Cisco Support Community

New Member

VPN design

I have read the VPN SAFE architecture document and have a question about the placement of the VPN concentrator. The document shows the public side in the dirty DMZ and the private side in a protected DMZ with an ACL "ip permit any" at the end.

Why wouldn't you want to put the public interface behind the firewall and the private side on the inside of your network? You could then filter traffic from there, especially when attaching to a Windows-type network where NetBIOS and other evils would have to be allowed. Wouldn't it be bad to allow that type of traffic through the firewall?

Thanks in advance for your help.


New Member

Re: VPN design

Because the concentrator's public and private interfaces cannot be put into the same subnet, if you put all of the concentrator's interfaces behind the firewall, you need another router to take care of routing.

If you put the public interface in firewall DMZ1 and the private interface in firewall DMZ2, the PIX will take care of this basic routing and security control stuff.

For DMZ1, you only allow UDP port ISAKMP and protocols ESP and AH, for IPsec traffic.

For DMZ2, you can set up more control for different VPN groups depending on the different IP pools. Using access-lists, you can control which groups (different source IP addresses) can access which resources in your inside network.

If you set up a syslog server for the PIX firewall, you only need one central control point for your network security.

But if you punch a hole in the PIX and put the VPN concentrator behind it, you might need another syslog server for the VPN 3000 as well.

The network design totally depends on the customer's requirements.

We just provide some sorts of suggestions here.

Best Regards,
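The two-DMZ placement described in the reply above, written out as an added PIX 6.x-style configuration fragment (this is an example added here, not configuration from the thread or from Cisco's SAFE document). It shows the DMZ1 rule set that admits only IKE (UDP/500), ESP and AH to the concentrator's public interface, and a DMZ2 rule set keyed on the per-group address pools instead of the blanket "ip permit any" the original poster asked about, with syslog sent to one collector. Every address, interface name, pool range and server role below is an assumed placeholder (RFC 5737 / RFC 1918 ranges); the NAT-T line is commented out because the reply does not list UDP/4500, and it is only needed when remote users sit behind NAT.

```cisco
! Added example, not from the thread: PIX 6.x-style two-DMZ concentrator placement.
! All addresses, interface names and pools are assumptions for illustration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security20
nameif ethernet3 dmz2 security50

! Concentrator public interface (assumed 192.0.2.10) sits in DMZ1
ip address dmz1 192.0.2.1 255.255.255.0
! Concentrator private interface (assumed 192.168.2.10) sits in DMZ2
ip address dmz2 192.168.2.1 255.255.255.0

! Publish the concentrator's public interface on the outside with a 1:1 static mapping
static (dmz1,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255 0 0

! DMZ1 policy: from the Internet only IKE (UDP/500), ESP and AH may reach the concentrator
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit esp any host 203.0.113.10
access-list outside_in permit ah any host 203.0.113.10
! NAT-T (UDP/4500) is not in the reply; enable only if remote users are behind NAT
! access-list outside_in permit udp any host 203.0.113.10 eq 4500
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Decrypted traffic enters DMZ2 with the user's assigned pool address as source;
! the PIX must route those pools back to the concentrator's private interface
route dmz2 10.10.1.0 255.255.255.0 192.168.2.10 1
route dmz2 10.10.2.0 255.255.255.0 192.168.2.10 1

! Inside hosts are reachable from DMZ2 without translation (identity static)
static (inside,dmz2) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0

! DMZ2 policy: per-group control keyed on the source pool rather than "permit ip any"
! Assumed group A (pool 10.10.1.0/24): Windows file/directory access to one server subnet only,
! so NetBIOS/SMB is confined to that subnet instead of crossing the firewall freely
access-list dmz2_in permit tcp 10.10.1.0 255.255.255.0 10.1.10.0 255.255.255.0 eq 445
access-list dmz2_in permit tcp 10.10.1.0 255.255.255.0 10.1.10.0 255.255.255.0 eq 139
access-list dmz2_in permit udp 10.10.1.0 255.255.255.0 10.1.10.0 255.255.255.0 eq netbios-ns
access-list dmz2_in permit tcp 10.10.1.0 255.255.255.0 10.1.10.0 255.255.255.0 eq ldap
! Assumed group B (pool 10.10.2.0/24): one web application only
access-list dmz2_in permit tcp 10.10.2.0 255.255.255.0 host 10.1.20.5 eq www
access-list dmz2_in permit tcp 10.10.2.0 255.255.255.0 host 10.1.20.5 eq https
! Everything else from DMZ2 is dropped (and logged by the PIX)
access-list dmz2_in deny ip any any
access-group dmz2_in in interface dmz2

! One syslog collection point for the whole policy, as the reply recommends
logging on
logging trap informational
logging host inside 10.1.1.5
```

The DMZ2 access-list only works as a group control if the concentrator hands each group its own pool, so the pool-to-group mapping on the VPN 3000 has to match the source ranges used here; and because every deny on DMZ2 lands in the same syslog stream as the outside denies, a single collector sees both the Internet-facing and the post-decryption policy, which is the operational advantage the reply is pointing at.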

New Member

Re: VPN design

Thanks for the information, suggestions are exactly what I was looking for. This was a big help.