Presumably, when traversing through the PIX, you will be translating from a
private DMZ address to a Public address.  This would require the "IPSEC
through NAT" option enabled on the VPN 3000, correct?

I have seen several writings stating that using IPSEC through NAT can be a
security concern.  I don't remember the specifics of the concerns though.
Would you share that viewpoint or have you seen it to not be a problem?

- JT

-----Original Message-----
From: Yonkerbonk [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 13, 2001 12:43 PM
To: [EMAIL PROTECTED]
Subject: Re: VPN 3000 design and PIX [7:15653]


Though some Cisco documentation says to put it in
parallel to the PIX, Cisco actually prefers three ways
and they all require you to go through the PIX.
One way is to have the public interface of the VPN to
be in the DMZ. This way the only traffic that hits the
VPN has been through the firewall already. The second
way is to have the private interface of the VPN to be
on the DMZ. This way unencrypted traffic is forced
through the PIX for inspection. The third and best way
is to have both the private and public interface be on
two different DMZs, so that both encrypted and
unencrypted traffic is forced through PIX inspection.
It's all a matter of how many interfaces you have for
DMZs.

Michael Le, CCIE #6811
--- Tom Richs wrote:
> Can someone tell me if I have a PIX in place, where
> should I install my VPN 3000 box (in front of the pix,
> behind the pix, parallel, in the dmz on the pix, etc).
> Also, I can't seem to find any documentation that has
> how to do it or how to configure each component.  Any
> help especially with configuration on both would be
> greatly appreciated.
> Thanks.
> 
> Tom
> 






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=15896&t=15653