10-25-2006 01:35 AM - edited 02-21-2020 02:41 PM
Hi,
We have two pairs of ASA5520s, one sitting in front of the other, to create a DMZ and a Secure zone for our database servers. What is the normal practice for allowing VPN access to the Secure zone when it is behind two sets of firewalls? Do you allow VPN traffic to pass through the first set of firewalls and terminate the VPN connection on the second set of firewalls?
Many Thanks,
Alan
10-26-2006 04:36 AM
Hi,
I think you have to open IPsec on the in and out interfaces to bypass the IPsec tunnel.
Ck
10-26-2006 10:04 AM
Hello Alan,
It will depend on your org's security policy. In our case (we also have two sets of firewalls) we terminate our VPN connections (both RA and L2L) on the outside interface of the front set of routers.
You can consider terminating it on the inside or DMZ interface of the outside set, but remember that if you terminate a tunnel on an interface other than the first outside one, then you won't know what kind of traffic is coming through, and you will thus lose the capability of controlling that traffic at the very edge.
Regards
Pradeep
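As an added illustration of Ck's and Pradeep's replies (not configuration posted in this thread), here is the shape of the ASA configuration for the "pass it through the front firewall, terminate on the inner one" option: the front ASA permits only the IPsec control and data traffic (IKE on UDP/500, NAT-T on UDP/4500, and ESP) to the inner ASA's outside address, and the inner ASA terminates the tunnels while keeping its interface ACLs in force. The interface names, the ACL name and the inner ASA address 192.0.2.10 are assumed placeholders, and the exact syntax varies between ASA software releases.

```text
! --- Front (edge) ASA: let only IPsec through to the inner ASA ---
! 192.0.2.10 is a placeholder for the inner ASA's outside interface address.
access-list outside_in extended permit udp any host 192.0.2.10 eq isakmp
access-list outside_in extended permit udp any host 192.0.2.10 eq 4500
access-list outside_in extended permit esp any host 192.0.2.10
! Everything else arriving on the outside interface is dropped and logged.
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside

! --- Inner ASA: terminate the tunnels on its outside interface ---
crypto isakmp enable outside
crypto isakmp nat-traversal 20
! By default decrypted VPN traffic bypasses the interface ACLs; disable that
! so the inner ACLs still decide what reaches the Secure zone (this is the
! control at the inner edge that Pradeep's caveat is about).
no sysopt connection permit-vpn
```

The trade-off Pradeep describes remains: the front ASA sees only encrypted ESP, so any filtering of the tunnelled traffic itself has to happen on the inner ASA after decryption.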