Solved

VPN Design question

Posted on 2001-06-19
294 Views
Last Modified: 2010-04-17
I have a PIX 515 and a 3005 VPN Concentrator. The PIX has 3 interfaces, one for private (inside), one for public (outside) and a DMZ. What is the best approach for the concentrator? Should I put it in the DMZ and then create access-lists or conduits to it? Is there a recommended approach with this? If anyone has recently done this and knows which ports to allow, etc., that would be great.
Question by:Silas
9 Comments
Accepted Solution

by:
jwalsh88 earned 60 total points
ID: 6208190
Here is how I would do it.

   External Router
         ||
******HUB/Switch******
  ||               ||
  ||               ||
  VPN          PIX Firewall
Concentrator       ||
  ||               ||
******Hub/Switch******
         ||
   Internal Router
         ||
   **Internal Network**

Have the internal router route traffic to external encryption domains to the VPN and use the default route for the PIX.
Author Comment

by:Silas
ID: 6208570
This is an option. Is there any benefit to hanging the VPN Concentrator off of the DMZ port on the PIX? Or is that just redundant and complicating things? One issue is that I do not have an internal router to work with.
Expert Comment

by:lrmoore
ID: 6208836
Most of the VPN concentrators that I have set up have the public interface connected to a DMZ port on the PIX, and the private interface connected to a LAN switch. Use another private IP address range on the DMZ, and create a static NAT map on the PIX:
static (DMZ,outside) <public ip> <private ip>
You will need a conduit to allow all IP from DMZ to outside only.

Expert Comment

by:jwalsh88
ID: 6208890
That was going to be my suggestion if you don't want to use another router. The only thing is now all the traffic that goes over the VPN goes through the firewall when it doesn't need to. That will create overhead and a small amount of latency. I would really suggest getting rid of the VPN device since it is actually really slow and small as far as number of connections and speed while encrypted compared to the PIX. I would just use the PIX to terminate the VPN tunnels. But if you want to use both I would say go with lrmoore's solution. I would say though, if you don't have a routing device between the internal network and the 2 routers (VPN and firewall), then how do you route VPN traffic to the VPN device and all else to the firewall? lrmoore, maybe I am just having a brain fart, but I am also really tired.
Author Comment

by:Silas
ID: 6211252
lrmoore: I don't really need to have a static NAT entry for the VPN device, do I? I can simply NAT the private traffic off the other PIX interface and use public addressing on my VPN interface. Nevertheless, I still need to define some conduits to forward the appropriate traffic to the concentrator. I'm not sure which ports I need (I want PPTP, IPSec, & L2TP), but I want to make sure this works correctly.
jwalsh88: you are correct; however, since my VPN device will have a public IP, I am a little reluctant to totally expose it to the Internet. I would prefer to add a second layer of protection using the PIX and conduits sending only the required traffic to the concentrator. The question is, do people do this? And is it a valid config? lrmoore seems to think it is, but I just want to make sure.
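As an added example, not from the thread: a PIX 6.x fragment for the layout lrmoore describes (concentrator public side on the DMZ, static map, conduits) that admits only the tunnel protocols Silas listed (PPTP, IPsec, L2TP). Interface name, security level and all addresses are assumed.

```cisco
! Added example, not from the thread. Assumed values:
!   DMZ interface address                         192.168.100.1/24  (assumed)
!   concentrator public-side interface on the DMZ 192.168.100.10    (assumed)
!   public address mapped to it on the outside    203.0.113.10      (assumed)
nameif ethernet2 dmz security50
ip address dmz 192.168.100.1 255.255.255.0

! One-to-one static, not PAT: ESP and GRE carry no port numbers, so they cannot
! survive port translation. A 1:1 map keeps the tunnels intact (rcasteel's NAT point).
static (dmz,outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255 0 0

! Inbound conduits: only what each tunnel type needs; everything else stays closed.
! IPsec: IKE on UDP/500 and ESP (IP protocol 50). Add protocol 51 only if AH is used.
conduit permit udp host 203.0.113.10 eq 500 any
conduit permit 50 host 203.0.113.10 any
! PPTP: TCP/1723 control channel plus GRE (IP protocol 47) for the data path.
conduit permit tcp host 203.0.113.10 eq 1723 any
conduit permit 47 host 203.0.113.10 any
! L2TP: UDP/1701. L2TP over IPsec travels inside ESP and needs only the IPsec lines.
conduit permit udp host 203.0.113.10 eq 1701 any

! Traffic from the concentrator back out to the Internet uses the static above;
! DMZ-to-outside is higher-to-lower security and is permitted once a translation
! exists. Nothing here opens DMZ-to-inside, so the concentrator's private interface
! on the LAN switch, not the PIX, is the only path into the internal network.
```

Verify with `show conduit` and `show xlate` after a test connection: a working IPsec client should show one UDP/500 xlate for the concentrator's address and no PAT entries.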
Author Comment

by:Silas
ID: 6211268
Let me try to draw it out:

*****2500 (External router)*******
              ||
         *****PIX******
          ||        ||
       Private    VPN Concentrator
Expert Comment

by:jwalsh88
ID: 6213785
I am still not sure how you would do what lrmoore suggests. If you have nothing but layer 2 devices behind the firewall then you would have to set the default route to be the firewall. Then to get traffic through the VPN concentrator you would have to do some really funny stuff, and it would have been a waste because you have now taken more time and used more resources on the firewall than it would have taken to just use the firewall to do the VPN. I am not sure how this would work out; maybe lrmoore knows.

Also, why would you put the VPN concentrator behind the firewall and then give it a public IP address? I would just use a private one and have the firewall translate it to a public one.

I haven't worked much with the concentrators from Cisco so I don't know what security if any there is.  It will be a very secure device except it will be open to things like DoS attacks unless they have something in there for that.  I just don't know enough about what they can do.
Expert Comment

by:jwalsh88
ID: 6248363
Silas, made any decisions? I think the best one is easily to not even use the VPN concentrator. The PIX you have is a better VPN device and it will make things simpler in your network, which is good. You realize the VPN 3005 can only handle 100 simultaneous connections. That's not very good. That means if you have a lot of users there are going to be delays. The number on the PIX is much higher. And you don't have this routing issue (how to route VPN traffic to the VPN concentrator and the Internet traffic to the firewall). This problem is easily solved with a routing layer 3 device in your network, but you said you don't have one and don't plan on getting one.
Expert Comment

by:rcasteel
ID: 6339027
Are you running NAT? If you are, then the NAT engine may affect the tunnel. I have just installed a similar situation. The problems I ran into were not associated with the firewall but with the NAT working with the tunnel.

We put the tunnel on a DMZ so we could quarantine it in case of a breach.