The position of both public and private interfaces is debatable. I have implemented a number for different customers and installed both with the outside interface directly on the outside of the firewall and in a DMZ, also with the inside interface on the inside of the network or in a DMZ. This has mainly been dependent on the customer's attitude to security and a number of other things such as possible loading on the firewall or large number of rule changes needed.
As the concentrator outside interface is hardened there is not a problem placing it on the outside of the firewall. Likewise, as you can control policy to a degree on the concentrator, placing the inside interface directly on the inside of the network shouldn't be a problem either (unless you possibly want to restrict access based on differing IP pools).
So in short there is no right or wrong way. I wasn't sure from your initial question if it was your inside or outside interface of the concentrator that you were placing in the firewall DMZ.
Thanks for the reply, currently our public port is placed on the outside and the private is placed into the inside LAN switch. Just not sure if this is ok or not. It all was fine, but not sure about security? What is the External port for?
Our implementation has the outside interface on the internet and the inside interface on the LAN. However, we recently performed a security scan on our outside networks and found that the concentrator is administratively available from the outside. We are not sure if this is on by default or what configuration change caused this. Our rule in the outside filter states that HTTP and HTTPS are not allowed. Do any of you have any ideas how I can kill this service to the outside?
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: