When deploying my VPN3000, I have put it behind the Pix firewall (i.e. on a
DMZ), and I only allow IPSEC / ISAKMP through the pix to the VPN3K.  I
guess it depends on how much traffic you are expecting to pass over the VPN;
obviously in my setup, all traffic now has to go through the pix, but, in
my case, vpn access is only used for telecommuters and as such, traffic is
very low.  If you had large amounts of traffic, I would consider putting it
in parallel with the Pix.
Cheers
Troy

Chris Penrose wrote:
> 
> Hi All, I am setting up a VPN to connect remote sites to a Head Office. The
> head office has a VPN 3000 Concentrator and a PIX 515 Firewall. As I
> understand it I can place the PIX in front/behind or in parallel to the
> 3000. I was wondering if anyone that has done this has any recommendations
> as to the best place for the PIX or any advantages/disadvantages of
> placement. I am thinking in front but I am unsure what repercussions this
> will have with regard to access across the VPN. I need all IP through the
> vpn tunnels for each site, so with the PIX in front I would be setting up a
> static to the outside interface of the 3000 and adding the following ACLs:
>
> Access-list 100 permit ah any vpn3k
> Access-list 100 permit esp any vpn3k
> Access-list 100 permit udp any vpn3k eq isakmp
>
> Would I still need ACLs on the PIX to allow all other IP from each site?
> Or should I place the PIX somewhere else?
> 
> any advice appreciated.
> 
> thanks
> 
> Chris.
> 
> 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64458&t=64383
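
An added example, not part of either post: a small Python model of the three ACL entries quoted above, evaluated against constructed packets as a firewall in front of the concentrator would see them. The addresses 192.0.2.10 (standing in for "vpn3k") and 198.51.100.7 (a remote site gateway) are placeholders, and NAT is not modelled. It shows that in IPsec tunnel mode the sites' IP traffic reaches the firewall wrapped in ESP, so it is matched on the outer header only.

```python
from dataclasses import dataclass
from typing import Optional

# IANA IP protocol numbers
AH, ESP, UDP, TCP = 51, 50, 17, 6
VPN3K = "192.0.2.10"      # placeholder for the name "vpn3k" in the post
SITE_GW = "198.51.100.7"  # placeholder remote-site VPN gateway


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                   # protocol of the OUTER IP header
    dport: Optional[int] = None  # only meaningful for UDP/TCP
    inner: str = ""              # encrypted payload, opaque to the firewall


# The three entries from the post: (protocol, destination, destination port).
ACL_100 = [(AH, VPN3K, None), (ESP, VPN3K, None), (UDP, VPN3K, 500)]


def acl_permits(pkt, acl=ACL_100):
    """First match permits; anything unmatched falls to the implicit deny."""
    for proto, dst, dport in acl:
        if pkt.proto == proto and pkt.dst == dst and dport in (None, pkt.dport):
            return True
    return False


def encapsulate(inner_desc, gateway=SITE_GW):
    """Tunnel mode: the site's packet is carried inside ESP between gateways."""
    return Packet(src=gateway, dst=VPN3K, proto=ESP, inner=inner_desc)


# Constructed sample traffic arriving on the firewall's outside interface.
SAMPLES = {
    "IKE negotiation (udp/500)": Packet(SITE_GW, VPN3K, UDP, 500),
    "site SMB traffic inside the tunnel": encapsulate("tcp/445 to head office"),
    "site ICMP inside the tunnel": encapsulate("icmp echo to head office"),
    "unencrypted tcp/445 sent straight at vpn3k": Packet(SITE_GW, VPN3K, TCP, 445),
    "udp/500 to some other host": Packet(SITE_GW, "192.0.2.99", UDP, 500),
}


def evaluate(samples=SAMPLES):
    return {name: acl_permits(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{'permit' if ok else 'deny  '}  {name}")
```

Traffic that leaves the concentrator decrypted is a separate path; whether it crosses the firewall again depends on where the concentrator's private interface is connected.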