From: Larry Roberts (groupstudy@american-hero.com)
Date: Wed May 25 2005 - 18:32:23 GMT-3
Same caveat applies, however, in that if the PIX has issues, your VPN
traffic would die at the PIX.
Perhaps a set of PIXes in Failover might make either this option or the
option of the PIX in front of the concentrator more favorable.
Vazman wrote:
> When you have the PIX and concentrator in a parallel setup, you have
> a couple of options also. You can connect the inside interface of the
> concentrator to your internal network or to a separate interface on
> the PIX. Connecting it to a separate interface on the PIX allows you
> to control what resources your VPN clients can access.
>
>
>
> On 5/25/05, Larry Roberts <groupstudy@american-hero.com> wrote:
>
>>It really is a matter of preference.
>>
>>Having the Concentrator behind the PIX does provide additional security
>>by forcing traffic to traverse the Firewall. It does this at the expense
>>of having a single point of failure for both devices however. If you do
>>this and the PIX fails then you lose both remote access and the Firewall.
>>
>>Most deployments that I have done, or have been around have the PIX and
>>the Concentrator in parallel. Downside to this is that your
>>concentrator is now directly exposed to the internet, however the
>>filtering on the Concentrator really minimizes the exposure.
>>
>>I don't know of any templates and a quick search on Cisco didn't reveal
>>any, however you can treat these as two separate devices for
>>configuration purposes.
>>
>>Your best bet would be to look through the configuration guides:
>>
>>PIX v6.3
>>http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/index.htm
>>
>>Concentrator v 4.7
>>http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_7/config/index.htm
>>
>>Let us know how you do or of any questions you have.
>>
>>Larry
>>
>>
>>
>>Nguyen Hoa wrote:
>>
>>>Hi all
>>>
>>>I have one PIX for Firewall function and one VPN Concentrator 3030 for
>>>remote-access VPN connections
>>>
>>>How can I deploy this case?
>>>
>>>1. PIX placed in parallel with Concentrator
>>>2. Concentrator placed behind PIX
>>>
>>>Which solution is better and easy to configure? And where could I find the
>>>config template for this scenario?
>>>
>>>Thanks!
>>>
>>>_______________________________________________________________________
>>>Subscription information may be found at:
>>>http://www.groupstudy.com/list/CCIELab.html
>>
>
>
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:02 GMT-3