Cisco Support Community

New Member

VPN Design Question


I am implementing a VPN solution with the following design :

External public router with internet connection and some basic access lists, connecting to PIX firewall then to a VPN 3005 concentrator then to private LAN. I am doing NAT on the firewall.

My specific questions would be what ports do I need to allow for the VPN sessions and are there any other considerations to watch out for with this design (Or is there a better solution available?).

  • Other Security Subjects
New Member

Re: VPN Design Question

You need to allow UDP port 500 for ISAKMP traffic and IP ports 50 and 51 for ESP/AH traffic.

I know that this is an ongoing discussion point between the parallel and serial supporters, but in my opinion, I would place the VPN concentrator in parallel with the firewall. The only traffic you allow on the concentrator is IPSec and ISAKMP, which will be allowed by the firewall anyway.
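As an added example that is not part of this thread, the PIX access list that corresponds to the design in the question, using constructed addresses: the concentrator's public interface is 10.1.1.10 on the PIX inside network and is published on the outside as 192.0.2.10. ESP and AH are IP protocols 50 and 51 rather than TCP/UDP ports, so they are permitted with the esp and ah protocol keywords; a one-to-one static is used because ESP carries no port numbers for PAT to translate.

```text
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
access-list outside_in remark Constructed example: IPsec to the VPN 3005 public interface
access-list outside_in remark IKE negotiation (ISAKMP, UDP 500)
access-list outside_in permit udp any host 192.0.2.10 eq isakmp
access-list outside_in remark ESP and AH are IP protocols 50 and 51, not ports
access-list outside_in permit esp any host 192.0.2.10
access-list outside_in permit ah any host 192.0.2.10
access-list outside_in remark Optional: NAT-T (UDP 4500), only if enabled on the concentrator
access-list outside_in permit udp any host 192.0.2.10 eq 4500
access-group outside_in in interface outside
```

The UDP 4500 line is only needed if NAT-T is enabled on the concentrator for remote clients that sit behind their own NAT devices.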

New Member

Re: VPN Design Question

Thanks for your post,

I can see why having the parallel model makes sense - how about placing the PIX on the private interface as an extra layer of security once the VPN tunnel is established - would this be overkill or a more secure solution?
