12-22-2005 08:59 AM - edited 02-21-2020 02:10 PM
Is it necessary to put a VPN 3000 server behind a firewall ? Are there any caveats when implementing lan-to-lan and client connections through a firewall to the VPN server?
12-22-2005 09:57 AM
Alan
It is not necessary to put a VPN 3000 concentrator behind a firewall. It will work just fine outside a firewall, and can be put inside the firewall if desired. From a personal perspective I would generally prefer to put the concentrator outside of the firewall because if the concentrator is inside the firewall then the firewall will only see encrypted traffic and will not be able to examine the data being transmitted and determine if it is valid or not.
If you do put the concentrator inside the firewall the major caveat is that you must allow the IPSec traffic through the firewall. Determining what that traffic should be will depend somewhat on how you have configured the concentrator. But in general you should allow ISAKMP (UDP port 500) and ESP and/or AH (IP protocols 50 and 51). I think the other caveat is what I said in the previous paragraph that the usefulness of the firewall is diminished if it can not see and evaluate the data being sent over the VPN.
HTH
Rick
12-22-2005 11:22 AM
Hello Rick,
This is helpful. In either scenario, you are filtering traffic through the firewall encrypted or in the clear. Have you ever encountered the VPN 3000 deployed on its own without a firewall ?
Are there exposures if the VPN server is configured for lan-to-lan or client access only ?
I have gathered from other reading that UDP 4500 is needed for the Ipsec-T traffic. Is this necessary ?
Thanks
Alan
12-22-2005 03:57 PM
i prefer to deploy the concentrator behind a firewall.
the main reason is that the concentrator has no built-in firewall to protect itself, such as dos attack.
assuming the firewall has more than 3 interfaces, then both public and private interfaces of the concentrator can be connected to the firewall different interfaces. that is, the firewall is able to protect the concentrator, and to inspect the traffic in clear text.
e.g.
firewall interface 1 <--> internet
firewall interface 2 <--> private subnet
firewall interface 3 <--> concentrator public
firewall interface 4 <--> concentrator private
to permit the concentrator traffic on the firewall,
udp 500
udp 4500
esp
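As an added example (not from any of the posts above and not Cisco documentation), here is how the four-interface layout and the three permitted services could be expressed as PIX 7.x/ASA-style access lists; the addresses, interface names and VPN client pool are placeholders chosen for illustration.

```cisco
! Constructed example: placeholder addresses and interface names.
!   outside   = firewall interface 1 (Internet)
!   inside    = firewall interface 2 (private subnet 10.0.0.0/24)
!   conc_pub  = firewall interface 3 (concentrator public 203.0.113.10)
!   conc_priv = firewall interface 4 (concentrator private side)
!   10.100.0.0/24 = address pool handed to remote-access clients (assumed)

! --- Interface 1 -> 3: only IPsec may reach the concentrator's public address
access-list outside_in extended permit udp any host 203.0.113.10 eq isakmp
access-list outside_in extended permit udp any host 203.0.113.10 eq 4500
access-list outside_in extended permit esp any host 203.0.113.10
! Uncomment only if a tunnel is configured to use AH (IP protocol 51):
! access-list outside_in extended permit ah any host 203.0.113.10
! Everything else is dropped by the implicit deny at the end of the list.
access-group outside_in in interface outside

! For a lan-to-lan-only deployment the "any" above can be narrowed to the
! peer gateway, e.g. "host 192.0.2.1"; remote-access clients need "any".

! --- Interface 4 -> 2: decrypted traffic arrives here in the clear, so the
! firewall can inspect it and limit VPN users to what they actually need.
access-list conc_priv_in extended permit tcp 10.100.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 443
access-list conc_priv_in extended permit udp 10.100.0.0 255.255.255.0 host 10.0.0.53 eq domain
access-group conc_priv_in in interface conc_priv
```

The point of the second list is the one Rick raised: with the concentrator's private side behind its own firewall interface, the firewall sees the VPN traffic after decryption and can apply ordinary inspection to it.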
12-23-2005 05:50 AM
Thanks for your insight into this.
12-23-2005 05:55 AM
One more question, I am assuming the ports and services permit client as well as lan-to-lan access, correct ?
For this conversation, I have three interfaces on my server, public, private and external.
Thanks again.
12-24-2005 06:04 AM
yes, both client and lan-lan vpn are configured on the concentrator.
12-27-2005 11:51 AM
Thanks, I am clear now on my implementation options.
12-27-2005 03:31 PM
it's good to learn that the info is useful.
according to cisco,