It is not necessary to put a VPN 3000 concentrator behind a firewall. It will work just fine outside a firewall, and can be put inside the firewall if desired. From a personal perspective I would generally prefer to put the concentrator outside of the firewall because if the concentrator is inside the firewall then the firewall will only see encrypted traffic and will not be able to examine the data being transmitted and determine if it is valid or not.
If you do put the concentrator inside the firewall, the major caveat is that you must allow the IPSec traffic through the firewall. Determining what that traffic should be will depend somewhat on how you have configured the concentrator. But in general you should allow ISAKMP (UDP port 500) and ESP and/or AH (IP protocols 50 and 51). I think the other caveat is what I said in the previous paragraph: the usefulness of the firewall is diminished if it cannot see and evaluate the data being sent over the VPN.
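As an added illustration of the rule set described above (not code from the thread), the following Python models the minimal pass-through policy as a first-match ACL with an implicit deny and evaluates sample packets against it; the concentrator address and the sample sources are constructed, and the `inspectable()` check encodes the caveat that ESP/AH payloads are opaque to a firewall sitting in the IPsec path.

```python
from dataclasses import dataclass
from typing import Optional

UDP, ESP, AH = 17, 50, 51          # IP protocol numbers
ISAKMP_PORT = 500                  # ISAKMP / IKE

# Constructed address for the concentrator's public interface (not from the thread).
CONCENTRATOR_PUBLIC = "198.51.100.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                     # IP protocol number
    dport: Optional[int] = None    # L4 destination port; None for ESP/AH


def ipsec_passthrough_rules(concentrator_ip: str):
    """Minimal permit list for the firewall interface facing the Internet:
    ISAKMP (UDP/500), ESP (proto 50) and AH (proto 51), to the concentrator only."""
    return [
        ("permit", UDP, ISAKMP_PORT, concentrator_ip),
        ("permit", ESP, None, concentrator_ip),
        ("permit", AH, None, concentrator_ip),
    ]


def evaluate(rules, pkt: Packet) -> str:
    """First-match evaluation with an implicit deny at the end, like a Cisco ACL."""
    for action, proto, dport, dst in rules:
        if pkt.proto == proto and pkt.dst == dst and (dport is None or pkt.dport == dport):
            return action
    return "deny"


def inspectable(pkt: Packet) -> bool:
    """ESP/AH carry encrypted or authenticated payload, so a firewall in the IPsec
    path can only filter on headers; cleartext exists only on the private side."""
    return pkt.proto not in (ESP, AH)


if __name__ == "__main__":
    rules = ipsec_passthrough_rules(CONCENTRATOR_PUBLIC)
    for pkt in (Packet("203.0.113.7", CONCENTRATOR_PUBLIC, UDP, 500),
                Packet("203.0.113.7", CONCENTRATOR_PUBLIC, ESP),
                Packet("203.0.113.7", CONCENTRATOR_PUBLIC, 6, 80)):
        print(pkt, evaluate(rules, pkt), "inspectable" if inspectable(pkt) else "opaque")
```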
I prefer to deploy the concentrator behind a firewall.
The main reason is that the concentrator has no built-in firewall to protect itself, such as against a DoS attack.
Assuming the firewall has more than 3 interfaces, both the public and private interfaces of the concentrator can be connected to different firewall interfaces. That is, the firewall is able to protect the concentrator and to inspect the traffic in clear text.
firewall interface 1 <--> internet
firewall interface 2 <--> private subnet
firewall interface 3 <--> concentrator public
firewall interface 4 <--> concentrator private
To permit the concentrator traffic on the firewall,