Where do I place the VPN 3000 Concentrator in regard to my network firewall
The answer given in the FAQ is:
The VPN 3000 Concentrator can be placed in front of, behind, parallel to, or in the demilitarized zone (DMZ) of a firewall. It is not advisable to have the public and private interfaces in the same virtual LAN (VLAN).
What does "It is not advisable to have the public and private interfaces in the same virtual LAN (VLAN)." mean?
I am setting up a LAN-to-LAN IPsec VPN with a VPN Concentrator 3005 for a client, and they are concerned that if we put the device in front of the firewall, malicious people could get to their LAN via the Concentrator's public interface.
Re: Where do I place the VPN 3000 Concentrator in regard to my network firewall
There are generally two ways I have seen VPN concentrators deployed.
1) Public interface on one DMZ behind the firewall. Private interface on another DMZ behind the firewall. To get to the public interface you have to pass through the firewall.
2) Public interface parallel with the firewall, i.e. the public interface is usually assigned an IP address out of the same subnet as the outside interface of the firewall. Private interface connected to a DMZ hanging off the firewall.
I would not want to have the private interface connecting straight into the LAN, rather in both 1 & 2 it should be connected to a DMZ.
With option 1 you can add a rule on your firewall to only allow the relevant IPSEC ports to the public interface of your concentrator. However, sometimes the firewall can be more of a hindrance than a help, especially if you are using a lot of NAT.
With option 2 you need to make sure that only the IPSEC protocols are accepted on the public interface. No problems with NAT at your end. If you happen to have control over your border router upstream of the firewall, then you can add an access-list rule to only allow IPSEC ports to the public interface of your concentrator.
Either way is acceptable, the key thing common to both being the need to have the private interface on a DMZ.
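As an added example (not part of the original answer), this is the kind of border-router access list the reply describes for option 2: only the IPsec traffic needed for the LAN-to-LAN tunnel is allowed to reach the concentrator's public interface, everything else destined for that address is dropped and logged, and the rest of the public subnet is left for the firewall to police. Note that ESP (IP protocol 50) and AH (51) are IP protocols rather than ports, so an "IPsec ports only" rule has to permit them by protocol; UDP 4500 is needed in addition to UDP 500 whenever NAT-T is in play. All addresses, interface names and the ACL name are assumptions for illustration, drawn from the RFC 5737 documentation ranges.

```ios
! Added example, not from the original post. Cisco IOS extended ACL applied
! inbound on the Internet-facing interface of the border router upstream of
! the firewall (deployment option 2: concentrator public interface parallel
! with the firewall outside interface).
!
! Assumed addresses (RFC 5737 documentation ranges):
!   198.51.100.0/24  public subnet shared by firewall and concentrator
!   198.51.100.10    concentrator public interface
!   203.0.113.5      remote LAN-to-LAN IPsec peer
!
ip access-list extended INBOUND-FROM-INTERNET
 remark --- IPsec from the known peer to the concentrator public interface only ---
 permit udp host 203.0.113.5 host 198.51.100.10 eq isakmp
 permit udp host 203.0.113.5 host 198.51.100.10 eq non500-isakmp
 permit esp host 203.0.113.5 host 198.51.100.10
 permit ahp host 203.0.113.5 host 198.51.100.10
 remark --- anything else aimed at the concentrator never reaches it ---
 deny   ip any host 198.51.100.10 log
 remark --- the rest of the public subnet is the firewall's job ---
 permit ip any 198.51.100.0 0.0.0.255
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing
 ip access-group INBOUND-FROM-INTERNET in
```

The first four permit lines (UDP 500, UDP 4500, ESP, AH from the known peer) are the same set of rules you would write on the firewall itself for option 1, where the concentrator's public interface sits on a DMZ behind it. Restricting the source to the remote peer's address is only possible for a LAN-to-LAN tunnel with a fixed peer; for remote-access clients the source would have to be `any`, which is exactly why the reply insists the private interface still lands on a DMZ rather than directly on the LAN.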