Cisco Support Community
Community Member

Placing 3005VPN behind firewall

Hi all,

I am wondering if someone out there had setup a 3005 VPN behind a firewall.

Are there any performance hits with this design? And how would I set up the subnets from the internal interface of the firewall to the servers?

77.1.3.x      77.1.3.x       79.1.2.x      79.1.2.x
FW int  -->   3005 ext  -->  3005 int,     web server
vlan1         vlan1          vlan2         vlan2

If I set it up this way, how does the web server respond to an outbound request?

Does the 3005 act as a router in that case?

Steve

6 REPLIES

Re: Placing 3005VPN behind firewall

The Cisco VPN concentrator has routing functionality. It has its own routing table, and it also supports routing protocols like OSPF and RIP. In this case, the packets from the web server will be routed to the firewall interface. On the VPN concentrator, you should specify the default gateway as the firewall's inside interface. The following link should help in configuring the default gateway.

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/3_6/config/interfac.htm#xtocid11

For VPN connections to successfully pass through the firewall, you should permit IP protocols 50 and 51 (AH and ESP) and also UDP port 500, over which IKE negotiations take place.

Community Member

Re: Placing 3005VPN behind firewall

Thanks for the reply.

Steve

Community Member

Re: Placing 3005VPN behind firewall

So, I would define the default gateway on the server as the IP address of the internal interface of the 3005 concentrator.

Can you point me to where I can find a network diagram for this setup?

Steve

Re: Placing 3005VPN behind firewall

I assume that, since you have VLANs 1, 2, 3 and 4 in the inside network, you might be using a router for inter-VLAN routing as well. This could be either a layer 2 switch with an external layer 3 router, or a layer 3 switch. If that's the case, you might want to set the default gateway to that router itself. If there is no router between the VPN concentrator and the inside LAN, you can set it to the VPN concentrator's inside IP address.

Community Member

Re: Placing 3005VPN behind firewall

That is what I am thinking.

Router
  |
  |
Firewall ext interface
  |
  |
Firewall internal interface
  |
  |
  |
3005 VPN Conc ext interface
  |   gw=IP of fw internal interface
  |   vlan1
  |
3005 VPN Conc internal interface
  |         |         |
  |         |         |   vlan2
server1   server2   server3
gw=IP of 3005 internal interface

Does the 3005 VPN allow pass-through if it is not VPN traffic?

Also, correct me if the configuration is wrong.

Steve

Re: Placing 3005VPN behind firewall

You can set filters on the VPN interface to decide which traffic will be used for VPN and which needs to be bypassed.
