Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

VPN 3500 needs to be front-ended by PIX?

Hi -

I have a VPN3500 and a PIX 515.

I am setting up a new internet connection for VPN only.

Is the VPN3500 hardened enough to live directly connected to my internet feed, or should I install the PIX in front of it for added protection?

Cisco Employee

Re: VPN 3500 needs to be front-ended by PIX?

There are a lot of installations that make use of the vpn3000 directly to their internet isp connection. However, putting a PIX in frot is also going to add further security.

If the firewall is available for you to use, it is best setting up the vpn3000 private on a dmz, and the private on the inside.


Cisco Employee

Re: VPN 3500 needs to be front-ended by PIX?


Having the PIX in front is always recommended, additionally make sure to NOT put the CVPN3000 in parallel to the PIX as thats not a recommended SAFE VPN design, for further information on SAFE designs recommended by Cisco go to the following link:

Hope this helps,

Aamir Waheed,

Cisco Systems, Inc.



Community Member

Re: VPN 3500 needs to be front-ended by PIX?

1 VPN 3000 can be directly put in the internet. The filter on the public interface dropping most of other ip packets and only passing through the VPN traffic.

2 Put the VPN 3000 public interface in PIX dmz interface and private interface to the inside network is another choice. It can more secure control of your network.

3 Most secured design is put VPN 3000 pubilc in PIX dmz1 and private in dmz2. From this way, the PIX can filter the incoming traffic as well as the outgoing VPN traffic as well.

Overall, all three choices are very good design depending customer's different requirements.

Best Regards,

CreatePlease to create content