. If this is the case, then bringing the private interface into a 4th interface on the PIX is not unreasonable.
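An added example (not from the original thread) of the PIX-side filtering the answer above describes, for a concentrator public interface placed on a PIX DMZ. Interface names, addresses and the ACL name are assumed placeholders; it uses PIX 6.x syntax, where the outside ACL references the static (translated) address of the DMZ host, and adds UDP 4500 for IKE NAT traversal, which the answer does not mention but which clients behind NAT need.

```cisco
! Assumed interface layout (placeholders, not from the post):
!   outside  = Internet-facing interface
!   dmz      = new interface holding the concentrator's public port
!   inside   = RADIUS server and corporate network
nameif ethernet2 dmz security50
ip address dmz 192.0.2.1 255.255.255.0

! Concentrator public interface sits at 192.0.2.10 on the DMZ and is
! published on the outside as 203.0.113.10 (placeholder addresses).
static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255

! Only the VPN control and data protocols may reach the concentrator.
! In PIX 6.x the outside ACL matches on the translated (outside) address.
access-list outside_in permit esp any host 203.0.113.10
access-list outside_in permit udp any host 203.0.113.10 eq 500
access-list outside_in permit udp any host 203.0.113.10 eq 4500
access-list outside_in permit tcp any host 203.0.113.10 eq 1723
access-list outside_in permit gre any host 203.0.113.10
! Explicit deny with logging so blocked probes show up in syslog
! (log keyword requires PIX 6.3 or later; otherwise rely on the implicit deny).
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! The concentrator's private interface still needs to reach RADIUS on the
! inside; if it is moved onto a 4th PIX interface as the answer suggests,
! permit only RADIUS (UDP 1812/1813, or 1645/1646 on older servers)
! from that interface toward the RADIUS server rather than "ip any any".
```

Because the dmz interface has a lower security level than inside, the concentrator cannot initiate traffic inward unless an ACL on dmz explicitly allows it, which is the point of the 4th-interface design.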