
VPN 3500 needs to be front-ended by PIX?

phoffswell
Level 1

Hi -

I have a VPN3500 and a PIX 515.

I am setting up a new internet connection for VPN only.

Is the VPN3500 hardened enough to live directly connected to my internet feed, or should I install the PIX in front of it for added protection?

3 Replies

edadios
Cisco Employee

There are a lot of installations that make use of the vpn3000 directly to their internet ISP connection. However, putting a PIX in front is also going to add further security.

If the firewall is available for you to use, it is best setting up the vpn3000 private on a dmz, and the private on the inside.

Regards,

awaheed
Cisco Employee

Hi,

Having the PIX in front is always recommended. Additionally, make sure NOT to put the CVPN3000 in parallel to the PIX, as that's not a recommended SAFE VPN design. For further information on SAFE designs recommended by Cisco, go to the following link: http://www.cisco.com/offer/tdm_home/vpn/learn.shtml

Hope this helps,

Aamir Waheed,

Cisco Systems, Inc.

CCIE#8933

-=-=-

paqiu
Level 1

1. The VPN 3000 can be put directly on the internet. The filter on the public interface drops most other IP packets and only passes through the VPN traffic.

2. Putting the VPN 3000 public interface on the PIX DMZ interface and the private interface on the inside network is another choice. It can give more secure control of your network.

3. The most secure design is to put the VPN 3000 public interface in PIX dmz1 and the private interface in dmz2. This way, the PIX can filter the incoming traffic as well as the outgoing VPN traffic.

Overall, all three choices are very good designs, depending on the customer's different requirements.

Best Regards,