PIX and VPN Concentrator on same network

[kirby449]

Hi Guys

We have a client who currently has a PIX 515 and a new requirement to have 25 dial-in VPN users.

My question is are we better deploying a VPN Concentrator or can the PIX cope with this. There is also a site-to-site VPN connection terminated at the PIX.

If a concentrator is the best route, where should this be deployed, eg on the inside of the PIX and router?

Also if it goes on the inside of the PIX, what configuration needs to be done on the PIX and does the concentrator need an external address or is a static translation through the PIX the best bet.

Many thanks
kirby449

 

[scottdware]

I would say that what you are doing now can work just fine. But in my experience...a VPN concentrator has better "user-management" functionality, like allowing users to authenticate against an AD domain or RADIUS.

As far as where to deploy the concentrator, there are alot of different view on that depending on who you talk to. I would (personally) place the concentrator in the DMZ, so that there can be some filtering done by traffic going to the concentrator.

You will need an access-list on the PIX to permit the traffic to it (cause by default the pix shut's everything out.) If you use a static ip, or a static translation, it really doesn't matter. Just make sure that you create the appropriate acl's to allow traffic to that IP that you are using.

 

[routerman]

I agree with Waresd, the VPN concentrator is a far better product when connecting VPN clients to your network.

As for the connection my preference is for the VPN concentrator to be on the outside network, and its inside interface to be on the DMZ. This way you can use the firewall to control what inside access the VPN users have.

 

[scottdware]

routerman's idea on where to place it is probably the route that you want to take...more secure that way.

 

[kirby449]

Thanks guys, appreciate your comments

 

[5ascent0]

I just purchased a VPN 3005 and have the same topology as kirby449. My question is if the VPN goes outside our PIX 501, then how do I get the VPN users to use the NT domain authentication. Also, how do I prevent my existing 501 to 501 tunnels from going down since the VPN will now be in the middle?

 

[dopehead]

Just a thought....if you have a pix515, put the outside of it on one interface and the inside on another interface, otherwise your c3000 public interface is "unprotected".

btw, the ezvpn server function in the pix also supports AD user auth, just through a Radius server such as MS IAS server (free product as far as i know)

However as everyone seems to agree on, the c3k products are much more userfriendly and granular in their user control.

Jan

Network Systems Engineer
CCNA/CQS/CCSP

 

[mtashiro]

The concentrator can filter traffic as well so I don't think that putting the inside interface on the DMZ would be nessesary unless you want something like Websense to be used as well.

A concentrator will also support NT authentication natively so you don't need ACS or anything like that.

 

[littlejohnny]

How about XP authentication on a pix515 vs a concentrator?

 

[dopehead]

mtashiro, the concentrator is not built to filter like a pix is. The concentrator is not stateful, so you will have problems with things like streaming through this without having a wide open hole from the vpn clients to your inside.

Also it is just another level of security i think (maybe you disagree

Also you don't need cisco secure acs for NT auth. with the pix, just the MS IAS service running on a member server.

XP Authentication ? same as Windows 2K/2K3, just run an IAS and use it's built-in radius feature to authenticate. Again in larger installs with many different users the c3000 wins that battle easily.

Regards
Jan

Network Systems Engineer
CCNA/CQS/CCSP