Cisco Support Community

New Member

PIX 535 and VPN Concentrator 3000 Series

Can you please tell me if PIX 535 supports hairpinning? How do you configure the VPN concentrator using just one (1) interface connecting to PIX 535, instead of using both public and private interfaces connecting parallel to the PIX 535?

Thanks,

Phil

3 REPLIES
New Member

Re: PIX 535 and VPN Concentrator 3000 Series

The PIX model number does not matter. It is the OS version. I believe that the new 7.x version does have some capability that will let you configure hairpinning of sorts. But I do not believe that it works like a router does hairpinning. You may have to read the 7.x release notes to confirm this.

As for the 3000 concentrator doing hairpinning, yes, it does work. Just today I posted the solution in another conversation.

Run a search for "on-a-stick vpn concentrator" and you will get the post. It is one of the 2 that are there in the forum.

New Member

Re: PIX 535 and VPN Concentrator 3000 Series

Is there a security concern on running "on-a-stick" mode versus standard/regular mode?

Thanks,

Phil

New Member

Re: PIX 535 and VPN Concentrator 3000 Series

Yes, there is, because you will have to open the Public filter on the concentrator to unencrypted traffic.

You will need to analyze the vulnerability of the concentrator and the traffic that goes unencrypted. One of the key points would be determining the security of the network into which the unencrypted traffic flows.

Further, it is more of a security risk if this concentrator is connected to the Internet. That just increases the factor of how many more people can reach your concentrator. Even if the box is on an intranet, it is a matter of concern because statistically 70-odd percent of security breaches are internal.

Having worked with VPN for a few years now and also with security, I'll take the risk of giving some advice. If possible, avoid an on-a-stick configuration. Quite often, it is cheaper to add another internal router to the network than to consolidate security on a network to support a device like the concentrator with an "on-a-stick" configuration.

If you have to absolutely do it, then ensure that the unencrypted traffic is restricted with really tight measures and definitions and that the path it traverses has stringent security policies applied.
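One way to apply the "really tight measures" the last reply asks for, as an added example that is not part of the thread and not Cisco's documented configuration: a PIX 7.x policy for a VPN 3000 Concentrator whose single (public) interface sits in a DMZ off the PIX. Encrypted IPsec arrives from the outside and decrypted client traffic leaves the concentrator on that same interface, so the PIX sees two legs, outside-to-DMZ and DMZ-to-inside, and each gets its own access list. Every address, interface name, the client pool and the internal servers and ports below are assumed values for illustration.

```cisco
! Added example, not from the thread. All addresses and names are assumed.
!
!   Internet -- outside 203.0.113.1 [PIX] dmz 192.0.2.1 -- concentrator public 192.0.2.10
!                                        inside 10.1.1.1 -- internal servers 10.1.1.0/24
!   Client pool handed out by the concentrator (assumed): 10.200.0.0/24
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Decrypted packets carry pool addresses as source; route the pool
! back to the concentrator so return traffic is re-encrypted there.
route dmz 10.200.0.0 255.255.255.0 192.0.2.10 1
!
! Public address of the concentrator as seen from the Internet (1:1 static).
static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
! Identity NAT so decrypted traffic reaches inside hosts untranslated
! (required when nat-control is enabled, harmless otherwise).
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! Leg 1, outside -> dmz: only IPsec, only to the concentrator. On PIX 7.x
! the outside access list references the translated (public) address.
access-list outside_in extended permit udp any host 203.0.113.10 eq isakmp
access-list outside_in extended permit udp any host 203.0.113.10 eq 4500
access-list outside_in extended permit esp any host 203.0.113.10
access-group outside_in in interface outside
!
! Leg 2, dmz -> inside: the unencrypted traffic the replies warn about.
! Permit only the client pool, only to the servers and ports VPN users
! actually need (assumed below), and log everything else.
access-list dmz_in extended permit tcp 10.200.0.0 255.255.255.0 host 10.1.1.20 eq 443
access-list dmz_in extended permit tcp 10.200.0.0 255.255.255.0 host 10.1.1.21 eq 3389
access-list dmz_in extended permit udp 10.200.0.0 255.255.255.0 host 10.1.1.5 eq domain
! The concentrator itself never initiates inward; manage it from the inside.
access-list dmz_in extended deny ip host 192.0.2.10 any log
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! Note: the PIX 7.x hairpinning feature the first reply alludes to is
! "same-security-traffic permit intra-interface", which lets traffic enter
! and leave the same PIX interface. It is for the PIX terminating VPNs
! itself; in this topology the hairpin happens on the concentrator's single
! interface, and the PIX handles two ordinary inter-interface flows.
```

The two access lists make the exposure explicit: the outside list limits who can even talk to the concentrator to IPsec, and the DMZ list is the complete definition of what the decrypted traffic may touch. Anything that shows up in the `deny ... log` lines is either a misconfigured client or something probing from a compromised concentrator or pool host, which is exactly the path the replies say needs the stringent policy.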
