Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Where to place a Concentrator on the Network?

We are thinking of putting our Concentrator on our DMZ (on a Pix) so we can block ports and basically use the firewall rules. Is the the usual place to put one?

5 REPLIES
New Member

Re: Where to place a Concentrator on the Network?

The position of both public and private interfaces is debatable. I have implimented a number for different customers and installed both with the outside interface directly on the outside of the firewall and in a DMZ, also with the inside interface on the inside of the network or in a dmz. This has mainly been dependent on the customers attitude to security and a number of other things such as possible loading on the firewall or large number of rule changes needed.

As the concentrator outside interface is hardened there is not a problem placing it on the outside of the firewall. Like wise as you can control policy to a degree on the concentrator, placing the inside interface directly on the inside of the network shouldnt be a problem either (unless you possibly want to restrict access based on differing IP pools.

So in short there is no right or wrong way, I wasnt sure from your initial question if it was your inside or outside interface of the concentrator that you was placing in the firewall dmz.

New Member

Re: Where to place a Concentrator on the Network?

Thanks for the reply, currently our public port is placed on the outside and the private is placed into the inside LAN switch. Just not sure if this is ok or not. It all was fine, but not sure about security? What is the External port for?

New Member

Re: Where to place a Concentrator on the Network?

Sorry for the delay, just seen your additional question. The external port can be used to setup Extranet access to say a 3rd party, ie. can be used as an additional public interface.

New Member

Re: Where to place a Concentrator on the Network?

Our implementation has the outside interface on the internet and the inside interface on the LAN. However, we recently performed a security scan on our outside networks and found that the concentrator is adminstrativly available from the outside. We are not sure if this is on by default or what configuration change caused this. Our rule in the outside filter states that HTTP and HTTPs are not allowed. Do any of you have any ideas how I can kill this service to the outside?

New Member

Re: Where to place a Concentrator on the Network?

In the Interface configuration go to the WebVPN tab and uncheck "Allow Management HPPS sessions" on your public interface. hth

141
Views
5
Helpful
5
Replies
CreatePlease to create content