From: Vazman (vazman@gmail.com)
Date: Wed May 25 2005 - 16:04:25 GMT-3
When you have the PIX and concentrator in a parallel setup, you have
a couple of options also. You can connect the inside interface of the
concentrator to your internal network or to a separate interface on
the PIX. Connecting it to a separate interface on the PIX allows you
to control what resources your VPN clients can access.
On 5/25/05, Larry Roberts <groupstudy@american-hero.com> wrote:
> It really is a matter of preference.
>
> Having the Concentrator behind the PIX does provide additional security
> by forcing traffic to traverse the Firewall. It does this at the expense
> of having a single point of failure for both devices however. If you do
> this and the PIX fails then you lose both remote access and the Firewall.
>
> Most deployments that I have done, or have been around have the PIX and
> the Concentrator in parallel. Downside to this is that your
> concentrator is now directly exposed to the internet, however the
> filtering on the Concentrator really minimizes the exposure.
>
> I don't know of any templates and a quick search on Cisco didn't reveal
> any, however you can treat these as two separate devices for
> configuration purposes.
>
> Your best bet would be to look through the configuration guides:
>
> PIX v6.3
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/index.htm
>
> Concentrator v 4.7
> http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_7/config/index.htm
>
> Let us know how you do or of any questions you have.
>
> Larry
>
>
>
> Nguyen Hoa wrote:
> > Hi all
> >
> > I have one PIX for Firewall function and one VPN Concentrator 3030 for
> > remote-access VPN connections
> >
> > How can I deploy this case?
> >
> > 1. PIX placed in parallel with Concentrator
> > 2. Concentrator placed behind PIX
> >
> > Which solution is better and easy to config? And where could I find the
> > config template for this scenario?
> >
> > Tks !
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:02 GMT-3