VPN Termination

edw · ‎07-23-2007

Hi,

New to the VPN side of things. I have a PIX 515E which, going outwards, connect to a C3660 unit then to the internet. I want to connect remote clients through VPN to the inside network. Now I understand I have to give the PIX a internet IP. So my questions is - is it safer to use a logical interface for this rather than the physical one ? Thus seperating the traffic. Whats the safest way ? or can i let it connect to the C3660 and pass it on ?

Thanks

Ed

Jon Marshall · ‎07-23-2007

Hi Ed

Generally speaking you would terminate the VPN clients on the physical outside interface of your pix firewall, there is no need to make it a logical interface.

Do you have spare public IP addresses for the pix and the inside interface of the router ?

Jon

edw · ‎07-23-2007

Hi,

Yep I have loads - well enough ;) I was wondering if its more secure to have a seperate one especially due to the access-lists etc. The way its setup is its a nat'ed address range from the pix to the router and then nat'ed to public ip in the router.

I rereading the VPN setup info from the manual. I'm getting a bit confused on access-lists.

It talks about crypto access-lists for static maps (which I assume is really only for Lan-Lan traffic. I'm unsure about dynamtic maps thou. How is it linked to which traffic to let through and which not too ??? The cisco examples are really poor.

Thanks

Ed

edw · ‎07-23-2007

Hi,

I also have a problem with the authorization-server-group in the tunnel-group. It says "ERROR: Only "LOCAL", "radius" and "ldap" protocols are supported for WebVPN authorization." Yet this group is for IPSec not WebVPN??

Previous questions still stand ;)

Thanks for any answers to these questions?

Ed

edw · ‎07-24-2007

I am getting stats from the appliance - I'm not making sense of them thou.

My VPN Client sens it has to retrasmit its packet. The PIX is saying its recieved 6788 In Octets and 8 In packets of which its dropped 8 packets? Where is the problem ?

Thanks

Ed