02-08-2011 07:39 AM - edited 03-11-2019 12:46 PM
Hi, I've not used PIX/ASA for a while and was wondering the following:
We currently terminate site2site & RA VPNs directly on our perimeter ASA.
What would be the better option - to use sysopt or not - i.e.:
If we use the external firewall ACL to screen remote access VPNs we would have to allow RFC 1918 addresses into our network (albeit with a verified return path), but we can filter on port
vs
If we use sysopt we are creating point-to-point IP connections directly into our network that don't filter on port (doesn't matter so much for RA but does for site2site)
?
Personally I would terminate all VPNs in a DMZ then screen after that =)
Cheers amigos
Mark
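The two options described above, written out as an added example ASA configuration (not from this thread or from Cisco); the interface name, ACL names, group-policy/tunnel-group names and all addresses are assumed for illustration. A third variant (per-tunnel vpn-filter), which the thread does not mention, is included because it is the usual way to get port filtering on a site-to-site tunnel while keeping sysopt:

```cisco
! Option A (ASA default): decrypted VPN traffic bypasses the interface ACL,
! so nothing in outside_in is consulted for it. No port filtering on tunnels.
sysopt connection permit-vpn

! Option B: disable the bypass and screen decrypted VPN traffic with the
! outside interface ACL. The peer's private range (assumed 10.20.0.0/16)
! must now be permitted inbound, but only to the hosts and ports needed.
no sysopt connection permit-vpn
access-list outside_in extended permit tcp 10.20.0.0 255.255.0.0 host 192.168.1.10 eq 443
access-list outside_in extended permit udp 10.20.0.0 255.255.0.0 host 192.168.1.20 eq 53
access-list outside_in extended deny ip 10.20.0.0 255.255.0.0 any log
access-group outside_in in interface outside

! Option C (added here, not discussed in the thread): keep sysopt and attach a
! vpn-filter to the peer's group policy. The filter applies only to that
! tunnel, so RFC 1918 space is never opened on the outside ACL. vpn-filter
! ACLs are written from the remote side's view: source = remote network,
! destination = local hosts. Peer address 203.0.113.5 is assumed.
access-list SITE_B_VPN_FILTER extended permit tcp 10.20.0.0 255.255.0.0 host 192.168.1.10 eq 443
access-list SITE_B_VPN_FILTER extended permit udp 10.20.0.0 255.255.0.0 host 192.168.1.20 eq 53
group-policy SITE_B_GP internal
group-policy SITE_B_GP attributes
 vpn-filter value SITE_B_VPN_FILTER
tunnel-group 203.0.113.5 general-attributes
 default-group-policy SITE_B_GP
```

In Option B the IKE/ESP packets to the ASA itself are to-the-box traffic and are not subject to the interface ACL, so only the decrypted inner traffic is screened by outside_in.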
02-08-2011 07:46 AM
Hey Mark-
I prefer sysopt, and your DMZ ASA for VPN should have its outside interface on the outside and its inside interface in the DMZ of your perimeter ASA. That is suggested per Cisco's SRND.
Hope my post makes sense, let me know if it doesn't.
02-08-2011 08:01 AM
...yeah, that's what I would do too - it wasn't set up by me hehehe
cheers for getting back to me
Mark