From: Larry Roberts (groupstudy@american-hero.com)
Date: Wed May 25 2005 - 11:59:17 GMT-3
It really is a matter of preference.
Having the Concentrator behind the PIX does provide additional security
by forcing traffic to traverse the Firewall. It does this at the expense
of having a single point of failure for both devices however. If you do
this and the PIX fails then you loose both remote access and the Firewall.
Most deployments that I have done, or have been around have the PIX and
the Concentrator in parallel. Downside to this is that it your
concentrator is now directly exposed to the internet, however the
filtering on the Concentrator really minimizes the exposure.
I don't know of any templates and a quick search on Cisco didn't reveal
any, however you can treat these as two seperate devices for
configuration purposes.
You best bet would be to look through the configuration guides :
PIX v6.3
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/index.htm
Concentrator v 4.7
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_7/config/index.htm
Let us know how you do or of any questions you have.
Larry
Nguyen Hoa wrote:
> Hi all
>
> I have one PIX for Firewall function and one VPN Concentrator 3030 for
> remote-access VPN connections
>
> How can I deploy this case ?
>
> 1. PIX place parallel with Concentrator
> 2. Concentrator place behind PIX
>
> Which solution is better and easy to config ? And where could I find the
> config template for this scenario ?
>
> Tks !
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:02 GMT-3