Re: Is this OK to implement? IPSec, PIX, VPN 3000

From: Chris (clarson52@comcast.net)
Date: Thu Sep 26 2002 - 12:39:00 GMT-3


Why don't you just put the concentrator's outside interface in parallel with
the pix and the inside interface into the DMZ?

----- Original Message -----
From: "Chuck Balik" <cbalik@cox.net>
To: <ccielab@groupstudy.com>
Sent: Thursday, September 26, 2002 9:21 AM
Subject: Fwd: Is this OK to implement? IPSec, PIX, VPN 3000

> >Date: Thu, 26 Sep 2002 08:50:45 -0400
> >To: ccielab@groupstudy.com, security@groupstudy.com
> >From: Chuck Balik <cbalik@cox.net>
> >Subject: Is this OK to implement? IPSec, PIX, VPN 3000
> >
> >Customer wants to put VPN3000 (both interfaces) and the network services
> >DHCP/DNS/MailProxy/Radius ACS in one DMZ. The VPN users will come from
> >outside of PIX and from PSTN into AS (it is in the DMZ behind the PIX) and
> >into DMZ. The first problem I had was to put VPN3000's two interfaces,
> >outside and inside, in the same subnet. I did not try the configs yet
> >because I don't have the equipment. I will be having them soon, but I am
> >trying to verify and get some solution ideas on this design. I just
> >assumed that I can not put both VPN3000 interfaces in the same subnet. So,
> >I did end up putting a router in the DMZ. The router is separating the VPN3000
> >(outside interface) in one subnet. All the network services are behind
> >the router in the DMZ in the other subnet. The VPN3000's internal
> >interface will go behind the router to the other subnet in the DMZ.
> >The question is, only one port on PIX is utilized for this design. IPSec
> >traffic coming from the Internet has to bypass PIX into DMZ and go through the
> >router in the second subnet of DMZ and terminate at VPN3000. Then
> >unencrypted traffic comes out of the VPN3000 and goes back to the other subnet of
> >DMZ and goes to PIX (same interface that IPSec bypassed) to WWW. The VPN
> >client that will be used is the VPN3000 Cisco Client.
> >Does this work? Are there any security concerns or config concerns? Any
> >input appreciated!! Any sample configs for PIX?
> >
> >Take Care
> >
> >
> >|
> >|
> >|
> >Pix-----switch------router------VPN3000
> > | |
> > | |
> > | ---------------------------DHCP/Radius
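A PIX configuration fragment for the single-DMZ-interface design described in the original question, added here as an example (it is not from either poster). PIX 6.x syntax is assumed; the addresses, interface names and the DMZ router's address are constructed placeholders.

```cisco
! Added example, not from the thread: PIX 6.x fragment (assumed version) for the
! design where IPSec from the Internet is passed into one DMZ and terminates on a
! VPN 3000 whose outside interface sits in a second DMZ subnet behind a router.
! All addresses below are constructed placeholders.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
! Second DMZ subnet (VPN3000 outside interface) is reached through the DMZ router
route dmz 172.16.2.0 255.255.255.0 172.16.1.2 1
! One-to-one static so the concentrator's outside interface has a public address
static (dmz,outside) 203.0.113.10 172.16.2.10 netmask 255.255.255.255 0 0
! From the Internet only IKE (UDP/500) and ESP are allowed in, and only to the
! concentrator; everything else to the DMZ is dropped by the implicit deny
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit esp any host 203.0.113.10
access-group outside_in in interface outside
! Decrypted client traffic leaves the concentrator's inside interface, crosses the
! router back onto the first DMZ subnet and is PATed out to the Internet through
! the same DMZ interface the IPSec traffic came in on
global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
```

The access list is the control that matters here: only IKE and ESP reach the concentrator from outside, and the decrypted traffic re-entering the PIX is treated as ordinary DMZ-sourced traffic, so any restrictions on what the DMZ may reach (and what the service hosts may accept) are defined on the dmz interface, not the outside one.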



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:44:04 GMT-3