Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
298
Views
0
Helpful
3
Replies

VPN Design Question

awiseley
Level 1
Level 1

‎12-19-2002 08:59 AM - edited ‎02-21-2020 12:14 PM

We have a vendor who wants to setup a VPN 3005 to our Network. And I have never had the opportunity to set up a VPN. They request we plug directly into our LAN and to trust them. I do not feel comfortable with this plan. We have a PIX 510 Ver 5.1(2) and we NAT our private network to a class C public address. We do not restrict outbound traffic and only currently have two statics to permit inboud communications from the Internet. All the Cisco research I have found does not show the configuration I thought would work best. Is it possible to use a hub off of the dmz card of the pix and to have both the private and public ethernet ports of the 3005 plugged into the hub. This would keep the public and private ports protected and it would work through the PIX. Is this possible and what would I need to configure on the PIX to make it work?

Labels:
0 Helpful
3 Replies 3

jfrahim
Level 5
Level 5

‎12-19-2002 10:28 AM

Hi awiseley,

VPn really depends on your topology. First of all, what are you going to protect using the VPN connection? Your private LAN to to what ?

you can put the public interface of the concentrator behind the dmz interface of the pix firewall, but you have to connect the private interface of the concentrator towards the subnet which you want to protect using IPSec. Also, the private and public interfaces on the concentrators need to be in unique subnets

Hope that helps

Jazib

0 Helpful

awiseley
Level 1
Level 1
In response to jfrahim

‎12-19-2002 02:00 PM

We are a company with a WAN consisting of (5) main sites and each site has (1) to (5) remote sites. The core routers are all connected with redundant links. All of those facilities access the Internet through our Coporate Internet connection. It is my responisbility to protect the coporate local LAN and all of the other facilities against improper access. Only (1) of the sites will need to access the VPN. Their communications will have to go through two routers and the PIX box to reach the DMZ and then out the Internet to establish the IPSec tunnel.

I understand about the public interface but, if my network is 10.0.0.0 /8 can't the public be 10.1.1.1 and the private be 10.2.1.1 and still plug into the hub? The data that would be going over the IPSec tunnel would be private data.

0 Helpful

jfrahim
Level 5
Level 5
In response to awiseley

‎12-23-2002 11:09 AM

You cannot have 10.1.1.1/8 and 10.2.1.1/8 on the oublic and private interfaces on the concentrator. You can however, have 10.1.1.1/16 and 10.2.1.1/16 on the 2 interfaces

Hope that helps

Jazib

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents