I have read the VPN SAFE architecture document and have a question about the placement of the VPN concentrator. The document shows the public side in the dirty DMZ and the private side in a protected DMZ, with an ACL "ip permit any" at the end.
Why wouldn't you want to put the public interface behind the firewall and the private side on the inside of your network? You could then filter traffic from there. Especially when attaching to a Windows-type network, where NetBIOS and other evils would have to be allowed. Wouldn't it be bad to allow that type of traffic through the firewall?
Because the concentrator's public and private interfaces cannot be put into the same subnet, if you put all of the concentrator's interfaces behind the firewall you need another router to take care of routing.
If you put the public interface in firewall DMZ1 and the private interface in firewall DMZ2, the PIX will take care of this basic routing and security control stuff.
For DMZ1, you only allow UDP port ISAKMP and protocols ESP and AH, for IPsec traffic.
For DMZ2, you can set up more control for different VPN groups depending on the different IP pools. Using access-lists, you can control which groups (different source IP addresses) can access which resources in your inside network.
If you set up a syslog server for the PIX firewall, you only need one central control point for your network security.
But if you punch a hole in the PIX and put the VPN concentrator behind it, you might need another syslog server for the VPN 3000 as well.
For network design, it totally depends on the customer's requirements.
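As an added example of the two-DMZ layout described in the answer above (this is not part of the original thread or of the SAFE document), here is a PIX 6.x style configuration fragment. The interface names, addresses, the concentrator's public (192.168.1.2) and private (192.168.2.2) interfaces, the two VPN pools, the inside hosts and the syslog collector are all assumed for illustration; the thread does not give any of them.

```cisco
: Assumed layout: outside = Internet, dmz1 = concentrator public side,
: dmz2 = concentrator private side, inside = protected network.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security40
ip address outside 203.0.113.1 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address dmz1 192.168.1.1 255.255.255.0
ip address dmz2 192.168.2.1 255.255.255.0

: Concentrator public interface 192.168.1.2 is reachable from the Internet as 203.0.113.2
static (dmz1,outside) 203.0.113.2 192.168.1.2 netmask 255.255.255.255 0 0

: DMZ1: only what IPsec needs - ISAKMP (UDP 500), ESP (IP protocol 50), AH (IP protocol 51)
access-list outside_in permit udp any host 203.0.113.2 eq isakmp
access-list outside_in permit esp any host 203.0.113.2
access-list outside_in permit ah any host 203.0.113.2
: Add "permit udp any host 203.0.113.2 eq 4500" only if NAT-T is enabled on the concentrator
access-group outside_in in interface outside

: Assumed VPN address pools handed out by the concentrator: 10.10.1.0/24 (admins), 10.10.2.0/24 (staff).
: The PIX reaches both through the concentrator's private interface.
route dmz2 10.10.1.0 255.255.255.0 192.168.2.2 1
route dmz2 10.10.2.0 255.255.255.0 192.168.2.2 1
: Inside addresses are presented unchanged to dmz2 (identity static, no NAT for VPN users)
static (inside,dmz2) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0

: DMZ2: per-pool control by source address. The admin pool reaches everything inside;
: the staff pool gets NetBIOS/SMB to one file server and HTTP to one intranet host only.
: Everything else arriving from the VPN is dropped and logged.
access-list dmz2_in permit ip 10.10.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list dmz2_in permit udp 10.10.2.0 255.255.255.0 host 10.0.0.20 eq netbios-ns
access-list dmz2_in permit tcp 10.10.2.0 255.255.255.0 host 10.0.0.20 eq netbios-ssn
access-list dmz2_in permit tcp 10.10.2.0 255.255.255.0 host 10.0.0.20 eq 445
access-list dmz2_in permit tcp 10.10.2.0 255.255.255.0 host 10.0.0.30 eq www
access-list dmz2_in deny ip any any log
access-group dmz2_in in interface dmz2

: One syslog collector (assumed at 10.0.0.50) receives the hits on both DMZ ACLs,
: so the PIX remains the single control point the answer describes.
logging on
logging timestamp
logging trap informational
logging host inside 10.0.0.50
```

The closing "deny ip any any log" on dmz2_in is the opposite of the "ip permit any" the question asks about: NetBIOS and SMB are allowed only from the staff pool to the one file server, and every other VPN flow shows up as a logged deny on the syslog server. After deploying, "show access-list dmz2_in" hit counts per line are a quick way to confirm that each pool is actually matching the entries intended for it.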