I am in agreement. Why put the external nic in the DMZ at all?

- connect a hub to your router
- Firewall external nic gets connected to hub
- concentrator external nic gets put into hub
- both internal nics get connected to switch (Secure LAN)
As far as I know, this is the manufacturer's suggested practice, and the most reasonable... After this, you point the packets where they are supposed to go :-) Just make sure you only allow those authorized into your concentrator. IMO, it is best to use the DMZ for things it is good for... Such as Web servers ;-)

Regards,
Marshal

-----Original Message-----
From: Patrick Ramsey [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 28, 2002 11:03 AM
To: [EMAIL PROTECTED]
Subject: Re: VPN Design [7:44953]

Well, have you thought this setup through? I mean... if you are placing the vpn device's external nic in the dmz, and its internal nic on your lan, you are defeating your firewall. You still have to allow access into the vpn device (which is the same as having it on the outside). If you really want to have the double protection, you should think about placing the vpn's external nic on the outside and creating a tunnel through the dmz. (Of course this also defeats your firewall, but at least you can set the pix to only tunnel from the vpn device.)

But at this point, it's a trust game. You trust your firewall to protect your corporate lan, right? Why would you not trust your vpn device?

There's nothing wrong with running parallel firewalls or vpn scenarios. I'm pretty sure I can come up with a list of pros and cons for both. In the end you'll probably find them to be 50/50. Of course, running in parallel may actually cause issues for your clients on the outside. If the concentrator is not the default route, then you may run into asymmetric routing problems.

You might try just using one nic in the concentrator too. Unless you are in a scenario that requires high speed routing, chances are that t1 to the internet is not going to bog down your vpn device.

Just some tidbits to think about.

-Patrick

>>> "neil K." 05/24/02 11:10AM >>>
Hi All,

1. Could anyone please tell me what needs to be done on the PIX firewall if the Cisco VPN concentrator is placed in such a way that the public interface is in the DMZ and the private interface is on the inside network.

2. This design of placing the Concentrator in the DMZ is a little complex as compared to keeping the Concentrator parallel to the Firewall, which has security risks. Also, in the case of the parallel design the concentrator public address has to be in the same IP subnet as the Firewall and the External Router (if I am not wrong). Can this be overcome by placing the Concentrator in the DMZ?

3. Does the firewall need some routing capability so that it can route encrypted packets to go thru the concentrator, or can it be done by adding routes on the servers pointing to the concentrator?

4. What will have to be done if there are some AS-400 servers and we are planning to use IPsec?

Any help will be highly appreciated.

Thanks,
Neil
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45386&t=44953
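Neil asked what the PIX needs when the concentrator's public interface sits in the DMZ, and Marshal's advice was to allow only authorized traffic into it; the fragment below is an added example, not from anyone in this thread, showing the narrowest PIX 6.x rule set for that: a one-to-one static for the concentrator's public address plus an inbound ACL limited to ISAKMP (UDP 500), NAT-T (UDP 4500) and ESP. The interface names and all addresses are constructed placeholders; note that because the concentrator's private interface is on the inside LAN, the decrypted return path never crosses the PIX, which is the asymmetric routing Patrick warned about.

```cisco
! Added example, not from the thread. Addresses and interface names are constructed.
! 203.0.113.10   = public (outside) address remote clients connect to
! 192.168.100.10 = concentrator public interface, on the DMZ segment

! Map the public address one-to-one to the concentrator's DMZ interface.
static (dmz,outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255

! Permit only what IPsec needs from the Internet to the concentrator;
! everything else destined for the DMZ host stays denied by default.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit udp any host 203.0.113.10 eq 4500
access-list outside_in permit esp any host 203.0.113.10

! Apply the list inbound on the outside interface.
access-group outside_in in interface outside
```

Check the result with `show access-list outside_in` after some client connections: only the three IPsec entries should show hit counts, and any other inbound attempts toward 203.0.113.10 should appear as denies in the PIX log.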