Solved

VPN Design question

Posted on 2001-06-19
296 Views
Last Modified: 2010-04-17
I have a PIX 515 and a 3005 VPN Concentrator.  The PIX has 3 interfaces, one for private (inside), one for public (outside) and a DMZ.  What is the best approach for the concentrator?  Should I put it in the DMZ and then create access-lists or conduits to it?  Is there a recommended approach with this?  If anyone has recently done this and knows which ports to allow, etc., that would be great.
Question by:Silas
9 Comments
 
LVL 4

Accepted Solution

by:
jwalsh88 earned 60 total points
ID: 6208190
Here is how I would do it.

   External Router
         ||
******HUB/Switch******
  ||               ||
  ||               ||
  VPN          PIX Firewall
Concentrator       ||
  ||               ||
******Hub/Switch******
         ||
   Internal Router
         ||
   **Internal Network**

Have the internal Router Route Traffic to External Encryption Domains to the VPN and use the default route for the PIX.
 

Author Comment

by:Silas
ID: 6208570
This is an option.  Is there any benefit to hanging the VPN Concentrator off of the DMZ port on the PIX?  Or is that just redundant and complicating things?  One issue is that I do not have an Internal router to work with.
 
LVL 79

Expert Comment

by:lrmoore
ID: 6208836
Most of the VPN concentrators that I have set up have the public interface connected to a DMZ port on the PIX, and the private interface connected to a LAN switch.  Use another private IP address range on the DMZ, and create a static NAT map on the PIX:
static (DMZ,outside) <public ip> <private ip>
You will need a conduit to allow all IP from DMZ to outside only.

 
LVL 4

Expert Comment

by:jwalsh88
ID: 6208890
That was going to be my suggestion if you don't want to use another router.  The only thing is now all the traffic that goes over the VPN goes through the firewall when it doesn't need to.  That will create overhead and a small amount of latency.  I would really suggest getting rid of the VPN device since it is actually really slow and small as far as number of connections and speed while encrypted compared to the PIX.  I would just use the PIX to terminate the VPN tunnels.  But if you want to use both I would say go with lrmoore's solution.  I would say, though, if you don't have a routing device between the internal network and the 2 routers (VPN and firewall), then how do you route VPN traffic to the VPN device and all else to the firewall?  lrmoore, maybe I am just having a brain fart, but I am also really tired.
 

Author Comment

by:Silas
ID: 6211252
lrmoore: I don't really need to have a static NAT entry for the VPN device, do I?  I can simply NAT the private traffic off the other PIX interface and use public addressing on my VPN interface.  Nevertheless, I still need to define some conduits to forward the appropriate traffic to the concentrator.  I'm not sure which ports I need (I want PPTP, IPSec, & L2TP), but I want to make sure this works correctly.
jwalsh88: you are correct; however, since my VPN device will have a public IP, I am a little reluctant to totally expose it to the Internet.  I would prefer to add a second layer of protection using the PIX and conduits sending only the required traffic to the concentrator.  The question is, do people do this?  And is it a valid config?  lrmoore seems to think it is, but I just want to make sure.
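As an added example (not posted by anyone in this thread), here is a PIX 6.x configuration fragment for the layout lrmoore describes, with the inbound rules for the three protocols Silas asks about (PPTP, IPsec, L2TP).  All addresses, interface names and the access-list name are assumptions made for the example: the concentrator's public interface sits on the dmz interface as 192.168.10.10 and is presented to the Internet as 203.0.113.10.

```cisco
! PIX 6.x example (assumed addressing, not from the original thread).
! Security levels decide the default flow: a higher-security interface may
! initiate to a lower one once a translation exists; the reverse direction
! needs an explicit access-list (or conduit) permit.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! One-to-one static for the concentrator's public interface.
! ESP (50) and GRE (47) carry no port numbers, so this must be a 1:1
! static, not a PAT/global pool; PAT cannot track them and the tunnels
! will not come up.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255 0 0

! Inbound from the Internet: only what the VPN protocols need.
! IPsec: IKE on UDP/500 plus ESP (IP protocol 50). Add AH (51) only if used.
access-list outside_in permit udp any host 203.0.113.10 eq 500
access-list outside_in permit esp any host 203.0.113.10
! NAT-Traversal encapsulates ESP in UDP/4500; open it only if the
! concentrator has NAT-T enabled.
access-list outside_in permit udp any host 203.0.113.10 eq 4500
! PPTP: TCP/1723 control channel plus GRE (IP protocol 47) for the data.
access-list outside_in permit tcp any host 203.0.113.10 eq 1723
access-list outside_in permit gre any host 203.0.113.10
! L2TP: UDP/1701. L2TP/IPsec clients also need the IPsec lines above.
access-list outside_in permit udp any host 203.0.113.10 eq 1701
access-group outside_in in interface outside

! The same permits in the older conduit syntax (global address first).
! Cisco recommends using either access-lists or conduits, not both.
! conduit permit udp host 203.0.113.10 eq 500 any
! conduit permit esp host 203.0.113.10 any
! conduit permit udp host 203.0.113.10 eq 4500 any
! conduit permit tcp host 203.0.113.10 eq 1723 any
! conduit permit gre host 203.0.113.10 any
! conduit permit udp host 203.0.113.10 eq 1701 any
```

Two caveats a practitioner would check before going live.  First, the concentrator's IKE identity is its real address (192.168.10.10 here), not the translated one; if that causes identity mismatches with a given client, the alternative Silas proposes, public addressing on the DMZ, works by replacing the static above with an identity translation (`static (dmz,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255 0 0`), keeping the same inbound access-list.  Second, PIX 6.x will not forward a packet back out the interface it arrived on, so pointing a `route inside` at the concentrator's private interface for the remote-client pool does not work for hosts whose default gateway is the PIX; allocating the client pool out of the inside subnet (so the concentrator answers ARP for those addresses) or adding host routes avoids the layer 3 device jwalsh88 mentions.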
 

Author Comment

by:Silas
ID: 6211268
let me try to draw it out:

*****2500 (External router)*******
              ||
         *****PIX******
          ||        ||
       Private    VPN Concentrator
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6213785
I am still not sure how you would do what lrmoore suggests.  If you have nothing but layer 2 devices behind the firewall, then you would have to set the default route to be the firewall.  Then to get traffic through the VPN concentrator you would have to do some really funny stuff, and it would have been a waste because you have now taken more time and used more resources on the firewall than it would have taken to just use the firewall to do the VPN.  I am not sure how this would work out; maybe lrmoore knows.

Also, why would you put the VPN concentrator behind the firewall and then give it a public IP address?  I would just use a private one and have the firewall translate it to a public one.

I haven't worked much with the concentrators from Cisco, so I don't know what security, if any, there is.  It will be a very secure device, except it will be open to things like DoS attacks unless they have something in there for that.  I just don't know enough about what they can do.
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6248363
Silas, made any decisions?  I think the best one is easily to not even use the VPN concentrator.  The PIX you have is a better VPN device and it will make things simpler in your network, which is good.  You realize the VPN 3005 can only handle 100 simultaneous connections.  That's not very good; that means if you have a lot of users there are going to be delays.  The number on the PIX is much higher.  And you don't have this routing issue (how to route VPN traffic to the VPN concentrator and the Internet traffic to the firewall).  This problem is easily solved with a routing layer 3 device in your network, but you said you don't have one and don't plan on getting one.
 
LVL 3

Expert Comment

by:rcasteel
ID: 6339027
Are you running NAT?  If you are, then the NAT engine may affect the tunnel.  I have just installed a similar situation.  The problems I ran into were not associated with the firewall but with the NAT working with the tunnel.

We put the tunnel on a DMZ so we could quarantine it in case of a breach.
