cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
247
Views
0
Helpful
2
Replies

Concentrator location question

dmartino
Level 1
Level 1

We currently have 2 sites connected via a PIX-to-Pix VPN. We are about to add a concentrator at one site which will provide access to all networks at both sites for remote clients.

It has been my policy in the past to run all traffic to a site through one firewall to centralize/simplify security administration as much as possible. To follow through on that, I believe that the concentrator's internal interface should be installed on a DMZ, most likely as the only device on that DMZ. We are working with a consultant who believes that the concentrator should be attached directly to our internal network, just like in the picture in the documentation that I found in the 3000 manual. He has stated that this is where Cisco says that it should be. Other than that picture, I have found nothing to back up either him or me. Realizing that I have not even attempted to work out the rest of the config yet, can anyone offer opinions on which way is the best way to do this or suggestions on where I might find more information?

2 Replies 2

Trickster
Level 1
Level 1

Hi there. I have installed a lot of concentrators for customers in the past, and by way of a surprise, there is no 'standard' way to deploy the device. What is comes down to really is your own security policy.

However, the majority of customers have the external interface of the 3000 on a DMZ of a firewall and then have the internal interface directly on the internal LAN. This is quite a good balance of setup time vs security. If the company tends more toward the paranoid end of the security scale, then they will have both interfaces each on their own DMZ's.

The extra work necessary on the firewall for this deployment can be prohibitive, but also can be essential especially if you are giving access to third parties that require strict access control.

Those companies that tend more toward the 'easy life' end of the security scale have the 3000 deployed in paralell to the firewall, i.e. the external interface has a direct connection on the internet, and the inside is directly on the inside. This sounds a bit insecure to some, but is perfectly valid if the external interface is secured correctly. Also, this deployment still allows access into the network in the event of the firewall dying.

Hope this helps.

This is very helpful. From your message, it sounds like it is tougher to be strict if the concentrator bypasses the PIX. Is this correct?

We currently use the VPN features of the PIX to provide for 3 to 5 different groups with different sets of access rights. Is one or the other architecture better for this?