Router is connected to an Ad-Tran TSU-120 CSU/DSU.
CSU/DSU is connected to the Internet via T-1.
T-1 --> CSU/DSU --> 1720 --> PIX --> LAN (switches).
I now have a Cisco 3005 VPN Concentrator to add to the mix. According to documentation the 3005 should be placed on a new subnet with the firewall, both behind the 1720 router.
T-1 --> CSU/DSU --> 1720 --> PIX / VPN --> LAN.
Is there a way to place the 3005 directly behind the firewall on the private network so I don't need to buy another switch, but still have a secure connection? Is this a bad idea? How does it affect outbound traffic from the private network?
You should place the 3000 on the DMZ of the firewall. If you do not have another interface on it, then you can put it in front of the firewall and put IOS Firewall on the router as well; that way no traffic will be bypassing the firewall. If you place the concentrator on the inside of the firewall, then all traffic coming in through the VPN will be bypassing the firewall, as that traffic will not be inspected. For further help kindly look at the different SAFE design options at
Sounds great so far. No DMZ so it'd have to go before the firewall then. Do I really need to setup firewalling on the router? And will putting the concentrator in this configuration affect outbound internet traffic from the private LAN?
You could also place the concentrator's outside interface on 3rd pix interface, such as a dmz, and put the concentrator's inside interface directly on the inside LAN. I've had it running 2 years this way with no problems. You will still need to open the ports on the pix. The only caveat is if you allow connected vpn users to go to the internet thru the concentrator, the pix will have to handle that traffic twice. I have about a max of 75 concurrent connections on any given day and it hasn't had any noticeable degradation to the pix or internet connection...then again I have a 10Mb internet connection too. I have 1300 internal users.
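The three-interface layout described in the reply above (concentrator public port on a PIX DMZ, private port on the inside LAN), as an added configuration example rather than anything posted in this thread. It uses PIX 6.x syntax and assumed addresses: 203.0.113.0/24 as the public range, 192.168.100.0/24 as the DMZ, 192.168.1.0/24 as the inside LAN, and 192.168.200.0/24 as the concentrator's client address pool. The names of the access lists and the interface numbering are also assumptions.

```cisco
! --- DMZ interface carrying the 3005's public port (assumed ethernet2) ---
nameif ethernet2 dmz security50
ip address dmz 192.168.100.1 255.255.255.0

! Public address the remote clients dial; maps 1:1 to the 3005's DMZ address.
! Both addresses are assumptions for this example.
static (dmz,outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255

! Only the IPsec control and data protocols are opened toward the 3005:
!   UDP 500  (ISAKMP / IKE)
!   UDP 4500 (IKE/ESP encapsulated in UDP for NAT traversal)
!   ESP      (IP protocol 50, the encrypted tunnel itself)
! Nothing else on the DMZ is reachable from the outside.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit udp any host 203.0.113.10 eq 4500
access-list outside_in permit esp any host 203.0.113.10
access-group outside_in in interface outside

! --- Inside side: the 3005's private port sits on the LAN (assumed 192.168.1.5) ---
! Decrypted client traffic exits the 3005 with addresses from its pool
! (assumed 192.168.200.0/24).  The PIX needs a route back to that pool via
! the 3005's private port, otherwise replies from the Internet to VPN clients
! are dropped as unknown inside hosts.
route inside 192.168.200.0 255.255.255.0 192.168.1.5 1

! If connected VPN users are allowed out to the Internet through the
! concentrator, their pool must be in the inside NAT rule.  This is the
! "handled twice" case: once as ESP on the outside->dmz path, and again as
! clear traffic on the inside->outside path.
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.200.0 255.255.255.0
global (outside) 1 interface
```

The security property of this layout follows directly from the access list: an attacker on the Internet can reach only the three IPsec ports on the concentrator, so the PIX still screens the encrypted side. What the PIX does not see is the decrypted client traffic entering the LAN from the 3005's private port, so access control for VPN users has to be done on the concentrator (group filters) or on the LAN side, which is the trade-off the thread discusses.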
I have 2 concerns at this point depending on the position in the setup:
1). If the 3005 is placed before the firewall in the chain, how do I set up routing to flow from the router to the 3005 to the firewall to the LAN? Do I need a separate subnet defined for the 3005 private port to PIX public port connection?
For example, right now I have:
T-1 to router. Router internal IP = 22.214.171.124
Router to Pix. Pix public = 126.96.36.199 & Pix private = 192.168.1.1
Pix to LAN (192.168.x.x).
If I add the 3005 in serial, do I need to fabricate another internal subnet for the pix to 3005 connection? And how do I set up that route on the router (or don't I need to worry about it)?
2). If I run in parallel (which seems easier to route), isn't that configuration leaving my private LAN open to attack via VPN connections that are bypassing the firewall entirely? Or is security implied by the nature of the 3005, thereby making a firewall unnecessary for these connections?