VPN 3005 Placement

david
Level 1

I would like some feedback on where everyone is placing their VPN Concentrators.

I know general deployment recommends running parallel to the inside and outside interface of the firewall. Is anyone running their outside VPN interface on a DMZ?

-dl

5 Replies

engel
Level 2

Yes, we do it. I think the VPN 3000 doesn't have DoS protection on itself, so it would be better to protect this interface (VPN 3000's outside I/F) by a firewall. Make sure you don't get a bottleneck on the firewall.

dcwalker
Level 1

We run inside the firewall as well. I was concerned that we would take a bit of a performance hit but so far it seems OK.

David,

If 3005 is placed behind a firewall, how would the servers behind 3005 respond to outbound requests?

Steve

Ours usually uses an L3 switch between the servers and the Concentrator/Firewall. Outbound traffic from the servers (with a destination of a public IP address) goes to the Firewall directly (this traffic will not be encrypted). Outbound traffic from the servers with a destination in the other encryption domain goes to the Concentrator (this traffic will be encrypted).

Regards,

Engel.

lr.moore
Level 1

A third vote for standard deployment on a DMZ interface of the firewall. Protection from DoS, use a static NAT address so the real IP is hidden also...