Chris, It is simpler to set them up in parallel. Just make sure the VPN3000 is setup to only respond to VPN traffic so it isn't a security risk and you're done. The PIX in front won't provide any additional protection because of the ACL's you have to use to allow the traffic through to the 3000.
So in general with the PIX in front you just add another hop, clutter the PIX config with ACL's and Static commands for each connecton and provide little extra security. Hope this helps, Scott --- On Tue 03/04, Chris Penrose wrote: From: Chris Penrose [mailto: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Date: Tue, 4 Mar 2003 19:26:53 GMT Subject: 3000 Concentrator behind/in front or parallel to PIX? [7:64383] Hi All, I am setting up a VPN to connect remote sites to a Head Office, the head office has a VPN 3000 Concentrator and a PIX 515 Firewall, As I understand it I can place the PIX in front/behind or in Parallel to the 3000 . I was wondering if anyone that has done this has any recommendations as to the best place for the PIX or any advantages/disadvantages of placement. I am thinking in front but I am unsure what repercussions this will have with regard to access across the VPN. I need all IP through the vpn tunnels for each site, so with the PIX in front I would be setting up a static to the outside interface of the 3000 and adding the following acl's Access-list 100 permit ah any vpn3k Access-list 100 permit esp any vpn3k Access-list 100 permit udp any vpn3k eq isakmp Would I still need acl's on the PIX to allow all other IP from each site? Or should I place the PIX somewhere else. any advice appreciated. thanks Chris. _______________________________________________ Join Excite! - http://www.excite.com The most personalized portal on the Web! Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65400&t=65400 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]