I have a PIX 520 3-interface firewall. My company wants to implement a Cisco 3005 concentrator for VPN.
I would appreciate any suggestion regarding the placement of the concentrator (inside, DMZ, or outside bypassing the firewall).
The concentrator should be placed behind the FW to protect it from attacks.
So, the public interface will probably be connected to the DMZ.
You can work with only one interface: unencrypted traffic will go back out the same public interface via the PIX. That way you have control over the unencrypted traffic at the PIX as well.
You can work with 2 interfaces: the public interface connected to the DMZ, and the private interface connected to the private network. But you will need to provide routing for internal hosts, because their default gateway is probably the PIX.
The best option, as far as I can tell, is to upgrade the PIX to 6 interfaces; then 2 interfaces can be dedicated to the VPN box. This, of course, will cost something.
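Yizhar's single-interface option written out as PIX 6.x-style rules. This is an added illustration, not configuration from the thread or from Cisco; the interface names, addresses, ACL names and the 10.10.10.0/24 client pool are assumptions.

```cisco
! Assumed layout (not from the thread):
!   outside  203.0.113.0/24   PIX outside 203.0.113.1
!   dmz      192.168.50.0/24  PIX dmz 192.168.50.1, 3005 public 192.168.50.10
!   inside   10.0.0.0/16
!   VPN client pool handed out by the 3005: 10.10.10.0/24
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.0.1.1 255.255.0.0
ip address dmz 192.168.50.1 255.255.255.0

! Publish the concentrator's public interface on a dedicated outside address
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255

! From the Internet only IKE, NAT-T and ESP may reach the concentrator;
! nothing else in the DMZ is exposed by this list.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit udp any host 203.0.113.10 eq 4500
access-list outside_in permit esp any host 203.0.113.10
access-group outside_in in interface outside

! Decrypted client traffic leaves the 3005's public interface and arrives on
! the PIX dmz interface with pool source addresses. Keep inside addresses
! untranslated towards the dmz (identity static) and let only the pool reach
! the inside network, so the PIX, not the concentrator, decides what VPN
! users can reach.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0
access-list dmz_in permit ip 10.10.10.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! Replies from inside hosts for pool addresses go back to the concentrator
route dmz 10.10.10.0 255.255.255.0 192.168.50.10 1
```

Every packet to or from a VPN client crosses the dmz interface in the clear, so the dmz_in list is where the PIX logs and restricts what remote users may do.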
Not that I disagree with Yizhar, but if you don't have the additional ports on the firewall you may want to try putting it on the outside of the firewall.
With the 300x concentrators you can disable Telnet & HTTP access from the outside interface so it can only be configured from the inside interface. You can still ping it, but that's about it. *J*