Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
399
Views
0
Helpful
3
Replies

Moving VPN 3005 ot DMZ of PIX515? May Afaq Khane or someone can help me.

c-lover
Level 1
Level 1

‎08-01-2003 02:24 AM - edited ‎02-21-2020 12:42 PM

I have a concentrator at parallel with PIX515. Its woking fine but as it is connected directally to the internet, I want to move it to my DMZ port. Is this possible? If yes, How can I do this. I am newbies. I don't know how IPSec traffic will pass through outside interface and from DMZ to inside. I have 3 site to site (L2L) tunnels and lot of VPN clients.

It will be nice if someone can help me.

Thanks

Labels:
0 Helpful
3 Replies 3

travis-dennis_2
Level 7
Level 7

‎08-01-2003 04:35 AM

In my never too humble opinion I would not put the 3005 in the DMZ. Rule 1 of the DMZ is to do everything possible to NOT allow traaffic from the DMZ into the inside. OK, maybe not Rule 1 but it's up there. I would instead get a PIX 501 or a 506 and put it in front of the Concentrator, put the public IP address on the PIX and do a translation. My Cisco SE recommended that the PIX be put behind the 3005 though but that was in the midst of a very long conversation that covered a lot of ground and I never flushed out why he said behind instead of in front of. Anybody else opinionated about this design??

If the budget does not allow for an additional firewall I would take advantage of some of the additional features of the 3005 to tighten security. Certificates, XAUTH, filters and a host of other tools that can make the 3000 series very secure.

If Afaq or one of the other experts tell you something different then just forget you read this posting by a lowely end-user

0 Helpful

c-lover
Level 1
Level 1
In response to travis-dennis_2

‎08-01-2003 05:49 AM

Thanks For reply.

I have bestelled a new 501 and will get as early as monday morning. Can you please tell me how will I configure that. Do I need to forward all traffic to my Concentrator, If yes can you Please give me the commands too. I am newbies in cisco. I want to monitor my lan-to-lan traffic for intrusion detection, portscan, icmp attack etc..etc..

Thanks

0 Helpful

travis-dennis_2
Level 7
Level 7
In response to c-lover

‎08-01-2003 08:00 AM

Try this link. You will do a translation from the public IP of the concentrator. The 501 has limited intrusion detection capabilities. You would be better off getting a 4200 series Network Sensor to monitor for attacks.

http://cco-rtp-1.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_qanda_item09186a0080094cf4.shtml#Q3

0 Helpful
Customers Also Viewed These Support Documents