Is this OK to implement? IPSec, PIX, VPN 3000

From: Chuck Balik (cbalik@cox.net)
Date: Thu Sep 26 2002 - 09:50:45 GMT-3


Customer wants to put VPN3000 (both interfaces) and the network services
DHCP/DNS/MailProxy/Radius ACS in one DMZ. The VPN users will come from
outside of PIX and from PSTN into AS (it is in the DMZ behind the PIX) and
into DMZ. The first problem I had was to put VPN3000's two interfaces,
outside and inside, in the same subnet. I did not try the configs yet
because I don't have the equipment. I will be having them soon, but I am
trying to verify and get some solution ideas on this design. I just assumed
that I cannot put both VPN3000 interfaces in the same subnet. So, I did end
up putting a router in the DMZ. Router is separating the VPN3000 (outside
interface) in one subnet. All the network services are behind the router in
the DMZ in the other subnet. The VPN3000's internal interface will go
behind the router to the other subnet in the DMZ.
The question is: only one port on the PIX is utilized for this design. IPSec
traffic coming from the Internet has to bypass the PIX into the DMZ, go through the
router in the second subnet of the DMZ and terminate at the VPN3000. Then
unencrypted traffic comes out of the VPN3000, goes back to the other subnet of the
DMZ and goes to the PIX (same interface that IPSec bypassed) to WWW. The VPN
client to be used is the VPN3000 Cisco Client.
Does this work? Are there any security concerns or config concerns? Any
input appreciated!! Any sample configs for PIX?

Take Care

             |
             |
             |
Pix-----switch------router------VPN3000
           |
           |
           ---------------------------DHCP/Radius
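As an added illustration (not from the original post and not a vendor sample), a PIX 6.x policy for the design sketched above: only the tunnel protocols are admitted toward the concentrator's public address, and the decrypted traffic that re-enters the same DMZ interface is accepted only from the VPN client pool. All addresses, the pool, and the interface name are placeholders chosen for this example.

```cisco
! Added example for the PIX in the design above; all addresses are placeholders.
!   203.0.113.10  public address the Cisco VPN Client dials (static-mapped)
!   172.16.1.0/24 DMZ subnet on the PIX side of the router (services, VPN3000 inside)
!   172.16.2.0/24 DMZ subnet behind the router (VPN3000 outside = 172.16.2.10)
!   10.20.0.0/24  address pool the VPN3000 assigns to remote clients (assumed)
nameif ethernet2 dmz security50
ip address dmz 172.16.1.1 255.255.255.0
! The VPN3000 outside interface is one hop away, behind the DMZ router (172.16.1.2).
route dmz 172.16.2.0 255.255.255.0 172.16.1.2 1
! Expose only the concentrator's public address, not the whole DMZ.
static (dmz,outside) 203.0.113.10 172.16.2.10 netmask 255.255.255.255 0 0
! "Bypass" means admitting just IKE and ESP (plus the client's IPSec-over-UDP
! port, 10000 by default on the VPN3000, if that option is enabled); nothing else.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit esp any host 203.0.113.10
access-list outside_in permit udp any host 203.0.113.10 eq 10000
access-list outside_in deny ip any any
access-group outside_in in interface outside
! Decrypted traffic comes back in on the dmz interface. Accept it only when it
! is sourced from the client pool (behind the VPN3000 inside interface); the
! services and the concentrator itself get no outbound path through the PIX.
access-list dmz_in permit ip 10.20.0.0 255.255.255.0 any
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

If the decrypted traffic is bound for the inside network rather than the Internet, the PIX also needs a static (inside,dmz) translation for the inside hosts, because dmz-to-inside crosses from a lower to a higher security level.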



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:44:04 GMT-3