You are correct - You would just need a VPN concentrator for VPN access.
FYI - Cisco VPN concentrators are End-of-life at the moment.
It would be a better idea just to get an ASA 5505 instead of the concentrator 3005.
Rate this post, if it helps!
So what if the internal PC needs to access internet, what is the common way to deploy a PIX and a VPN CON?
I would think to put a PIX alongside the VPN CON. But I think I read something like putting the VPN CON behind the PIX. I tried the latter but did not get it to work.
Could you please advise?
Most of the time a concentrator and PIX are used in series -
Concentrator on a different segment (DMZ), of the PIX firewall.
So, the concentrator real IP will be an RFC 1918, but it will be NATted via the PIX firewall. One to One - NAT.
Once you have the one to one NAT configured, then you would need to allow the protocols like UDP 500, ESP & NAT-T to go through the firewall so that clients or remote devices can build IPSec sessions.
Or you can just use the PIX firewall to terminate VPN connections instead of the concentrator.
All decisions depend on cost, security, reliability, back-up scenarios, network architecture, etc.
Rate this topic, if it helps
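The series design described in the post above, sketched as a PIX configuration fragment. This is an added example, not part of the original thread; the interface names (`outside`, `dmz`), the ACL name `outside_in`, and both addresses are assumed placeholders, and the syntax follows the PIX 6.x/7.x-style `static` command.

```cisco
! Assumed placeholders (not from the thread):
!   203.0.113.10  = public address presented for the concentrator
!   192.168.50.10 = concentrator's real RFC 1918 address on the DMZ segment

! One-to-one static NAT: DMZ real address <-> public address
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255

! Permit only what IPSec clients need to reach the concentrator
! IKE (UDP 500)
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
! ESP (IP protocol 50), used when no NAT sits in front of the client
access-list outside_in permit esp any host 203.0.113.10
! NAT-T (ESP encapsulated in UDP 4500), used when the client is behind NAT
access-list outside_in permit udp any host 203.0.113.10 eq 4500

! Bind the ACL inbound on the outside interface; everything else
! addressed to the concentrator is dropped by the implicit deny
access-group outside_in in interface outside
```

Because the ACL names only these three protocols, the concentrator's administrative HTTP interface is not reachable from the outside through the PIX in this layout.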
In the WebVPN functionality, are you using Citrix MetaFrame apps? If so, it is better to put the concentrator in parallel to the PIX.
Due to the IP address getting NATted and the certificates used by Citrix, etc.
There is no document on the website as to how to configure the concentrator and PIX in different scenarios, but there is an FAQ for the VPN 3000 concentrator.
Rate this post, if it helped!
OK, as said before, I need to access the office using WebVPN so I need the VPN CON.
So if I configure the 2 devices in parallel as below, from the point of view of security, it should be OK.
internet IP --- PIX ------
internet IP --- VPN CON --
So you are placing the VPN concentrator and the PIX in parallel.
That should not be a problem. Make sure you have the concentrator outside HTTP access blocked for administrative access or just use IP specific access rules to allow HTTP admin access.
Rate this post!!