I'm implementing a VPN 3005 and I have a PIX. Where would I place the VPN 3005 in regards to the PIX? VPN 3005: external int public and internal int private? External int to PIX DMZ and internal to private? Or both to DMZ ports on the PIX? Any suggestions are appreciated. Thanks.
I generally place the 3005 in parallel with the firewall. External int of 3005 on same network as external interface of firewall. Internet int on same network as internet int of firewall.
This allows you to operate the VPN even in the event of a PIX failure. For the more paranoid, placing the 3005 on a DMZ interface off the PIX is nice, as long as you have a routable subnet there...
It's really a matter of preference, I'd say. If you place the 3005 in parallel, you can do some hardening on the Internet router via an access-list to help protect the 3005 from port scans and eventual attacks.
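One way to do that Internet-router hardening for the parallel design, as an added example that is not from any of the posters above: an inbound extended ACL on the router's Internet-facing interface that lets only IPsec traffic reach the concentrator's public interface and hands everything else to the PIX. The addresses (203.0.113.10 for the 3005, 203.0.113.1 for the PIX outside interface), the interface name and the IPsec-over-UDP port 10000 are placeholders assumed for illustration; substitute your own.

```cisco
! Added example, not from the original thread.
! Assumed addressing (placeholders from TEST-NET-3):
!   203.0.113.10 = VPN 3005 public interface
!   203.0.113.1  = PIX outside interface
ip access-list extended VPN3005-INBOUND
 remark --- IKE / ISAKMP (UDP 500) to the concentrator
 permit udp any host 203.0.113.10 eq isakmp
 remark --- IKE NAT-Traversal (UDP 4500)
 permit udp any host 203.0.113.10 eq 4500
 remark --- IPsec over UDP, only if enabled on the 3005 (assumed port 10000)
 permit udp any host 203.0.113.10 eq 10000
 remark --- ESP (IP proto 50) and AH (IP proto 51)
 permit esp any host 203.0.113.10
 permit ahp any host 203.0.113.10
 remark --- Nothing else may touch the concentrator: no HTTP/SSH/SNMP
 remark --- management from the Internet; log hits to spot scans
 deny   ip any host 203.0.113.10 log
 remark --- Everything else goes on to the PIX, which applies its own policy
 permit ip any any
!
! Apply inbound on the Internet-facing interface (name assumed)
interface Serial0/0
 ip access-group VPN3005-INBOUND in
```

The logged deny line is the useful part for a defender: a burst of hits against the concentrator on ports other than 500/4500/50/51 is exactly the port-scan pattern the post mentions, and it shows up in the router's syslog rather than on the 3005 itself. Manage the concentrator from its private interface only, so the ACL never needs an Internet-side management exception.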
Just a note of agreement. Parallel is the way to go. I have been running that for about 6 months with no major problems, although I am graduating to the 515R from a 506 and will place the 506 in front of the concentrator now.