Re: PIX and VPN Concentrator !

From: C.Sammarcellino@sirtisistemi.it
Date: Thu May 26 2005 - 07:46:34 GMT-3


It is possible to control what resources your VPN clients can access with
the filter list on the VPN without intervention on the PIX.

The filtering on the VPN is more scalable because you can set it for
group or for user.

Bye

---------------------------------------------------------------------------
Ciro Sammarcellino
CCIE R&S N. 13622
CCSP (Cisco Certificate Security Professional)
INFOSEC Professional certificate (under NSA/CNSS directive)
Specialist Networking Support
Sirti Sistemi S.p.A.
Via A. Benigni, 25
00156 Rome (Italy)
Cell.: ++39 3356426305
Tel.: ++39 06-82880304
Tel.: ++39 02-95886880
Fax.: ++39 06-821899
e-mail: c.sammarcellino@sirtisistemi.it
---------------------------------------------------------------------------


-----nobody@groupstudy.com wrote: -----

  To: Larry Roberts <groupstudy@american-hero.com>
  From: Vazman <vazman@gmail.com>
  Sent by: nobody@groupstudy.com
  Date: 05/25/2005 09:04PM
  cc: Nguyen Hoa <hoanh.it@ct-in.com.vn>, Cisco certification
  <ccielab@groupstudy.com>
  Subject: Re: PIX and VPN Concentrator !

  When you have the pix and concentrator in a parallel setup, you have
  a couple of options also. You can connect the inside interface of the
  concentrator to your internal network or to a separate interface on
  the pix. Connecting it to a separate interface on the pix allows you
  to control what resources your VPN clients can access.

  On 5/25/05, Larry Roberts <groupstudy@american-hero.com> wrote:
> It really is a matter of preference.
>
> Having the Concentrator behind the PIX does provide additional security
> by forcing traffic to traverse the Firewall. It does this at the expense
> of having a single point of failure for both devices however. If you do
> this and the PIX fails then you lose both remote access and the Firewall.
>
> Most deployments that I have done, or have been around have the PIX and
> the Concentrator in parallel. Downside to this is that your
> concentrator is now directly exposed to the internet, however the
> filtering on the Concentrator really minimizes the exposure.
>
> I don't know of any templates and a quick search on Cisco didn't reveal
> any, however you can treat these as two separate devices for
> configuration purposes.
>
> Your best bet would be to look through the configuration guides :
>
> PIX v6.3
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/index.htm
>
> Concentrator v 4.7
>
> http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_7/config/index.htm
>
> Let us know how you do or of any questions you have.
>
> Larry
>
>
>
> Nguyen Hoa wrote:
> > Hi all
> >
> > I have one PIX for Firewall function and one VPN Concentrator 3030 for
> > remote-access VPN connections
> >
> > How can I deploy this case ?
> >
> > 1. PIX place parallel with Concentrator
> > 2. Concentrator place behind PIX
> >
> > Which solution is better and easy to config ? And where could I find the
> > config template for this scenario ?
> >
> > Tks !
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:02 GMT-3