Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Placement of VPN concentrator with PIX

I have seen designs with the VPN concentrator in front of the PIX, behind the PIX and on the DMZ. What design factors determine where the concentrator should be placed?



Re: Placement of VPN concentrator with PIX

The Cisco docs show the concentrator inline (parallel) to the firewall. I would follow this design.

Community Member

Re: Placement of VPN concentrator with PIX

Hi !

If you want to trust the concentrator on filtering traffic from the outside, you can use the design as suggested in the drawing. I prefere two other design possibilities :

a) Place the concentrator with the outside parallel to the outside of your firewall. Place the inside to a seperate interface of your firewall. Only this way you have control over the vpn sessions comming into your network. Many comapnies use VPN for giving support access to remote companies. If you implement the "parallel" design, these users would have full access to your whole network ... You can implement some filtering on the concentrater too (even on a per user basis), but you'll have different policy distribution points. A centralised solution is prefered in most cases.

b) If you even don't trust the outside filter of the concentrator connect the outside of the concentrator to one interface of the firewall and the inside to an other interface of the firewall. Only permit ESP, AH and ISAKMP through the firewall for IPs connecting to the outside of the concentrator. Use the filtering as described above for the inside interface ...

Kind regards,

Boris Bertelsons

CCDP, CSS1, CCIE #6373

CreatePlease to create content