Cisco Support Community
Community Member

Where should an IPSec device go?

The solution is for a customer that will have security concerns. Should it be put in the DMZ or in the network? If in the DMZ, all ports that will be used between our servers and their clients will need to be allowed by the customer's firewall. If inside the network, we only need to allow ports 50 and 500, but then if the device is compromised the customer's network is infiltrated. What a dilemma.

Any ideas?
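As an added illustration (not part of the thread), the two placements in the question modelled as firewall rule sets, so the trade-off can be checked: terminating inside means only the tunnel protocols cross the firewall, terminating in the DMZ means every decrypted application port must be opened from the DMZ into the LAN. It assumes IKE is UDP/500 and ESP is IP protocol 50 (a protocol number, not a port); the zone names and application ports are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str           # "udp", "tcp" or "esp"
    port: Optional[int]  # None for ESP, which is IP protocol 50, not a port

# Assumed IPsec control/data plane: IKE on UDP/500 and ESP (IP protocol 50).
IKE = ("udp", 500)
ESP = ("esp", None)

def rules_for_placement(placement: str, app_ports: Set[int]) -> Set[Rule]:
    """Rules the customer firewall must carry for each placement in the question."""
    if placement == "inside":
        # Tunnel terminates inside: only IKE and ESP cross the firewall; the
        # application traffic is decrypted behind it and needs no rule.
        return {Rule("internet", "inside", *IKE), Rule("internet", "inside", *ESP)}
    if placement == "dmz":
        # Tunnel terminates in the DMZ: IKE/ESP stop there, but every decrypted
        # client-to-server port must then be opened from the DMZ into the LAN.
        rules = {Rule("internet", "dmz", *IKE), Rule("internet", "dmz", *ESP)}
        rules |= {Rule("dmz", "inside", "tcp", p) for p in app_ports}
        return rules
    raise ValueError(f"unknown placement: {placement}")

def permits(rules: Set[Rule], src: str, dst: str, proto: str, port: Optional[int]) -> bool:
    """Stateless match: does any rule allow this zone-to-zone flow?"""
    return Rule(src, dst, proto, port) in rules

def inside_exposure(rules: Set[Rule]) -> Dict[str, int]:
    """Count rules that terminate in the LAN, grouped by the zone they come from."""
    counts: Dict[str, int] = {}
    for r in rules:
        if r.dst_zone == "inside":
            counts[r.src_zone] = counts.get(r.src_zone, 0) + 1
    return counts

if __name__ == "__main__":
    app_ports = {1433, 8443}  # constructed sample application ports
    for placement in ("inside", "dmz"):
        rules = rules_for_placement(placement, app_ports)
        print(placement, sorted(map(str, rules)), inside_exposure(rules))
```

Either way the rule count into the LAN is small, but what crosses it differs: with the inside placement it is only encrypted tunnel traffic, with the DMZ placement it is cleartext application traffic on each permitted port.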



Re: Where should an IPSec device go?

Which IPsec device are you talking about? The PIX is a firewall and VPN solution in one. The routers can be the same. The VPN 3000 & 5000 series go in parallel with a firewall solution. Yes, you can drop one behind the firewall and yes, you’ll have to open the ports for this. If the device has potential to be compromised, you might want to look at a different VPN device or firewall solution. I suggest having a design tech look at your situation.

Community Member

Re: Where should an IPSec device go?

Thanks for the reply,

The device would probably be a router using one interface.

What are the risks of using a 3000 concentrator? Does it not have to be as secure as the firewall itself if running in parallel?

Are there any advantages with the 7100 instead?

Community Member

Re: Where should an IPSec device go?

LAN-to-LAN on the 3000 is not as stable as using routers. In my opinion, it would be more secure if it sits behind the firewall, though it can be implemented either way.

The 7100 does not do WINS and DNS push to remote clients, cf. the 3000/5000 concentrators.
