I usually put them in parallel. This means that the two devices do their job independently of each other. If you put the PIX between the VPN Concentrator and the internet, all the traffic for the site will pass through it. If it is parallel, the VPN Clients and LAN-LAN tunnels will terminate on the VPN concentrator, allowing the PIX to concentrate its processing power on the primary task that it is for. Both devices provide security and firewalling to a certain degree; it's just horses for courses as to which does which bit better.

Steve Wilson
Network Engineer

-----Original Message-----
From: Chris Penrose [mailto:[EMAIL PROTECTED]]
Sent: 04 March 2003 19:27
To: [EMAIL PROTECTED]
Subject: 3000 Concentrator behind/in front or parallel to PIX? [7:64383]

Hi All,

I am setting up a VPN to connect remote sites to a Head Office. The head office has a VPN 3000 Concentrator and a PIX 515 Firewall. As I understand it, I can place the PIX in front of, behind, or in parallel to the 3000. I was wondering if anyone that has done this has any recommendations as to the best place for the PIX, or any advantages/disadvantages of placement.

I am thinking in front, but I am unsure what repercussions this will have with regard to access across the VPN. I need all IP through the VPN tunnels for each site, so with the PIX in front I would be setting up a static to the outside interface of the 3000 and adding the following ACLs:

    Access-list 100 permit ah any vpn3k
    Access-list 100 permit esp any vpn3k
    Access-list 100 permit udp any vpn3k eq isakmp

Would I still need ACLs on the PIX to allow all other IP from each site? Or should I place the PIX somewhere else?

Any advice appreciated.

Thanks,
Chris.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64455&t=64455

