Solved

VPN Design question

Posted on 2001-06-19
Last Modified: 2010-04-17
I have a PIX 515 and a 3005 VPN Concentrator.  The PIX has 3 interfaces, one for private (inside), one for public (outside) and a DMZ.  What is the best approach for the concentrator?  Should I put it in the DMZ and then create access-lists or conduits to it?  Is there a recommended approach with this?  If anyone has recently done this and knows which ports to allow etc., that would be great.
Question by:Silas
9 Comments

Accepted Solution

by:
jwalsh88 earned 60 total points
Here is how I would do it.

   External Router
         ||
******HUB/Switch******
  ||               ||
  ||               ||
  VPN          PIX Firewall
Concentrator       ||
  ||               ||
******Hub/Switch******
         ||
   Internal Router
         ||
   **Internal Network**

Have the internal Router Route Traffic to External Encryption Domains to the VPN and use the default route for the PIX.

Author Comment

by:Silas
This is an option.  Is there any benefit to hanging the VPN Concentrator off of the DMZ port on the PIX?  Or is that just redundant and complicating things?  One issue is that I do not have an Internal router to work with.

Expert Comment

by:lrmoore
Most of the VPN concentrators that I have set up have the public interface connected to a DMZ port on the PIX, and the private interface connected to a LAN switch.  Use another private IP address range on the DMZ, and create a static NAT map on the PIX:
static (DMZ,outside) <public ip> <private ip>
You will need a conduit to allow all IP from DMZ to outside only.


Expert Comment

by:jwalsh88
That was going to be my suggestion if you don't want to use another router.  The only thing is now all the traffic that goes over the VPN goes through the firewall when it doesn't need to.  That will create overhead and a small amount of latency.  I would really suggest getting rid of the VPN device since it is actually really slow and small as far as number of connections and speed while encrypted compared to the PIX.  I would just use the PIX to terminate the VPN tunnels.  But if you want to use both I would say go with lrmoore's solution.  I would say though, if you don't have a routing device between the internal network and the 2 routers (VPN and firewall), then how do you route VPN traffic to the VPN device and all else to the firewall?  lrmoore, maybe I am just having a brain fart, but I am also really tired.

Author Comment

by:Silas
lrmoore: I don't really need to have a static NAT entry for the VPN device, do I?  I can simply NAT the private traffic off the other PIX interface and use public addressing on my VPN interface.  Nevertheless, I still need to define some conduits to forward the appropriate traffic to the concentrator.  I'm not sure which ports I need (I want PPTP, IPSec, & L2TP), but I want to make sure this works correctly.
jwalsh88: you are correct; however, since my VPN device will have a public IP, I am a little reluctant to totally expose it to the Internet.  I would prefer to add a second layer of protection using the PIX and conduits sending only the required traffic to the concentrator.  The question is, do people do this?  And is it a valid config?  lrmoore seems to think it is, but I just want to make sure.
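A PIX 6.x fragment that puts lrmoore's static/conduit suggestion together with the PPTP, IPSec and L2TP ports Silas asks about; it is an added example, not configuration posted by anyone in the thread. It assumes the DMZ interface is named dmz, and the addresses (203.0.113.10 on the outside, 192.168.10.10 on the DMZ) are constructed placeholders.

```cisco
! Constructed example (PIX 6.x syntax); addresses are placeholders.
!   203.0.113.10  = public address remote users dial in to
!   192.168.10.10 = concentrator's public interface, sitting on the PIX DMZ
! The concentrator's private interface plugs into the inside LAN switch.

! One-to-one static NAT for the concentrator. No port translation takes
! place, so ESP and GRE (which have no ports) pass through unchanged.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255 0 0

! IPsec: IKE on UDP/500 plus ESP (IP protocol 50)
conduit permit udp host 203.0.113.10 eq 500 any
conduit permit esp host 203.0.113.10 any
! Only if the concentrator also uses AH (IP protocol 51):
conduit permit ah host 203.0.113.10 any
! Only if remote clients behind NAT use IPsec NAT traversal (UDP/4500):
conduit permit udp host 203.0.113.10 eq 4500 any

! PPTP: control channel TCP/1723 plus GRE (IP protocol 47)
conduit permit tcp host 203.0.113.10 eq 1723 any
conduit permit gre host 203.0.113.10 any

! L2TP/IPsec rides inside the IPsec tunnel, so the IKE/ESP lines already
! cover it. Open UDP/1701 only for plain L2TP without IPsec:
conduit permit udp host 203.0.113.10 eq 1701 any

! Everything else from the outside to the DMZ stays blocked by default;
! the DMZ-to-outside direction is allowed by the interface security levels.
```

This covers only inbound access through the PIX and does not answer jwalsh88's routing concern: a PIX 6.x does not forward traffic back out the interface it arrived on, so inside hosts still need a route (on a layer-3 device or on the hosts themselves) pointing the remote VPN address pool at the concentrator's private interface.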

Author Comment

by:Silas
let me try to draw it out:

*****2500 (External router)*******
              ||
         *****PIX******
          ||        ||
       Private    VPN Concentrator

Expert Comment

by:jwalsh88
I am still not sure how you would do what lrmoore suggests.  If you have nothing but layer 2 devices behind the firewall then you would have to set the default route to be the firewall.  Then to get traffic through the VPN concentrator you would have to do some really funny stuff, and it would have been a waste because you have now taken more time and used more resources on the firewall than it would have taken to just use the firewall to do the VPN.  I am not sure how this would work out; maybe lrmoore knows.

Also, why would you put the VPN concentrator behind the firewall and then give it a public IP address?  I would just use a private one and have the firewall translate it to a public one.

I haven't worked much with the concentrators from Cisco so I don't know what security if any there is.  It will be a very secure device except it will be open to things like DoS attacks unless they have something in there for that.  I just don't know enough about what they can do.

Expert Comment

by:jwalsh88
Silas, made any decisions?  I think the best one is easily to not even use the VPN concentrator.  The PIX you have is a better VPN device and it will make things simpler in your network, which is good.  You realize the VPN 3005 can only handle 100 simultaneous connections?  That's not very good.  That means if you have a lot of users there are going to be delays.  The number on the PIX is much higher.  And you don't have this routing issue (how to route VPN traffic to the VPN concentrator and the internet traffic to the firewall).  This problem is easily solved with a routing layer 3 device in your network, but you said you don't have one and don't plan on getting one.

Expert Comment

by:rcasteel
Are you running NAT?  If you are, then the NAT engine may affect the tunnel.  I have just installed a similar situation.  The problems I ran into were not associated with the firewall but with the NAT working with the tunnel.

We put the tunnel on a DMZ so we could quarantine it in case of a breach.