VPN 3000 behind any firewall

alanbcameron
Level 1

Is it necessary to put a VPN 3000 server behind a firewall ? Are there any caveats when implementing lan-to-lan and client connections through a firewall to the VPN server?

8 Replies 8

Richard Burts
Hall of Fame

Alan

It is not necessary to put a VPN 3000 concentrator behind a firewall. It will work just fine outside a firewall, and can be put inside the firewall if desired. From a personal perspective I would generally prefer to put the concentrator outside of the firewall because if the concentrator is inside the firewall then the firewall will only see encrypted traffic and will not be able to examine the data being transmitted and determine if it is valid or not.

If you do put the concentrator inside the firewall the major caveat is that you must allow the IPSec traffic through the firewall. Determining what that traffic should be will depend somewhat on how you have configured the concentrator. But in general you should allow ISAKMP (UDP port 500) and ESP and/or AH (IP protocols 50 and 51). I think the other caveat is what I said in the previous paragraph that the usefulness of the firewall is diminished if it can not see and evaluate the data being sent over the VPN.

HTH

Rick

Hello Rick,

This is helpful. In either scenario, you are filtering traffic through the firewall encrypted or in the clear. Have you ever encountered the VPN 3000 deployed on its own without a firewall ?

Are there exposures if the VPN server is configured for lan-to-lan or client access only ?

I have gathered from other reading that UDP 4500 is needed for the Ipsec-T traffic. Is this necessary ?

Thanks

Alan

I prefer to deploy the concentrator behind a firewall.

The main reason is that the concentrator has no built-in firewall to protect itself from attacks such as DoS.

Assuming the firewall has more than 3 interfaces, both the public and private interfaces of the concentrator can be connected to different firewall interfaces. That is, the firewall is able to protect the concentrator and to inspect the traffic in clear text.

e.g.

firewall interface 1 <--> internet

firewall interface 2 <--> private subnet

firewall interface 3 <--> concentrator public

firewall interface 4 <--> concentrator private

To permit the concentrator traffic on the firewall:

udp 500

udp 4500

esp
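The four-interface design and the permit list above (and the ISAKMP/ESP/AH list in Rick's earlier reply) written out as firewall rules, as an added example in Cisco ASA/PIX access-list syntax; this is not configuration from the thread or from Cisco documentation. The interface names (outside, vpn_private), the access-list names, and the addresses 198.51.100.10 (concentrator public interface), 192.0.2.20 (a LAN-to-LAN peer), 10.10.0.0/24 (client address pool and remote LAN-to-LAN subnets) and 10.0.0.0/24 (private subnet) are placeholders chosen for illustration.

```text
! Placeholder names and addresses; adjust to the real topology.
!
! Internet -> concentrator public interface: only the IPsec control and
! data traffic listed in the replies is allowed in (UDP 500 = isakmp).
access-list outside_to_vpn extended permit udp any host 198.51.100.10 eq isakmp
access-list outside_to_vpn extended permit udp any host 198.51.100.10 eq 4500
access-list outside_to_vpn extended permit esp any host 198.51.100.10
access-list outside_to_vpn extended permit ah any host 198.51.100.10
access-group outside_to_vpn in interface outside
!
! If only LAN-to-LAN tunnels terminated here, "any" could be narrowed to the
! known peer address, e.g.:
!   access-list outside_to_vpn extended permit udp host 192.0.2.20 host 198.51.100.10 eq isakmp
! Remote-access clients connect from unpredictable addresses, so "any" stays
! for them; the same four rules cover both client and LAN-to-LAN tunnels.
!
! Concentrator private interface -> private subnet: this is the decrypted
! traffic, which the firewall can now inspect like any other clear-text flow.
access-list vpn_private_to_inside extended permit ip 10.10.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-group vpn_private_to_inside in interface vpn_private
```

The point of the second access-group is the one both replies make: with the concentrator's private side terminating on its own firewall interface, the firewall sees the traffic after decryption and can apply its normal policy to it, which it cannot do when the concentrator sits entirely inside and only encrypted packets pass through.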

Thanks for your insight into this.

One more question, I am assuming the ports and services permit client as well as lan-to-lan access, correct ?

For this conversation, I have three interfaces on my server, public, private and external.

Thanks again.

Yes, both client and LAN-to-LAN VPN are configured on the concentrator.

Thanks, I am clear now on my implementation options.

It's good to learn that the info is useful.

According to Cisco,
