We have many LAN-to-LAN's and client VPN sessions, but wondered is there any way of port blocking or creating rules like a firewall on it? Our Concentrator's private port goes straight into our LAN and the public is straight to the Internet (no firewall in between). There must be a way to lock these connections down a bit?
There is a way to do something like 'firewalling' on a Cisco Concentrator 3k. On the web-config GUI go to "Configuration | Policy Management | Traffic Management". There you can create "Rules"; if needed, use "Network Lists" while/before doing that. Then group the different rules into the needed "Filter" and assign them to the physical interfaces.
Do you mean if it is necessary to put a separate firewall device in front of the concentrator?
If so, that depends on your requirements. In some cases, e.g. for troubleshooting, it could be helpful to have the possibility to take a look at the traffic in front of the concentrator. But as mentioned above, the concentrator itself has the ability to do port filtering.
What is the best way to have the Concentrator located? Should it work with a firewall, or, as you say, just use the port blocking/filtering? If so, how can I configure it so certain LAN-to-LAN's or client VPNs have different open ports than others, as customers have different requirements on access needs?
If you run the concentrator behind a firewall you have to open the appropriate ports and protocols (like ESP or UDP 500). You should also think about NAT if you use it; there could be problems due to this. But only using the filter capabilities of the concentrator would work fine too.
You can configure a filter to restrict the access for a L2L and apply it to the connection under "Configuration | Tunneling and Security | IPSec | LAN-to-LAN" to the point "Filter".
On the concentrators I know there are filters at least at the public interface. And in some cases there is also a firewall (router with acl) in front of the concentrator.
I would like to ask a similar question. I have a request to allow TCP/UDP ports 1100 and 1105 bidirectionally. Does this mean that I will need to create 4 separate rules, one each way for TCP and one each way for UDP, and then assign them to one filter?
Any help would be really appreciated. I tried to go through the L2L rule and it did not work.
You have to do it cautiously. If the source and destination ports are not correct the traffic will be blocked. You also need to identify if ports 1100 and 1105 are the destination for the inbound traffic or the outbound traffic. Assuming that these are the destination ports for the inbound traffic, then you need to do the following:
1. Create a rule with source IP and port as any. Destination IP would be the inside IP (you have to consider the NAT/PAT as well) and dest port would be TCP 1100.
2. Same for 1105.
3. Another rule with source IP as the inside IP and source port as TCP 1100 and destination IP and port as any.
4. Same for 1105.
Follow the above steps for UDP traffic. Assign these to a filter. It could either be the public filter or a specific filter for the LAN-LAN tunnel.
Please let me know if you need further information on this.
Please rate if it helps,
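The steps in the answer above, modelled as an added example (this is not code from the thread or from Cisco; the concentrator is configured through its GUI). It assumes a simplified, stateless, first-match, deny-by-default filter in which "any" is represented by `None`, and it uses a constructed inside address `10.0.0.5`. It generates the eight rules (four per protocol) for ports 1100 and 1105 and checks sample packets against them, which shows why the return-direction rule must name the inside IP and port 1100/1105 as the *source*, and why a reply leaving from some other source port is dropped:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One filter rule; a field of None means 'any'."""
    name: str
    proto: str
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    action: str = "forward"

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto == pkt.proto
            and (self.src_ip is None or self.src_ip == pkt.src_ip)
            and (self.src_port is None or self.src_port == pkt.src_port)
            and (self.dst_ip is None or self.dst_ip == pkt.dst_ip)
            and (self.dst_port is None or self.dst_port == pkt.dst_port)
        )


def bidirectional_rules(inside_ip: str, ports: Tuple[int, ...],
                        protos: Tuple[str, ...] = ("tcp", "udp")) -> List[Rule]:
    """Steps 1-4 of the answer, repeated for each protocol (hypothetical helper).

    Inbound: src any -> dst inside_ip:port.
    Outbound (return traffic): src inside_ip:port -> dst any.
    """
    rules: List[Rule] = []
    for proto in protos:
        for port in ports:
            rules.append(Rule(f"{proto}-{port}-in", proto, None, None, inside_ip, port))
            rules.append(Rule(f"{proto}-{port}-out", proto, inside_ip, port, None, None))
    return rules


def apply_filter(rules: List[Rule], pkt: Packet,
                 default: str = "drop") -> Tuple[str, Optional[str]]:
    """First matching rule wins; anything unmatched hits the default (drop)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, None


# Constructed sample addresses and packets; the inside host is an assumption.
INSIDE = "10.0.0.5"
REMOTE = "192.0.2.10"
FILTER = bidirectional_rules(INSIDE, (1100, 1105))

SAMPLES = {
    "client -> 1100":        Packet("tcp", REMOTE, 51000, INSIDE, 1100),
    "reply from 1100":       Packet("tcp", INSIDE, 1100, REMOTE, 51000),
    "udp client -> 1105":    Packet("udp", REMOTE, 40000, INSIDE, 1105),
    "client -> 1101":        Packet("tcp", REMOTE, 51000, INSIDE, 1101),
    "reply from wrong port": Packet("tcp", INSIDE, 52000, REMOTE, 51000),
}


def evaluate_samples() -> dict:
    """Return {label: action} for every constructed sample packet."""
    return {label: apply_filter(FILTER, pkt)[0] for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print(f"{len(FILTER)} rules generated:")
    for r in FILTER:
        print(f"  {r.name:14s} {r.proto} {r.src_ip or 'any'}:{r.src_port or 'any'}"
              f" -> {r.dst_ip or 'any'}:{r.dst_port or 'any'}")
    for label, action in evaluate_samples().items():
        print(f"{label:24s} {action}")
```

The "reply from wrong port" case is the caveat the answer raises: with a stateless filter the outbound rule only lets through packets whose source is the inside IP and port 1100/1105, so the port fields in step 3 must be the mirror image of step 1 or the return traffic is dropped.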