Fwd: Is this OK to implement? IPSec, PIX, VPN 3000

From: Chuck Balik (cbalik@cox.net)
Date: Thu Sep 26 2002 - 10:21:37 GMT-3


>Date: Thu, 26 Sep 2002 08:50:45 -0400
>To: ccielab@groupstudy.com, security@groupstudy.com
>From: Chuck Balik <cbalik@cox.net>
>Subject: Is this OK to implement? IPSec, PIX, VPN 3000
>
>Customer wants to put the VPN3000 (both interfaces) and the network services
>(DHCP/DNS/Mail proxy/Radius ACS) in one DMZ. The VPN users will come from
>outside of the PIX and from the PSTN into the AS (it is in the DMZ behind the PIX)
>and into the DMZ. The first problem I had was to put the VPN3000's two interfaces,
>outside and inside, in the same subnet. I did not try the configs yet
>because I don't have the equipment. I will be having them soon, but I am
>trying to verify and get some solution ideas on this design. I just
>assumed that I cannot put both VPN3000 interfaces in the same subnet. So
>I did end up putting a router in the DMZ. The router is separating the VPN3000
>(outside interface) in one subnet. All the network services are behind
>the router in the DMZ in the other subnet. The VPN3000's internal
>interface will go behind the router to the other subnet in the DMZ.
>The question is, only one port on the PIX is utilized for this design. IPSec
>traffic coming from the Internet has to bypass the PIX into the DMZ, go through the
>router into the second subnet of the DMZ and terminate at the VPN3000. Then
>unencrypted traffic comes out of the VPN3000, goes back to the other subnet of the
>DMZ and goes to the PIX (the same interface that the IPSec bypassed) to WWW. The VPN
>client that will be used is the Cisco VPN 3000 Client.
>Does this work? Are there any security concerns or config concerns? Any
>input appreciated!! Any sample configs for PIX?
>
>Take Care
>
>
>|
>|
>|
>Pix-----switch------router------VPN3000
> | |
> | |
> | ---------------------------DHCP/Radius
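The poster asks for a sample PIX config for the design above. The fragment below is an added example written for this page, not something from the original post or from Cisco; it assumes PIX 6.x syntax, a single DMZ interface on the PIX, and addresses chosen for illustration: 203.0.113.0/24 as the public block, 192.168.1.0/24 as the DMZ subnet the PIX sits on (DMZ router at .254, VPN3000 private interface at .10), 192.168.2.0/24 as the subnet behind the DMZ router where the VPN3000 public interface (.10) lives, and 192.168.50.0/24 as the address pool the VPN3000 hands to clients. Interface names, addresses and ACL names are all assumptions.

```cisco
! Added example (PIX 6.x). All addresses and names are assumed for illustration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0

! Default route to the Internet; the second DMZ subnet is reached via the DMZ router
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route dmz 192.168.2.0 255.255.255.0 192.168.1.254 1
! Decrypted client traffic is sourced from the VPN pool behind the VPN3000
! private interface, so the PIX needs a route back to it
route dmz 192.168.50.0 255.255.255.0 192.168.1.10 1

! Publish the VPN3000 public interface on a spare public address
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255

! Let only IKE and ESP from the Internet reach it. The UDP 4500 (NAT-T) and
! UDP 10000 (IPSec over UDP) lines are only needed if clients sit behind NAT
! and the VPN3000 is configured for those encapsulations.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit esp any host 203.0.113.10
access-list outside_in permit udp any host 203.0.113.10 eq 4500
access-list outside_in permit udp any host 203.0.113.10 eq 10000
access-group outside_in in interface outside

! Decrypted traffic arrives on the DMZ interface and leaves via outside:
! PAT the VPN client pool (and the DMZ itself) to the outside address
nat (dmz) 1 192.168.50.0 255.255.255.0 0 0
nat (dmz) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface

! If VPN clients must also reach the inside network, exempt that path from NAT
! and permit it explicitly (lower to higher security needs an ACL)
access-list dmz_nonat permit ip 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (dmz) 0 access-list dmz_nonat
access-list dmz_in permit ip 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list dmz_in permit ip 192.168.50.0 255.255.255.0 any
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

Two points a reviewer would add. First, the flow the poster describes is fine for the PIX: encrypted packets enter on outside and exit on dmz, decrypted packets enter on dmz and exit on outside (or inside), so no packet has to leave the interface it arrived on, which PIX 6.x will not do. Second, the DMZ router is the only thing between the Internet-facing VPN3000 interface and the services subnet, so it should carry an ACL of its own that admits only isakmp and esp (plus the NAT-T ports if used) toward the VPN3000 public address and nothing toward the DHCP/DNS/Radius hosts; otherwise the static above exposes whatever the router is willing to forward.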



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:44:04 GMT-3