Moving VPN 3005 to DMZ of PIX515? Maybe Afaq Khane or someone can help me.

c-lover
Level 1

I have a concentrator in parallel with a PIX515. It's working fine, but as it is connected directly to the internet, I want to move it to my DMZ port. Is this possible? If yes, how can I do this? I am a newbie. I don't know how IPSec traffic will pass through the outside interface and from the DMZ to the inside. I have 3 site-to-site (L2L) tunnels and a lot of VPN clients.

It will be nice if someone can help me.

Thanks

3 Replies

travis-dennis_2
Level 7

In my never too humble opinion I would not put the 3005 in the DMZ. Rule 1 of the DMZ is to do everything possible to NOT allow traffic from the DMZ into the inside. OK, maybe not Rule 1, but it's up there. I would instead get a PIX 501 or a 506 and put it in front of the Concentrator, put the public IP address on the PIX and do a translation. My Cisco SE recommended that the PIX be put behind the 3005 though, but that was in the midst of a very long conversation that covered a lot of ground and I never fleshed out why he said behind instead of in front of. Anybody else opinionated about this design??

If the budget does not allow for an additional firewall I would take advantage of some of the additional features of the 3005 to tighten security. Certificates, XAUTH, filters and a host of other tools that can make the 3000 series very secure.

If Afaq or one of the other experts tells you something different, then just forget you read this posting by a lowly end-user.

Thanks for the reply.

I have ordered a new 501 and will get it as early as Monday morning. Can you please tell me how I will configure that? Do I need to forward all traffic to my Concentrator? If yes, can you please give me the commands too. I am a newbie in Cisco. I want to monitor my LAN-to-LAN traffic for intrusion detection, port scans, ICMP attacks etc.

Thanks

Try this link. You will do a translation from the public IP of the concentrator. The 501 has limited intrusion detection capabilities. You would be better off getting a 4200 series Network Sensor to monitor for attacks.

http://cco-rtp-1.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_qanda_item09186a0080094cf4.shtml#Q3
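As an added illustration of the translation the reply above describes (example configuration written for this thread, not taken from the linked Cisco document): a PIX 501 running PIX OS 6.x in front of the 3005, with a one-to-one static NAT for the concentrator's public interface and an inbound ACL that admits only the IPsec protocols. All addresses are placeholders: 203.0.113.10 is the public IP that used to sit on the 3005, 192.168.1.2 is the new private address on its public interface behind the PIX, and 192.168.1.50 is a syslog host.

```cisco
! Example PIX 501 configuration (constructed for this thread, not Cisco's own text).
! Assumed addressing, all placeholders:
!   203.0.113.2   PIX outside interface, default gateway 203.0.113.1
!   203.0.113.10  public address formerly on the 3005, now translated by the PIX
!   192.168.1.2   3005 public interface, now on the PIX inside segment
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! One-to-one static translation. ESP (IP protocol 50) carries no port numbers,
! so it survives a static NAT but not a PAT ('global ... interface'); keep the
! concentrator on its own dedicated public address.
static (inside,outside) 203.0.113.10 192.168.1.2 netmask 255.255.255.255 0 0

! Inbound from the Internet, only the IPsec control and data channels:
! IKE (UDP/500), NAT-T (UDP/4500, used by VPN clients sitting behind a PAT) and ESP.
! Everything else hits the implicit deny at the end of the list.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit udp any host 203.0.113.10 eq 4500
access-list outside_in permit esp any host 203.0.113.10
access-group outside_in in interface outside

! Send the denied inbound attempts to a syslog host on the inside so port scans
! and other unwanted traffic against the concentrator address are visible.
logging on
logging trap informational
logging host inside 192.168.1.50
```

Because the translation is one-to-one, the remote L2L peers and the VPN clients keep pointing at 203.0.113.10; what does change is the address the 3005 itself sees on its public interface (192.168.1.2), so check that each L2L peer still accepts the concentrator's IKE identity after the move, and that the 3005 has NAT-T enabled if any clients connect from behind a PAT.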