From: Larson, Chris (CLarson@usaid.gov)
Date: Tue Oct 01 2002 - 12:56:09 GMT-3
A lot of this depends on what you are trying to protect and who is using the
tunnel. If you do a tunnel from PIX to PIX and it is subnet based then the
users of the tunnel are not subject to the rules of the firewall. You can
create your crypto access-list to be more specific and base the tunnels on
host and even down to host and port. This provides more security but it still
does not subject the tunnel users to any of the firewall policies (except
those required to make the tunnel).
If you want VPN users to be subject to firewall policy then I would do it
from the routers, that is if the traffic and keying is not overwhelming to
the perimeter routers' resources. You can then still subject these users to
firewall policy.
> -----Original Message-----
> From: Armand D [SMTP:ciscoworks2001@yahoo.com]
> Sent: Tuesday, October 01, 2002 11:06 AM
> To: ccielab@groupstudy.com
> Subject: Site to Site IPSec Tunnel
>
> Hi,
>
> I'm wondering if anyone has any suggestions on which
> configuration is preferred when running a simple vpn
> tunnel over the public Internet using IPSec. Medium
> traffic over the tunnel.
>
> In my configuration I have two routers and two PIXs. I
> know it can be done from router to router or from PIX
> to PIX. Which one is preferred and why ?
>
>
> PIX 515---2620-------isp--------2620-----PIX 520
>
>
> Any feedback would be appreciated.
>
> Armand
>
> http://mobile.yahoo.com.au - Yahoo! Messenger for SMS
> - Always be connected to your Messenger Friends
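Added example (not from either poster): a constructed PIX 6.x fragment showing the two styles of crypto access-list Chris describes, a subnet-to-subnet match and a host-and-port match, for the PIX-to-PIX case in Armand's diagram. The addresses, names and peer are placeholders chosen for this example; only one `match address` line would be active on a real unit.

```cisco
: Broad policy: everything between the two LAN subnets rides the tunnel.
access-list vpn-subnet permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
: Narrow policy: only one host talking to one host on one port is protected,
: so nothing else is even offered to the peer.
access-list vpn-host permit tcp host 10.1.1.10 host 10.2.2.20 eq 1433

: Keep tunnel traffic out of NAT (placeholder ACL mirroring the crypto ACL).
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-host
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set ESP-3DES-SHA
crypto map vpnmap interface outside

isakmp enable outside
isakmp key <pre-shared-key-placeholder> address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: This line is why decrypted tunnel traffic is not checked against the
: outside interface ACL or conduits on PIX 6.x.
sysopt connection permit-ipsec
```

The crypto ACL only decides which flows get encrypted; it is not a firewall rule for the remote side. On PIX 6.x the bypass of interface ACLs that Chris mentions comes from `sysopt connection permit-ipsec`; with `no sysopt connection permit-ipsec` the decrypted traffic is evaluated against the outside interface's access-list like any other inbound traffic, which is one way to get firewall policy onto tunnel users without moving the tunnel to the routers, at the cost of having to maintain matching permit entries there.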
This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:36 GMT-3