Standard answer: it depends.

Followed immediately by the standard question: what problem are you 
trying to solve?

The VPN Concentrator does not firewall or filter; it is a specialized 
tunnel termination device. You may (emphasis on may) need to use it 
when you are terminating more than about 20 tunnels. That depends on 
how active the tunnels are and what else your firewall is doing -- how 
much other work must it do filtering how much other traffic?

The Concentrator does offer AES and DH Group 7 (the latter is useful 
if the other end of the tunnel is a client which can support ECC, but 
not many can).

You need a firewall between you and the Internet. Have a look at the 
SMR SAFE Blueprint, here:
http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a008009c8a0.shtml
 


If you do decide to use a Concentrator, people may differ, but I 
recommend terminating your tunnels outside the firewall. If you don't, 
the firewall must either work at the traffic to inspect it properly 
(which in fact makes it work even harder to re-encrypt, etc. to send it 
to the Concentrator) or you poke a big hole in the firewall by 
accepting traffic that "looks like" it ought to be a part of the 
tunnel.  If your LAN receives public traffic (is there a public-facing 
server, any kind of mini-DMZ?), then you will want a switch to send 
tunnel traffic to the Concentrator and all other traffic to the 
firewall. Looks sort of like this:

                  Concentrator
                 /            \
Internet---switch--------------firewall---LAN

HTH

Annlee

Mr piyush shah wrote:
> Hello all
> Can I know what is the Cisco PIX and that of a Cisco
> VPN 3000 in terms of performance?
> As I am planning to implement VPN with either VPN
> Concentrator or PIX, however I was told that if you
> implement only VPN Concentrator instead of PIX, then
> you may get VPN connectivity but you will not be able
> to implement the filtering functionalities which are
> required. In case of PIX I may get both VPN as well as
> filtering of unwanted traffic, thereby chances of
> hacking sessions are less.
> Is this true?
> I am confused. Kindly help me.
> Also which one should consider to be the best scenario
> for implementation?
> I am giving the 3 scenarios below. If there is any
> scenario better than this pls let me know with the
> pros and cons of that one. Also request you to let me know
> the pros and cons of these scenarios also.
> Thanks in advance.
> 
> Scenario I         Scenario II       Scenario
>
>      Internet        Internet         Internet
>        |                |                |
>   VPN Concentrator   Firewall        Firewall--VPN
>        |                |                |   Concntrtr
>        |                |                |       |
>       LAN              VPN              LAN _____|
>                    Concentrator
> **Please support GroupStudy by purchasing from the GroupStudy Store:
> http://shop.groupstudy.com
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=75241&t=75235