Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

VPN Design Question

We have a vendor who wants to setup a VPN 3005 to our Network. And I have never had the opportunity to set up a VPN. They request we plug directly into our LAN and to trust them. I do not feel comfortable with this plan. We have a PIX 510 Ver 5.1(2) and we NAT our private network to a class C public address. We do not restrict outbound traffic and only currently have two statics to permit inboud communications from the Internet. All the Cisco research I have found does not show the configuration I thought would work best. Is it possible to use a hub off of the dmz card of the pix and to have both the private and public ethernet ports of the 3005 plugged into the hub. This would keep the public and private ports protected and it would work through the PIX. Is this possible and what would I need to configure on the PIX to make it work?

3 REPLIES
Bronze

Re: VPN Design Question

Hi awiseley,

VPn really depends on your topology. First of all, what are you going to protect using the VPN connection? Your private LAN to to what ?

you can put the public interface of the concentrator behind the dmz interface of the pix firewall, but you have to connect the private interface of the concentrator towards the subnet which you want to protect using IPSec. Also, the private and public interfaces on the concentrators need to be in unique subnets

Hope that helps

Jazib

Community Member

Re: VPN Design Question

We are a company with a WAN consisting of (5) main sites and each site has (1) to (5) remote sites. The core routers are all connected with redundant links. All of those facilities access the Internet through our Coporate Internet connection. It is my responisbility to protect the coporate local LAN and all of the other facilities against improper access. Only (1) of the sites will need to access the VPN. Their communications will have to go through two routers and the PIX box to reach the DMZ and then out the Internet to establish the IPSec tunnel.

I understand about the public interface but, if my network is 10.0.0.0 /8 can't the public be 10.1.1.1 and the private be 10.2.1.1 and still plug into the hub? The data that would be going over the IPSec tunnel would be private data.

Bronze

Re: VPN Design Question

You cannot have 10.1.1.1/8 and 10.2.1.1/8 on the oublic and private interfaces on the concentrator. You can however, have 10.1.1.1/16 and 10.2.1.1/16 on the 2 interfaces

Hope that helps

Jazib

78
Views
0
Helpful
3
Replies
CreatePlease to create content