08-28-2006 11:19 PM
Can anyone suggest the best position to place a VPN concentrator in the attached design?
The design consists of 2 Firewalls (FWSM's), one to protect the regular users and the other to protect the server farm.
I want to place a VPN concentrator to allow administrators to have remote VPN access from their homes to the servers in the several DMZs behind the server farm firewall.
Which is the best way to add a VPN concentrator into this design with a minimal impact on the current configuration and design?
Please find the design diagram attached.
Thanks
Kevin
08-29-2006 09:26 AM
create two contexts on the public fwsm (7600)
vpn outside; vpn inside
Each context "secures" a different interface of the VPN concentrator. Strict rules lock down what is allowed inbound from VPN clients...
vpn outside permits the internet to do udp 10000, ipsec, ike, all the usual stuff.
vpn inside permits the clients (on vpn) to do limited traffic per your security policy;
perhaps http/https, terminal server, citrix, kerberos, ldap, etc.
I would resist the urge to put the VPN private interface on a context on the internal FWSM... that is a bad security posture, linking secure devices through another device with layer 3 capabilities - in this case a VPN 3000.
Joe
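The two-context layout Joe describes, written out as an FWSM 3.x configuration sketch. This is an added example, not configuration posted by Joe or Kevin and not taken from the attached diagram. Everything concrete in it is an assumption: the VLAN numbers, the addresses (RFC 5737 documentation ranges on the public side, private ranges inside), the VPN client address pool, the DMZ server subnet and the `disk:/` config-url path. The port list follows Joe's text: IKE (udp/500), NAT-T (udp/4500), Cisco IPsec-over-UDP (udp/10000) and ESP are the only things the internet may send to the concentrator's public interface, and the private-side context allows only HTTP/HTTPS, RDP, Citrix ICA, Kerberos and LDAP from the client pool to the servers, logging everything it denies.

```cisco
! ===== System context on the public FWSM (multiple-context mode) =====
! Two security contexts, one per VPN 3000 interface.  VLANs, addresses
! and config-url paths are constructed for this example.
context vpn-outside
 allocate-interface vlan101
 allocate-interface vlan102
 config-url disk:/vpn-outside.cfg
context vpn-inside
 allocate-interface vlan103
 allocate-interface vlan104
 config-url disk:/vpn-inside.cfg

! ===== Context vpn-outside: internet <-> concentrator public interface =====
interface vlan101
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface vlan102
 nameif vpnpub
 security-level 50
 ip address 198.51.100.1 255.255.255.0
! No address translation in this example; make that explicit rather than
! relying on the platform default.
no nat-control
! Only the tunnel-establishment protocols reach the concentrator
! (198.51.100.10 is the assumed public address of the VPN 3000).
access-list OUTSIDE_IN remark IKE
access-list OUTSIDE_IN extended permit udp any host 198.51.100.10 eq 500
access-list OUTSIDE_IN remark IPsec NAT-Traversal
access-list OUTSIDE_IN extended permit udp any host 198.51.100.10 eq 4500
access-list OUTSIDE_IN remark Cisco IPsec over UDP (client default port)
access-list OUTSIDE_IN extended permit udp any host 198.51.100.10 eq 10000
access-list OUTSIDE_IN remark ESP (IP protocol 50)
access-list OUTSIDE_IN extended permit esp any host 198.51.100.10
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! ===== Context vpn-inside: concentrator private interface <-> internal network =====
interface vlan103
 nameif vpnpriv
 security-level 0
 ip address 10.10.1.1 255.255.255.0
interface vlan104
 nameif inside
 security-level 100
 ip address 10.10.2.1 255.255.255.0
no nat-control
! Assumed address pool handed to VPN clients and assumed DMZ server range.
object-group network VPN_CLIENTS
 network-object 10.200.0.0 255.255.255.0
object-group network DMZ_SERVERS
 network-object 10.50.0.0 255.255.0.0
! Admin services from Joe's list: HTTP, HTTPS, RDP, Citrix ICA, Kerberos, LDAP.
object-group service ADMIN_TCP tcp
 port-object eq 80
 port-object eq 443
 port-object eq 3389
 port-object eq 1494
 port-object eq 88
 port-object eq 389
! Traffic from decrypted clients is allowed only from the pool, only to the
! servers, only on the listed ports; everything else is denied and logged.
access-list VPN_IN extended permit tcp object-group VPN_CLIENTS object-group DMZ_SERVERS object-group ADMIN_TCP
access-list VPN_IN extended permit udp object-group VPN_CLIENTS object-group DMZ_SERVERS eq 88
access-list VPN_IN extended deny ip any any log
access-group VPN_IN in interface vpnpriv
```

Two points worth noting when adapting this: the source of the VPN_IN rules is the client address pool, not the concentrator's private interface address, because after decryption the packets carry the client's pool address; and Kerberos is listed on both TCP and UDP 88 because clients may use either, while the `kerberos` keyword on this platform does not mean port 88, so the number is used instead.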
08-29-2006 10:38 PM
Thanks Joe,
Your logic seems good. I thought the same way, except that I was thinking of configuring the contexts for outside & inside on the internal FWSM. Your suggestion of doing it on the 7600 is more secure, so I'll go with that. Just one doubt: by contexts you mean two DMZs with different security levels, right?
Kevin