Placing 3005VPN behind firewall

spham68
Level 1

Hi all,

I am wondering if someone out there has set up a 3005 VPN behind a firewall.

Are there any performance hits with this design? And how would I set up the subnets from the internal interface of the firewall to the servers?

77.1.3.x      77.1.3.x      79.1.2.x      79.1.2.x
FW Int   -->  3005 ext --->  3005 int,     web server
vlan1         vlan1         vlan2         vlan2

If I set it up this way, how does the web server respond to an outbound request?

Does the 3005 act as a router in that case?

Steve

6 Replies

thisisshanky
Level 11

The VPN concentrator from Cisco has routing functionality. It has its own routing table, and it also supports routing protocols like OSPF and RIP. In this case, the packets from the web server will be routed to the firewall interface. In the VPN concentrator, you should specify the default gateway as the firewall inside interface. The following link should help in configuring the default gateway.

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/3_6/config/interfac.htm#xtocid11

For VPN connections to successfully pass through the firewall, you should permit IP protocols 50 and 51 (AH and ESP) and also UDP port 500, over which IKE negotiations take place.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
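The permits described in the reply above, written out as a Cisco IOS extended access list applied inbound on the firewall's outside interface. This is an added example, not configuration from the thread or from Cisco's documentation; the concentrator's outside address 77.1.3.2 and the interface name are assumed placeholders (the question only gives the 77.1.3.x range).

```cisco
! Assumed placeholder: 77.1.3.2 is the 3005's external (outside) interface address
ip access-list extended OUTSIDE-IN
 remark IPsec data traffic: ESP is IP protocol 50, AH is IP protocol 51
 permit esp any host 77.1.3.2
 permit ahp any host 77.1.3.2
 remark IKE negotiation: ISAKMP on UDP port 500
 permit udp any host 77.1.3.2 eq isakmp
 remark anything else aimed at the concentrator is dropped and logged
 deny ip any host 77.1.3.2 log
 remark traffic not matched above hits the implicit deny at the end of the list
!
! Assumed placeholder interface name for the firewall's outside interface
interface FastEthernet0/0
 description outside
 ip access-group OUTSIDE-IN in
```

Watch the `deny ... log` counters after applying it: a steady stream of denied UDP 500 or ESP from a known peer usually means the peer's address or the ACL order is wrong, not an attack.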

Thanks for the reply.

Steve

So, I would define the default gateway on the server as the IP address of the internal interface of the 3005 concentrator.

Can you point me to where I can find a network diagram for this setup?

Steve

I assume that, since you have vlan 1,2,3,4 in the inside network, you might be using a router for inter-VLAN routing also. This could be either a layer 2 switch with a layer 3 external router or a layer 3 switch. If that's the case, you might want to set the default gateway as that router itself. If there is no router in between the VPN concentrator and the inside LAN, you can set it to the VPN concentrator's inside IP address.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

That is what I am thinking.

Router
  |
  |
Firewall ext interface
  |
  |
Firewall internal interface
  |
  |
  |
3005 VPN Conc ext interface
  |  gw=IP of fw internal interface
  |  vlan1
  |
3005 VPN Conc internal interface
  |          |          |
  |          |          |  vlan2
server1    server2    server3
gw=IP of 3005 internal interface

Does the 3005 VPN allow pass-through if it is not VPN traffic?

Also, correct me if the configuration is wrong.

Steve

You can set filters on the VPN interface to decide which traffic will be used for VPN and which needs to be bypassed.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus