Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
827
Views
0
Helpful
2
Replies

Where do I place the VPN 3000 Concentrator in regard to my network firewall

Levittadmin
Level 1
Level 1

‎11-15-2007 09:23 AM - edited ‎02-21-2020 03:23 PM

While the answer under the FAQ is:

The VPN 3000 Concentrator can be placed in front of, behind, parallel to, or in the demilitarized zone (DMZ) of a firewall. It is not advisable to have the public and private interfaces in the same virtual LAN (VLAN).

What does the "It is not advisable to have the public and private interfaces in the same virtual LAN (VLAN)." means?

I am setting up a LAN-to-LAN IPsec VPN VPN Concentrator 3005 for a client and they are conern that if we put the device in front of the firewall, malicious people could get to their LAN via the Concentrator's public interface.

Is this the case?

Thanks,

David

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎11-15-2007 10:24 AM

Hi David

There are generally 2 ways i have seen VPN concentrators deployed.

1) Public interface on one DMZ behind the firewall. Private interface on another DMZ behind firewall. To get to the public interface you have to pass through the firewall.

2) Public interface parallel with firewall ie. publci interface is usually assigned an IP addresss out of the same subnet as the outside interface of the firewall. Private interface connected to DMZ hanging off the firewall.

I would not want to have the private interface connecting straight into the LAN, rather in both 1 & 2 it should be connected to a DMZ.

With option 1 you can add a rule on your firewall only allow the relevant IPSEC ports to the public interface of your concentrator. However sometimes the firewall can be more of a hindrance than a help especially if you are using a lot of NAT

With option 2 you need to make sure that only the IPSEC protocols are accepted on the public interface. No problems with NAT at your end. If you happen to have control over your border router upstream of the firewall then you can add an access-list rule to only allow IPSEC ports to the public interface of your concentrator.

Either way is acceptable, the key thing being that common to both is the need to have the private interface on a DMZ.

HTH

Jon

0 Helpful

Levittadmin
Level 1
Level 1
In response to Jon Marshall

‎11-15-2007 10:58 AM

Thank you

0 Helpful
Customers Also Viewed These Support Documents