
7100 as a VPN concentrator

Carlos A. Silva
Level 3

Hi,

Can a Cisco 7120/7140 be used the way a VPN 3000 is? I mean, use both Fast Ethernets to bypass the firewall while terminating the VPN?

Or does it only terminate VPNs on the WAN ports you install in them?

Something like:

    (internet)----|-----firewall----|----(intranet)
                  |                 |
                  |-------7120------|

Regards,

Carlos.

5 Replies

kdurrett
Level 3

Bypass is a scary word. Bypass heart surgery doesn't sound too good either :). But as long as you can ping the interface from the WAN side, you can establish a tunnel to it. The rule to remember with IOS IPsec is that you must apply the crypto map to the interface where the traffic comes in and out. You can use any IP address on the router for termination (even a loopback), but you still have to follow the above rule. You will just have to specify in your crypto config the local-address to use for IPsec termination. I hope I answered your question; I'm a little unclear on your drawing, as it looks like the firewall and router are both connected to the ISP?
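As an added example (not from the original thread), this is what the rule in the reply above looks like in IOS on a 7100 used as a remote-access concentrator: a dynamic crypto map with XAUTH, applied to the FastEthernet0/0 interface the client packets arrive on, with an optional loopback used as the IKE/IPsec termination address via local-address. Every address (RFC 5737 documentation space and private 10.x space), interface name, pool, AAA list and pre-shared key is an assumption for illustration; 3DES/SHA-1 are shown because that is what this hardware generation supports, use AES where the image offers it.

```cisco
! Added example, not from the thread. Addresses, names and keys are placeholders.
aaa new-model
! XAUTH user logins go to RADIUS (ACS, or IAS in front of the DC); local as fallback
aaa authentication login VPN-XAUTH group radius local
! group policy (pool, DNS) is defined locally below
aaa authorization network VPN-GROUP local
radius-server host 10.1.0.20 key EXAMPLE-RADIUS-KEY
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! the group name the clients send; "key" is the group pre-shared key
crypto isakmp client configuration group REMOTE-USERS
 key EXAMPLE-GROUP-PSK
 dns 10.1.0.10
 pool VPNPOOL
!
crypto ipsec transform-set TS-3DES esp-3des esp-sha-hmac
!
crypto dynamic-map DYN-RA 10
 set transform-set TS-3DES
 reverse-route
!
crypto map VPN-OUTSIDE client authentication list VPN-XAUTH
crypto map VPN-OUTSIDE isakmp authorization list VPN-GROUP
crypto map VPN-OUTSIDE client configuration address respond
crypto map VPN-OUTSIDE 10 ipsec-isakmp dynamic DYN-RA
! Optional: terminate IKE/IPsec on the loopback address instead of Fa0/0's own
! address. This only changes the termination address; the map itself still goes
! on the physical interface the packets come in and out of.
crypto map VPN-OUTSIDE local-address Loopback0
!
ip local pool VPNPOOL 10.200.0.1 10.200.0.254
!
interface Loopback0
 description IPsec termination address (must be routed to you by the ISP)
 ip address 192.0.2.10 255.255.255.255
!
interface FastEthernet0/0
 description outside, parallel to the PIX outside interface
 ip address 192.0.2.2 255.255.255.248
 crypto map VPN-OUTSIDE
!
interface FastEthernet0/1
 description inside
 ip address 10.1.0.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

The check from the reply applies as written: from a host on the WAN side, ping the termination address (192.0.2.10 here) before trying a client; then confirm with `show crypto isakmp sa` and `show crypto ipsec sa` that the phase 1 and phase 2 SAs form against that address. If the crypto map were attached to FastEthernet0/1 instead, the ISAKMP packets arriving on Fa0/0 would never be matched, which is the failure the rule is warning about.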

Well, let me clear this up...

With 'bypass' I meant the topology where the PIX and VPN concentrator are connected in parallel. That is, both have outside interfaces connected to the perimeter router and both have inside interfaces connected to the intranet.

And I guess you're right... as long as I apply the crypto map to the correct interface, everything should be cool. That way I terminate the tunnel on the outside interface but have access to the inside.

Thanks,

C.

PS. Will never use the word 'bypass' again.

Ahh, I understand now. But can you send me your PIX since you won't be needing it anymore? :)

So on your router you have something like this, for example:

        internet
           |
    7120-------pix
     |          |
     ---SWITCH---
          |
    ---------------------
    PC    PC    PC    PC

In this scenario you have your PCs' default gateway set to the PIX. Now when clients connect, they get an IP address from the router, to the router, and they are trying to access your LAN; their replies are going to go to the PIX, which routes them to the router. So inbound traffic goes straight to the LAN but return traffic goes through the PIX, which is probably wide open for outbound traffic. If you're thinking you can add a route for the VPN clients' IPs to route it back to the 7120 inside LAN IP, well, you can't redirect that traffic from the PIX, so it's got to go out the outside interface. Kind of a loop. Why would the inbound traffic, when it hits the router, not be sent to the PIX? Well, you would have created an interface on the same subnet as the destination, so there's no need to go to the PIX.

Everything should work just fine, but the traffic is never filtered by the PIX policies. Workarounds for this: change your PCs' default gateway to the router, which is when you can send me your PIX. Another option is to create something like a batch file for your PCs on the LAN to add a static route for the VPN clients' IPs to send it to the router. The whole setup is good in a way because this is for people that you trust, right? You're giving them VPN access in the first place. Other traffic still goes through the PIX like normal, so that's good. People still have to be able to connect to the router with VPN, matching its policies, pre-shared keys (or certs) and authenticating to your RADIUS server.

You bring up interesting points, but then again all I want is corporate access... that's it.

And no, you may not have the PIX since it's not mine!

:o)

Thanks!

Accepted Solution

We are currently doing the same thing on our network, but I would rather not interrupt service for my users. Right now they authenticate to the 3000 with the pre-shared key, then they are prompted by our DC for domain username and password. On the 7100 I set up a pre-shared key and now I am sort of torn between making my users validate to the ACS before the DC, or go directly to our DC for authentication. I know my boss is going to want the least service interruption. If you have any suggestions or tips you learned from doing the migration over, let me know. And by the way, we will place fe 0/0 outside the PIX and fe 0/1 inside off of a DMZ interface for firewall protection and further control.

Thanks
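As an added example (not from the original thread), here is the placement described in the accepted solution, which also closes the hole kdurrett described two replies earlier: the 7100's fe0/1 sits on a PIX DMZ leg instead of the inside LAN, so decrypted client traffic enters the LAN through the PIX and the replies (PCs' default gateway = PIX) leave through the same PIX, both directions subject to the DMZ access list. PIX 6.x syntax is assumed; all addresses, interface names, the VPN pool 10.200.0.0/24 and the domain controller at 10.1.0.10 are placeholders. Lines beginning with "!" are explanatory comments, not configuration.

```cisco
! --- PIX (6.x syntax), constructed example ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.0.2.3 255.255.255.248
ip address inside 10.1.0.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
! The VPN client pool is reached through the router's dmz leg. Inside hosts'
! replies (default gateway = PIX) therefore go PIX -> dmz -> router, not
! straight to the router, so both directions cross the firewall.
route dmz 10.200.0.0 255.255.255.0 192.168.100.2 1
! no address translation between the LAN and the VPN pool
access-list NONAT permit ip 10.1.0.0 255.255.255.0 10.200.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
! identity static so dmz-side (VPN client) traffic can be permitted into inside
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.255.0 0 0
! The policy the parallel design never applied: what VPN users may reach.
! Shown: Kerberos, DNS and SMB to the hypothetical domain controller only.
access-list DMZ_IN permit udp 10.200.0.0 255.255.255.0 host 10.1.0.10 eq 88
access-list DMZ_IN permit tcp 10.200.0.0 255.255.255.0 host 10.1.0.10 eq 88
access-list DMZ_IN permit udp 10.200.0.0 255.255.255.0 host 10.1.0.10 eq 53
access-list DMZ_IN permit tcp 10.200.0.0 255.255.255.0 host 10.1.0.10 eq 445
access-list DMZ_IN deny ip any any
access-group DMZ_IN in interface dmz

! --- 7100 router (IOS), constructed example ---
! Only interface placement and routing are shown; the crypto map body that
! VPN-OUTSIDE refers to is omitted here.
interface FastEthernet0/0
 description outside, parallel to the PIX outside interface
 ip address 192.0.2.2 255.255.255.248
 crypto map VPN-OUTSIDE
!
interface FastEthernet0/1
 description PIX dmz leg, NOT the inside LAN
 ip address 192.168.100.2 255.255.255.0
!
ip local pool VPNPOOL 10.200.0.1 10.200.0.254
ip route 0.0.0.0 0.0.0.0 192.0.2.1
! decrypted client traffic for the LAN is handed to the PIX dmz interface
ip route 10.1.0.0 255.255.255.0 192.168.100.1
```

The contrast with the parallel design is in one route: if fe0/1 were addressed on 10.1.0.0/24 itself, the router would have a connected route for the LAN and deliver decrypted packets directly, while the PCs' replies would still go to the PIX, the asymmetric, unfiltered path described above. With fe0/1 on the DMZ leg, `show ip route 10.1.0.10` on the router resolves via 192.168.100.1, and `show route` on the PIX shows 10.200.0.0/24 via the dmz interface, so every VPN packet in either direction is evaluated against DMZ_IN or an existing connection created by it.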