Rookie VPN design

waifurchin
Level 1

Private network 192.168.1.x (using Cisco switches).

LAN is connected to a Cisco PIX 506.

PIX is connected to a Cisco 1720 router.

Router is connected to an Ad-Tran TSU-120 CSU/DSU.

CSU/DSU is connected to the Internet via T-1.

T-1 --> CSU/DSU --> 1720 --> PIX --> LAN (switches).

I now have a Cisco 3005 VPN Concentrator to add to the mix. According to documentation the 3005 should be placed on a new subnet with the firewall, both behind the 1720 router.

T-1 --> CSU/DSU --> 1720 --> PIX / VPN --> LAN.

Is there a way to place the 3005 directly behind the firewall on the private network so I don't need to buy another switch, but still have a secure connection? Is this a bad idea? How does it affect outbound traffic from the private network?

Thanks.

5 Replies

awaheed
Cisco Employee

Hi,

You should place the 3000 on the DMZ of the firewall. If you do not have another interface on it, then you can put it in front of the firewall and put IOS Firewall on the router as well; that way no traffic will be bypassing the firewall. If you place the concentrator on the inside of the firewall, then all traffic coming in through the VPN will be bypassing the firewall, as that traffic will not be inspected. For further help kindly look at the different SAFE design options at

http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html

Hope this helps,

Regards,

Aamir

-=-

Sounds great so far. No DMZ so it'd have to go before the firewall then. Do I really need to setup firewalling on the router? And will putting the concentrator in this configuration affect outbound internet traffic from the private LAN?

You do not need to put the concentrator behind a firewall for it to work. It is more a security option.

If you do decide to put the concentrator behind a firewall, make sure you allow the ports required for ipsec negotiation through it.

Native IPsec - tcp 50 and udp 500

IPsec over UDP - udp 500 and whatever udp port you set.

NAT transparency tcp - whatever tcp port you set.

New feature in 3.6, udp NAT transparency - udp 4500.

Regards,
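As an added example (not posted by anyone in this thread), this is a PIX 6.x fragment that admits the IPsec flows listed above to a concentrator whose public interface sits on the inside network behind the PIX. The public address 66.1.2.5, the concentrator address 192.168.1.5, the ACL name outside_in and the IPsec-over-UDP port 10000 are assumed values; ESP is IP protocol 50 rather than a TCP port, so it is matched with the esp protocol keyword.

```cisco
: Assumed addresses: 66.1.2.5 is a spare public address on the router-PIX
: segment, 192.168.1.5 is the concentrator's public interface on the LAN.
: One-to-one static translation so the PIX can forward ESP (which has no
: ports) as well as the UDP control traffic to the concentrator.
static (inside,outside) 66.1.2.5 192.168.1.5 netmask 255.255.255.255 0 0

: Inbound policy on the outside interface: only the IPsec flows the
: concentrator needs, each limited to the concentrator's translated address.
access-list outside_in remark IKE negotiation (ISAKMP, UDP 500)
access-list outside_in permit udp any host 66.1.2.5 eq isakmp
access-list outside_in remark ESP, IP protocol 50 (native IPsec)
access-list outside_in permit esp any host 66.1.2.5
access-list outside_in remark UDP NAT transparency (NAT-T), UDP 4500
access-list outside_in permit udp any host 66.1.2.5 eq 4500
access-list outside_in remark IPsec over UDP, assumed port 10000
access-list outside_in permit udp any host 66.1.2.5 eq 10000
: Everything else is dropped by the ACL's implicit deny.
access-group outside_in in interface outside
```

Use "show access-list outside_in" after a test connection to confirm that the hit counters on the isakmp and esp (or 4500) lines increment; a peer that negotiates IKE but never shows ESP or NAT-T hits usually points at a missing protocol 50 rule.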

bbenton
Level 1

You could also place the concentrator's outside interface on 3rd pix interface, such as a dmz, and put the concentrator's inside interface directly on the inside LAN. I've had it running 2 years this way with no problems. You will still need to open the ports on the pix. The only caveat is if you allow connected vpn users to go to the internet thru the concentrator, the pix will have to handle that traffic twice. I have about a max of 75 concurrent connections on any given day and it hasn't had any noticeable degradation to the pix or internet connection...then again I have a 10Mb internet connection too. I have 1300 internal users.

No 3rd interface (e.g. no DMZ possible).

I have 2 concerns at this point depending on the position in the setup:

1). If the 3005 is placed before the firewall in the chain, how do I set up routing to flow from the router to the 3005 to the firewall to the LAN? Do I need a separate subnet defined for the 3005 private port to PIX public port connection?

For example, right now I have:

T-1 to router. Router internal IP = 66.1.2.3

Router to Pix. Pix public = 66.1.2.4 & Pix private = 192.168.1.1

Pix to LAN (192.168.x.x).

If I add the 3005 in serial, do I need to fabricate another internal subnet for the pix to 3005 connection? And how do I set up that route on the router (or don't I need to worry about it)?

2). If I run in parallel (which seems easier to route), isn't that configuration leaving my private LAN open to attack via VPN connections that are bypassing the firewall entirely? Or is security implied by the nature of the 3005, thereby making a firewall unnecessary for these connections?

Thanks for all the help so far.
