IOS VPN for L2L, placement and addressing best practice

rungemach
Level 1

We are installing an IOS VPN router on a 2651XM VPN bundle for L2L.

I am trying to determine the best placement for the VPN router.

We have Internet BR, then outside switch, Pix then Inside Switch.

We installed a 4-port card in the 515e Pix to provide DMZ interface, but have not yet configured any interfaces.

The L2L traffic is B2B so we need to firewall/NAT our traffic/internal network.

I have a switch for the DMZ if needed for additional PSS.

1 Accepted Solution

Accepted Solutions

aacole
Level 5

I'd recommend placing the VPN router's outside interface on the outside of the firewall. Terminate the inside, un-encrypted VPN interface on a DMZ port on the PIX; this way you can use the PIX to control what internal servers the VPN users can connect to.

This way you can NAT your inside traffic, but your VPN traffic doesn't have to cross a NAT boundary. Also, your VPN users can use the PIX to access your Internet link.

On the VPN router, lock down the outside interface as much as possible; if the IOS supports the firewall feature set, then use it.
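A configuration sketch of the layout described above, added here as an example and not taken from the thread: the IOS 12.4T router carries the crypto map on its outside interface behind an inbound ACL that admits only IKE and ESP from the known peer, its cleartext inside interface sits on a PIX DMZ port, and the PIX (6.x syntax assumed) exempts tunnel traffic from NAT and decides which internal servers the partner network may reach. Every address, name, key and interface number is a constructed placeholder.

```cisco
! --- VPN router (2651XM, IOS 12.4T) --- constructed placeholder addresses:
! 203.0.113.1 outside, 198.51.100.1 remote peer, 192.168.50.0/24 link to PIX DMZ,
! 10.1.0.0/24 our internal network, 10.2.0.0/24 partner network
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
crypto ipsec transform-set L2L-TS esp-aes 256 esp-sha-hmac
ip access-list extended L2L-CRYPTO
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
crypto map L2L-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set L2L-TS
 match address L2L-CRYPTO
! Lock down the outside interface: only IKE and ESP from the known peer
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.1 eq non500-isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
 deny ip any any log
interface FastEthernet0/0
 description Outside, on the Internet side of the PIX
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map L2L-MAP
interface FastEthernet0/1
 description Inside, cleartext, cabled to the PIX DMZ port
 ip address 192.168.50.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 203.0.113.254
ip route 10.1.0.0 255.255.255.0 192.168.50.1
!
! --- PIX 515E (6.x syntax), DMZ port on the 4-port card ---
nameif ethernet2 vpndmz security50
ip address vpndmz 192.168.50.1 255.255.255.0
route vpndmz 10.2.0.0 255.255.255.0 192.168.50.2 1
! Partner <-> internal traffic is not translated (no NAT across the tunnel)
access-list NONAT permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
static (inside,vpndmz) 10.1.0.0 10.1.0.0 netmask 255.255.255.0
! The PIX, not the router, decides which internal servers the partner reaches
access-list VPNDMZ-IN permit tcp 10.2.0.0 255.255.255.0 host 10.1.0.10 eq 443
access-list VPNDMZ-IN deny ip any any
access-group VPNDMZ-IN in interface vpndmz
```

The `deny ip any any log` on OUTSIDE-IN also blocks return traffic for sessions the router itself originates; if the router must reach the Internet directly, add IOS firewall inspection (`ip inspect`) on the outside interface rather than widening the ACL.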

2 Replies

Thank you for the confirmation. That is the plan I had, but since this is new, I wanted to validate. We will be using 12.4T IOS Advanced Security with the firewall enabled.