VPN3005 to Cisco VPN clients

Status
Not open for further replies.

hoinvip

MIS
Nov 16, 2001
GB
I wonder if someone could offer me some advice...

We're looking at putting a Cisco VPN3005 concentrator on our network to allow remote access to mobile / home workers.

We have a Cisco PIX acting as the perimeter device at the moment.... Can you please advise where we should site the VPN3005? In front, in parallel or behind the firewall?

Many thanks in advance,

HoinviP
 
Hi,

you must put the 3005 parallel behind your PIX.
Set the public interface of the VPN Concentrator into the perimeter network and the private interface on the inside interface of the PIX.

You only have to permit access for ESP and ISAKMP/UDP (it depends on your tunnel) to the public interface IP address.


Good luck,

Andreas
 
Thanks for the advice. If I understand you correctly, you are saying that the PIX outside ethernet still connects to our DSL router with the VPN3005 behind that? I assume all our internal devices go behind the VPN3005?

Should our mail server be behind the VPN3005 or connected to the PIX as well? Thanks,

HoinviP
 
Well actually you can place it in parallel to the PIX or behind the PIX. If you place it behind the PIX then you would need to open UDP ports 500 and 4500 as well as IP protocol 50 (ESP).
In parallel means the public interface resides on the same subnet as the PIX's outside interface and the DSL router, so they all should be connected to a switch. The private interface should be connected to the LAN switch.

If you have a DMZ then other options are:

- To place the public interface on the outside subnet and the private interface on the DMZ; this would be more secure since VPN users would need to pass the policy applied to the DMZ in order to access internal devices.
- To place the public interface on the DMZ and the private interface on the internal network

Hope it helps!
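As an added worked example (not posted by either of the repliers above), this is what the "behind the PIX" placement looks like as PIX 6.x configuration, taking the option where the concentrator's public interface sits on a PIX DMZ and its private interface on the inside LAN. It pulls together the advice in both replies: only ISAKMP (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) are permitted in, and only to the concentrator's public address. All addresses (RFC 5737 documentation space), the interface names and the ACL name `outside_in` are assumptions for illustration; the concentrator's public interface is assumed to be 172.16.1.2 on the DMZ, exposed to the Internet as 203.0.113.4.

```cisco
! PIX 6.x, three-interface model (e.g. PIX 515). All addresses are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Outbound PAT for the LAN. The concentrator gets a one-to-one static instead:
! ESP carries no port numbers, so it cannot be carried through PAT.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (dmz,outside) 203.0.113.4 172.16.1.2 netmask 255.255.255.255 0 0

! Inbound from the Internet: only what the IPsec clients need (IKE, NAT-T, ESP),
! and only to the concentrator's public address. Everything else is denied by
! the implicit deny at the end of the list.
access-list outside_in permit udp any host 203.0.113.4 eq isakmp
access-list outside_in permit udp any host 203.0.113.4 eq 4500
access-list outside_in permit esp any host 203.0.113.4
access-group outside_in in interface outside
```

With this layout the concentrator's public interface uses 172.16.1.1 (the PIX DMZ address) as its default route, and UDP 4500 is worth permitting even if you do not expect to need it, because most home workers will be behind a NAT router and the client will fall back to NAT-T. Note that in this arrangement the decrypted client traffic enters the LAN through the concentrator's private interface without passing a PIX policy; the alternative in the reply above (public interface on the outside subnet, private interface on the DMZ) forces VPN users through the DMZ-to-inside access list instead.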
 
Thanks for this.

We don't have a DMZ - the firewall is a PIX501 and we were thinking about putting the VPN3005 in alongside the PIX.

That way we figured we could have all outbound traffic and only inbound SMTP via the PIX and inbound user connections via the VPN3005. Does this make sense?

Are there any issues I need to consider with this?

TIA,

HoinviP
 
Having reviewed this some more, it would appear that the general advice is to run in parallel with the firewall.

I'm assuming that we set the internal devices to use the PIX for all outbound traffic (web browsing, DNS, SMTP etc..) and remote users come in via the Concentrator to access internal services.

Do we need to consider any routing issues with this approach?

TIA,

HoinviP
 