?
Solved

VPN Concentrator 3005 Placement

Posted on 2007-04-11
1
Medium Priority
?
364 Views
Last Modified: 2008-01-09
My current Network is as follows:-

Router (X.X.X.129)  >  PIX 515e (X.X.X.131)  >  LAN (10.1.1.0\24)

At present I am using the Cisco VPN Software Client 4.8 to connect to the PIX using IP address X.X.X.131, which then enables users to connect to any server /  host on the 10.1.1.0 network (ports 500 and 4500 have an ACL to forward for NAT transparency)

FTP connections point to the IP address X.X.X.135 (using static route and ACL to pass port 21 to FTP server on 10.1.1.2

SMTP connection point to the IP Address X.X.X.133 (using static route and ACL to pass port 25 to Barracuda Spam Firewall on 10.1.1.5)

WWW / HTTPS connections point to the IP address X.X.X.132 (using static route and ACL to pass ports 80/443 to Exchange Server 10.1.1.9)

Now throw into the mix a donation of 3005 VPN Concentrator and a few 3002 Clients (for remote hosts).

My problem is where do I place the 3005?  

Ultimately, I want to remove the VPN tunneling from the PIX and have the 3005 handle all this and the pix just block or forward traffic.  However, do I place the 3005 between the router and the pix, or do I assign another public IP, say X.X.X.136 to the DMZ port of the PIX and connect the 3005 there.

Any insight / logic would be appreciated.

0
Comment
Question by:zejoka
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 28

Accepted Solution

by:
batry_boy earned 1500 total points
ID: 18902411
I've seen it done both ways.  I've personally implemented more VPN 3005 concentrators placed right beside the firewall rather than behind it in the DMZ. This doesn't mean put it between the router and the PIX, but right beside the PIX where the public interface of the VPN 3005 would be on the same subnet as the PIX public interface, and the VPN 3005 private interface would be on the same subnet as the PIX private interface.  This makes for easier implementation since you won't have to modify any firewall rules to get it working.

The VPN 3005 is a hardened appliance like the firewall, but will only accept connections from a VPN client...in other words, you cannot configure it to forward traffic inbound based on ACL's or anything like that.  It is strictly meant for VPN traffic.  So I don't see a problem putting giving it a public address on it's public interface.
0

Featured Post

Ransomware Attacks Keeping You Up at Night?

Will your organization be ransomware's next victim?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with our Ransomware Prevention Kit!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses
Course of the Month13 days, 14 hours left to enroll

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question