Re: VPN Concentrator 3005 & PIX 520 Firewall Config Question

dahoover · ‎08-22-2001

Hello,

I am currently running a VPN Concentrator 3005 in parallel with our PIX 520 Firewall. I would however like to increase security buy having the "private" address be part of a DMZ on the PIX 520 and then translate that into an internal IP address pool.

Currently, I have an "outside" internet address and the "private" address goes directly into the internal IP address pool.

So, I guess the question is whether anyone has setup a VPN 3005 Concentrator with a "private" IP address into a PIX Firewall DMZ and then translate into the internal network IP address pool?

Thanks in advance,

Darle

lisa.hall · ‎08-28-2001

The recommended setup is to run the concentrator in Parallel with the Firewall, not off the Firewalls DMZ. With the right combination of Network Static’s from the Inside to the Perimeter and conduits to the concentrator from the outside I would think it’s doable. Has anyone tried this?

tmannard · ‎08-28-2001

We are using a 3030, hopefully this will apply to you as well.

Due to concerns our security department had about running in parallel, we put the public interface into the DMZ (using NAT on Checkpoint FW). We also put the private interface into the DMZ in a separate subnet. Works great.

tszabo · ‎08-31-2001

Can anyone point me to some documentation on how to do this exactly, I'm not finding anything. It doesn't help that I'm good with the concentrator's and not so good with the PIX. TIA.

dahoover · ‎09-12-2001

Hello,

I believe this sounds exactly like what I am after. Did you get your examples for setting this up from Cisco or on your own? I am uncertain about how to get the public DMZ interface translated into the internal address pool.

If you have any examples you could send my way or a URL that might be helpful, I would greatly appreciate it!

Thanks for responding to my question!

Darle Hoover

dhoover@brylane.com