Can you please tell me if PIX 535 supports hairpinning? How do you configure the VPN concentrator using just one (1) interface connecting to PIX 535, instead of using both public and private interfaces connecting parallel to the PIX 535?
The PIX model number does not matter. It is the OS version. I believe that the new 7.x version does have some capability that will let you configure hairpinning of sorts. But I do not believe that it works like a router does hairpinning. You may have to read the 7.x release notes for confirming this.
As for the 3000 concentrator doing hairpinning, yes, it does work. Just today I posted on another conversation the solution.
Run a search for "on-a-stick vpn concentrator" and you will get the post. It is one of the 2 that are there in the forum.
Yes there is because you will have to open the Public filter on the concentrator to unencrypted traffic.
You will need to analyze the vulnerability of the concentrator and the traffic that goes unencrypted. One of the key points would be determining the security of the network into which the unencrypted traffic flows.
Further, it is more a security risk if this concentrator is connected to the Internet. That just increases the factor of how many more people can reach your concentrator. Even if the box is on an intranet, it is a matter of concern because statistically 70% odd of security breaches are internal.
Having worked with VPN for a few years now and also with security, I'll take the risk of giving some advice. If possible, avoid an on-a-stick configuration. Quite often, it is cheaper to add another internal router to the network than consolidate security on a network to support a device like the concentrator with an "on-a-stick" configuration.
If you have to absolutely do it, then ensure that the unencrypted traffic is restricted with really tight measures and definitions and that the path it traverses has stringent security policies applied.