Status: Solved

VPN Design question

I have a PIX 515 and a 3005 VPN Concentrator. The PIX has 3 interfaces, one for private (inside), one for public (outside) and a DMZ. What is the best approach for the concentrator? Should I put it in the DMZ and then create access-lists or conduits to it? Is there a recommended approach with this? If anyone has recently done this and knows which ports to allow etc., that would be great.
Asked: Silas
jwalsh88 Commented:
Here is how I would do it.

   External Router
         ||
******HUB/Switch******
  ||               ||
  ||               ||
  VPN          PIX Firewall
Concentrator       ||
  ||               ||
******Hub/Switch******
         ||
   Internal Router
         ||
   **Internal Network**

Have the internal router route traffic to external encryption domains to the VPN and use the default route for the PIX.
Silas (Author) Commented:
This is an option. Is there any benefit to hanging the VPN Concentrator off of the DMZ port on the PIX? Or is that just redundant and complicating things? One issue is that I do not have an internal router to work with.
lrmoore Commented:
Most of the VPN concentrators that I have set up have the public interface connected to a DMZ port on the PIX, and the private interface connected to a LAN switch. Use another private IP address range on the DMZ, and create a static NAT map on the PIX:
static (DMZ,outside) <public ip> <private ip>
You will need a conduit to allow all IP from DMZ to outside only.

jwalsh88 Commented:
That was going to be my suggestion if you don't want to use another router. The only thing is now all the traffic that goes over the VPN goes through the firewall when it doesn't need to. That will create overhead and a small amount of latency. I would really suggest getting rid of the VPN device since it is actually really slow and small as far as number of connections and speed while encrypted compared to the PIX. I would just use the PIX to terminate the VPN tunnels. But if you want to use both I would say go with lrmoore's solution. I would say though, if you don't have a routing device between the internal network and the 2 routers (VPN and firewall), then how do you route VPN traffic to the VPN device and all else to the firewall? lrmoore, maybe I am just having a brain fart, but I am also really tired.
Silas (Author) Commented:
lrmoore: I don't really need to have a static NAT entry for the VPN device, do I? I can simply NAT the private traffic off the other PIX interface and use public addressing on my VPN interface. Nevertheless, I still need to define some conduits to forward the appropriate traffic to the concentrator. I'm not sure which ports I need (I want PPTP, IPSec, & L2TP), but I want to make sure this works correctly.
jwalsh88: you are correct; however, since my VPN device will have a public IP, I am a little reluctant to totally expose it to the Internet. I would prefer to add a second layer of protection using the PIX and conduits sending only the required traffic to the concentrator. The question is, do people do this? And is it a valid config? lrmoore seems to think it is, but I just want to make sure.
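An added example, not taken from this thread, of what lrmoore's DMZ-hosted layout looks like as PIX 6.x configuration, with the filtering done by an access-list (the successor to the conduit syntax lrmoore mentions) and covering the PPTP, IPsec and L2TP ports Silas asks about. The interface name, address ranges and list name are placeholders.

```cisco
! Added example of the DMZ-hosted concentrator layout (PIX 6.x syntax); not from the thread.
! Placeholders: 203.0.113.10 = public VPN address, 192.168.50.10 = concentrator's DMZ-side address.
nameif ethernet2 dmz security50
ip address dmz 192.168.50.1 255.255.255.0

! One-to-one static so the concentrator's public interface is reachable behind the PIX.
! A static covers every IP protocol, so ESP (protocol 50) and GRE (47) translate as well as UDP/TCP.
! If the DMZ uses public addressing instead (Silas's variant), use an identity static:
!   static (dmz,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255

! Only VPN control and data traffic is admitted from the Internet to the concentrator.
! IPsec: IKE on UDP/500, ESP, and UDP/4500 for clients behind NAT (NAT-Traversal).
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit esp any host 203.0.113.10
access-list outside_in permit udp any host 203.0.113.10 eq 4500
! PPTP: the TCP/1723 control channel plus GRE for the tunnel itself.
access-list outside_in permit tcp any host 203.0.113.10 eq pptp
access-list outside_in permit gre any host 203.0.113.10
! L2TP: UDP/1701. L2TP-over-IPsec clients are already covered by the IPsec lines above.
access-list outside_in permit udp any host 203.0.113.10 eq 1701
! Everything else toward the DMZ host is dropped by the implicit deny at the end of the list.
access-group outside_in in interface outside

! DMZ to outside: the static above also supplies the translation for traffic the concentrator
! originates, which is what lrmoore's "allow all ip from DMZ to outside" conduit provides.
! The concentrator's private interface plugs into the inside LAN switch, not into the PIX,
! so decrypted traffic does not cross the firewall a second time.
```

Verify the filter with `show access-list outside_in` after a test connection of each type: only the matching line's hit counter should increment, and a scan of the public address from outside should show nothing but those six services.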
Silas (Author) Commented:
Let me try to draw it out:

*****2500 (External router)*******
              ||
         *****PIX******
          ||        ||
       Private    VPN Concentrator
jwalsh88 Commented:
I am still not sure how you would do what lrmoore suggests. If you have nothing but layer 2 devices behind the firewall, then you would have to set the default route to be the firewall. Then, to get traffic through the VPN concentrator, you would have to do some really funny stuff, and it would have been a waste because you have now taken more time and used more resources on the firewall than it would have taken to just use the firewall to do the VPN. I am not sure how this would work out; maybe lrmoore knows.

Also, why would you put the VPN concentrator behind the firewall and then give it a public IP address? I would just use a private one and have the firewall translate it to a public one.

I haven't worked much with the concentrators from Cisco, so I don't know what security, if any, there is. It will be a very secure device, except it will be open to things like DoS attacks unless they have something in there for that. I just don't know enough about what they can do.
jwalsh88 Commented:
Silas, made any decisions? I think the best one is easily to not even use the VPN concentrator. The PIX you have is a better VPN device and it will make things simpler in your network, which is good. You realize the VPN 3005 can only handle 100 simultaneous connections. That's not very good; that means if you have a lot of users there are going to be delays. The number on the PIX is much higher. And you don't have this routing issue (how to route VPN traffic to the VPN concentrator and the Internet traffic to the firewall). This problem is easily solved with a routing layer 3 device in your network, but you said you don't have one and don't plan on getting one.
rcasteel Commented:
Are you running NAT? If you are, then the NAT engine may affect the tunnel. I have just installed a similar situation. The problems I ran into were not associated with the firewall but with the NAT working with the tunnel.

We put the tunnel on a DMZ so we could quarantine it in case of a breach.