
VPN 3005 Placement

david
Level 1

I would like some feedback on where everyone is placing their VPN Concentrators.

I know general deployment recommends running parallel to the inside and outside interface of the firewall. Is anyone running their outside VPN interface on a DMZ?

-dl


engel
Level 2

Yes, we do it. I think the VPN 3000 doesn't have DoS protection on itself, so it would be better to protect this interface (VPN3000's outside I/F) by a firewall. Make sure you don't get a bottleneck on the firewall.

dcwalker
Level 1

We run inside the firewall as well. I was concerned that we would take a bit of a performance hit but so far it seems OK.

David,

If 3005 is placed behind a firewall, how would the servers behind 3005 respond to outbound requests?

Steve

Ours usually uses an L3 switch between the servers and the Concentrator/Firewall. Outbound traffic from the servers (with a destination to a public IP address) goes to the Firewall directly (this traffic will not be encrypted). Outbound traffic from the servers with a destination to the other encryption domain goes to the Concentrator (this traffic will be encrypted).

Regards,

Engel.

lr.moore
Level 1

A third vote for standard deployment on a DMZ interface of the firewall. Protection from DoS, use a static NAT address so the real IP is hidden also...
