Cisco Support Community
New Member

VPN 3005 Placement

I would like some feedback on where everyone is placing their VPN Concentrators.

I know general deployment recommends running parallel to the inside and outside interface of the firewall. Is anyone running their outside VPN interface on a DMZ?

-dl

5 REPLIES
New Member

Re: VPN 3005 Placement

Yes, we do it. I think the VPN 3000 doesn't have DoS protection on itself, so it would be better to protect this interface (VPN3000's outside I/F) by a firewall. Make sure you don't get a bottleneck on the firewall.

New Member

Re: VPN 3005 Placement

We run inside the firewall as well. I was concerned that we would take a bit of a performance hit but so far it seems OK.

New Member

Re: VPN 3005 Placement

David,

If 3005 is placed behind a firewall, how would the servers behind 3005 respond to outbound requests?

Steve

New Member

Re: VPN 3005 Placement

Ours usually uses an L3 switch between the servers and the Concentrator/Firewall. Outbound traffic from the servers (with a destination to a public IP address) goes to the Firewall directly (this traffic will not be encrypted). Outbound traffic from the servers with a destination to the other encryption domain goes to the Concentrator (this traffic will be encrypted).

Regards,

Engel.
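
The routing split described in the reply above, as an added example that is not part of the original thread: a longest-prefix-match model of the L3 switch, plus a check that flags encryption-domain prefixes which would fall through to the firewall and leave unencrypted. All prefixes and the next-hop names `firewall` and `concentrator` are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the thread).
ROUTES = {
    "0.0.0.0/0": "firewall",         # public destinations, sent unencrypted
    "10.20.0.0/16": "concentrator",  # remote encryption domain, encrypted
    "10.30.0.0/16": "concentrator",
}
# Prefixes the VPN policy says must be encrypted; the last one has no route.
ENCRYPTION_DOMAIN = ["10.20.0.0/16", "10.30.0.0/16", "10.40.0.0/24"]


def _parsed(routes):
    """Turn the route dict into (network, next_hop) pairs."""
    return [(ipaddress.ip_network(p), hop) for p, hop in routes.items()]


def next_hop(dest, routes=ROUTES):
    """Longest-prefix match, as the L3 switch does for server traffic."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, hop) for net, hop in _parsed(routes) if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def unencrypted_leaks(domain=ENCRYPTION_DOMAIN, routes=ROUTES):
    """Return encryption-domain prefixes not fully routed to the concentrator."""
    table = _parsed(routes)
    leaks = []
    for prefix in domain:
        net = ipaddress.ip_network(prefix)
        # Most specific route that covers the whole prefix.
        covering = [(r, hop) for r, hop in table if r.supernet_of(net)]
        best = max(covering, key=lambda m: m[0].prefixlen, default=None)
        # A more specific route inside the prefix can divert part of it.
        diverted = any(r.subnet_of(net) and hop != "concentrator"
                       for r, hop in table)
        if best is None or best[1] != "concentrator" or diverted:
            leaks.append(prefix)
    return leaks


if __name__ == "__main__":
    print(next_hop("198.51.100.7"), next_hop("10.20.5.9"))
    print("would leave unencrypted:", unencrypted_leaks())
```
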

New Member

Re: VPN 3005 Placement

A third vote for standard deployment on a DMZ interface of the firewall. Protection from DoS, use a static NAT address so the real IP is hidden also...
