Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Concentrator 3000, RADIUS and a Pix Firewall.

What is the most secure way to configure a Concentrator 3000 with RADIUS authentiation and a Pix firewall for VPN access? Currently, the Concentrator "public" port is connected to a switch that resides outside the firewall and the "private" port connects to a seperate switch that the RADIUS server is connected to, which is inside the firewall.


Re: Concentrator 3000, RADIUS and a Pix Firewall.

This setup certainly does work as you have seen. My preference would probably be to have the public interface on the concentrator connected to a DMZ interface on the PIX. This way, you can control the traffic that gets to the public interface on the concentrator to only ESP, UDP-500, PPTP, etc...

The concentrator has filters that can perform this function but any processing that you can remove from the concentrator and off-load to the PIX should streamline the concentrator to do what it does best - encrypt and decrypt.

Dropping off the public interface is probably fine as well unless you have a need to filter the traffic from your VPN clients. If this is the case, then bringing the private interface into a 4th interface on the PIX is not unreasonable.

Hope this helps.