Cisco Support Community
New Member

VPN - to PIX or Router or Both


I am going through setting up VPNs. I have a security question though. I have a 3660 and a PIX. The 3660 is my outside router, which is connected to the outside interface.

I NAT from the inside to another range between the PIX and 3660 and then NAT again from the 3660 to Internet addresses.

I have this question - which is better: to let the PIX outside interface have an Internet IP, therefore allowing VPN connections to the PIX, or getting VPNs to connect to the 3660?

Is there a way to connect to the 3660 and then pass it through to the PIX for auth?

Which is the higher security risk? Would it be better to have a VPN accelerator in either, and which one has the better VPN security with these cards? The PIX is a 520.

Thanks for any pointers



Re: VPN - to PIX or Router or Both


I would suggest bringing the PIX outside interface onto the reachable public network so that your VPN can be established without any probs.

Do block unnecessary ports on the 3660 router, allowing only the protocols and ports required to establish the VPN connectivity.

PIX by default takes care of the security part, so keep the settings intact. The only addition will be the new VPN config and the changes to the outside interface, which you need to bring out so that it can be reachable from your remote peers.
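
The router-side filtering suggested in the reply above, sketched as an added example that is not part of the original thread. The address 203.0.113.10 (standing in for the PIX outside interface), the interface name Serial0/0 and the ACL name VPN-TO-PIX are assumptions.

```cisco
! Constructed example: 203.0.113.10 is a placeholder for the PIX outside
! address; Serial0/0 is assumed to be the 3660's Internet-facing interface.
ip access-list extended VPN-TO-PIX
 remark IKE (ISAKMP) negotiation, UDP 500
 permit udp any host 203.0.113.10 eq 500
 remark IPsec ESP, IP protocol 50
 permit esp any host 203.0.113.10
 remark NAT traversal, UDP 4500, only if remote peers sit behind NAT
 permit udp any host 203.0.113.10 eq 4500
 remark Entries for any other inbound traffic the site needs go here
 deny ip any any log
!
interface Serial0/0
 ip access-group VPN-TO-PIX in
```

This ACL is stateless, so return traffic for sessions started from the inside also needs its own permit entries ahead of the final deny. Where the remote peer addresses are known, replace `any` with them to narrow the exposure further.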


New Member

Re: VPN - to PIX or Router or Both

Thanks for this - so would it be a good idea to get a VAC+ or/and AIM-VPN/HPII for the 3660?

I have been reading that PIX 7 is superior to PIX 6.3 and that if I had a choice between 6.3 and a router it probably should be a router? Is this true?

Just want to make it as secure as possible.


