Where should an IPSec device go?

zchagpar
Level 1

The solution is for a customer that will have security concerns. Should it be put in the DMZ or in the network? If in the DMZ, all ports that will be used between our servers and their clients will need to be allowed by the customer's firewall. If inside the network, we only need to allow ports 50 and 500, but then if the device is compromised the customer's network is infiltrated. What a dilemma!

Any ideas?

Thanks!

3 Replies

fmeetz
Level 4

Which IPsec device are you talking about? The PIX is a firewall and VPN solution in one. The routers can be the same. The VPN 3000 & 5000 series go in parallel with a firewall solution. Yes, you can drop one behind the firewall and yes, you’ll have to open the ports for this. If the device has the potential to be compromised, you might want to look at a different VPN device or firewall solution. I suggest having a design tech look at your situation.

Thanks for the reply,

The device would probably be a router using one interface.

What are the risks of using a 3000 concentrator? Does it not have to be as secure as the firewall itself if running in parallel?

Are there any advantages with the 7100 instead?

LAN-to-LAN on the 3000 is not as stable as using routers. In my opinion, it would be more secure if it sits behind the firewall, though it can be implemented either way.

7100 does not do WINS and DNS push to remote clients cf 3000/5000 concentrators.
