Hi

I can't say if this is "best practice" or not... but it is what I have deployed
before, and it worked well for the problems/needs I was trying to solve.

Personally I like having the inside interface of the VPN on an interface on
the PIX that is not quite trusted, e.g. a vendor network, and the outside
interface of the VPN box in a DMZ protected by the PIX.

The big advantage of having the VPN inside interface on a "not quite
trusted" interface is traffic control and access control to specific hosts
on the inside of the PIX. For example, say you had a bunch of non-employees
that needed access to a web server, and only that web service and nothing
else, and you did not want to punch a hole in the PIX for them for whatever
reason. You could use a unique IP range for the VPN users and then use ACLs
on the PIX to allow them access only to the web server. You could assign
another IP range to a different group of users that would allow access to
other areas, all nicely controlled by the PIX.

The disadvantage here is the VPN user maintenance and IP management. For
example, you have a user that needs to have access to hosts that belong to
two different policies/groups at the same time, i.e., that are passed through
the PIX based on different IP ranges. Now you end up having to create a third
group that can access both sets of hosts, and so on and so on. This can lead
to a nightmarish full-time job managing the VPN box and the resulting IP
networks you create for each group. In a dynamic environment it is a
problem, but in a pretty much static environment it is not bad to maintain
at all.

The advantage of having the outside VPN interface in a DMZ is that you can
protect it from DoS and other attacks. It also helps for controlling
management access to the VPN device, e.g. only allowing SSH or HTTP from a
fixed IP. Can you tell I hate to drive to work at 3am when I could be doing
it in my bathrobe from home ;-)

The disadvantage is that there is a bit more to the PIX config to pass the
traffic you want.

For links, go to www.cco.com and look at the TAC configuration guides for VPN
and PIX. Lots of examples to work from.

HTH
--
John Hardman CCNP MCSE


"SH Wesson" wrote in message news:[EMAIL PROTECTED]...
> Where is the best place to install a VPN box - vpn inside interface behind
> the pix, vpn outside interface behind the pix, vpn outside to internet, vpn
> inside to lan, etc. What should be the best practice, and if someone can
> point out a link where I can see some configuration I would appreciate it.
> Thank you.

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=15398&t=15375
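The layout John describes (VPN box outside interface in a DMZ, VPN box inside interface on a lower-security "vendor" interface, one client address pool per user group, and PIX ACLs doing the per-group access control) as a PIX 6.x-style configuration fragment. This is an added example, not part of the post above and not taken from Cisco's configuration guides. Interface names, security levels, the RFC 1918 / RFC 5737 addresses, the three client pools and the host 172.16.10.5 are all assumptions made for illustration; check the exact command syntax against the PIX command reference for your software version.

```text
! Added example, PIX 6.x style. All names and addresses are made up.
! Interfaces: outside (Internet), dmz (holds the VPN box outside interface),
! vendor (holds the VPN box inside interface, "not quite trusted"), inside (LAN).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security20
nameif ethernet3 vendor security50

ip address outside 203.0.113.1 255.255.255.0
ip address inside 172.16.0.1 255.255.0.0
ip address dmz 192.168.1.1 255.255.255.0
ip address vendor 192.168.50.1 255.255.255.0

! --- Part 1: VPN box outside interface (192.168.1.10) sits in the DMZ ---
! Publish it on one fixed outside address; only IKE and ESP are allowed in,
! so the PIX absorbs everything else aimed at the VPN box.
static (dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit esp any host 203.0.113.10
! Management of the VPN box from the Internet: SSH only, from one fixed IP
! (198.51.100.7 stands in for the admin's home address).
access-list outside_in permit tcp host 198.51.100.7 host 203.0.113.10 eq ssh
access-list outside_in deny ip any any
access-group outside_in in interface outside

! --- Part 2: VPN box inside interface (192.168.50.10) sits on "vendor" ---
! Client pools handed out by the VPN box, one per group (assumed values):
!   10.200.1.0/24  "web-only"  -> web server 172.16.10.5, tcp/80 only
!   10.200.2.0/24  "app-team"  -> whole app subnet 172.16.20.0/24
!   10.200.3.0/24  "web+app"   -> both (the "third group" the post warns about)
! Return traffic for the pools goes back to the VPN box.
route vendor 10.200.0.0 255.255.0.0 192.168.50.10 1
! Traffic from the lower-security vendor interface into inside needs a
! static; identity statics expose the hosts without translating them.
static (inside,vendor) 172.16.10.5 172.16.10.5 netmask 255.255.255.255
static (inside,vendor) 172.16.20.0 172.16.20.0 netmask 255.255.255.0
! Per-pool access control is enforced here, on the PIX, not on the VPN box.
access-list vendor_in permit tcp 10.200.1.0 255.255.255.0 host 172.16.10.5 eq www
access-list vendor_in permit ip 10.200.2.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list vendor_in permit tcp 10.200.3.0 255.255.255.0 host 172.16.10.5 eq www
access-list vendor_in permit ip 10.200.3.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list vendor_in deny ip any any
access-group vendor_in in interface vendor
```

The two explicit `deny ip any any` lines restate the PIX's implicit deny so that hits show up in the logs. The 10.200.3.0/24 pool and its duplicated ACL lines are the maintenance cost the post describes: every combination of policies a user needs becomes another pool plus another set of statics and ACL entries on the PIX. If the VPN box does NAT traversal, udp/4500 must be permitted on `outside_in` as well.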