Re: Is this OK to implement? IPSec, PIX, VPN 3000

From: Chuck Balik (cbalik@cox.net)
Date: Thu Sep 26 2002 - 13:12:00 GMT-3


Chris, you are asking a good question. I kept recommending this too but
the customer is kind of demanding. The customer says if I can not put
everything behind the PIX, I have to give them good reasons. I just could
not find any. The PIX they have is the largest one too. So it can handle
all the email and WWW traffic plus IPSec bypass. Plus I forgot to state in
my original email that the only services we are going to provide for VPN
customers are Mail and WWW. The mail server will also reside in the DMZ. No
VPN customers will go in their internal network yet. Traffic will be
between external to DMZ and DMZ to external. External traffic will be Mail
and WWW only.
Key point here is letting IPSec traffic go in the DMZ to terminate on the
VPN and the user traffic coming back out on the same PIX interface. From
the security point of view I think it seems OK but I am not sure. Plus the
config samples I am looking for, like letting IPSec bypass the pix. I am
assuming just letting ESP and ISAKMP go from outside to DMZ, then the VPN
users will have one of the DMZs subnet addresses that the VPN3000 inside
interface resides.
I also read a Cisco Networkers VPN guide PowerPoint presentation. There,
there was a design showing that both of the VPN3000's interfaces are behind the
PIX, going to two different interfaces. The VPN3000 hangs on the PIX utilizing two
of the PIX's interfaces. So, go figure, Cisco says this is very secure but
complex to configure.

At 11:39 AM 9/26/2002 -0400, Chris wrote:
>Why don't you just put the concentrator outside interface in parallel with
>the pix and the inside interface into the DMZ?
>
>----- Original Message -----
>From: "Chuck Balik" <cbalik@cox.net>
>To: <ccielab@groupstudy.com>
>Sent: Thursday, September 26, 2002 9:21 AM
>Subject: Fwd: Is this OK to implement? IPSec, PIX, VPN 3000
>
>
> > >Date: Thu, 26 Sep 2002 08:50:45 -0400
> > >To: ccielab@groupstudy.com, security@groupstudy.com
> > >From: Chuck Balik <cbalik@cox.net>
> > >Subject: Is this OK to implement? IPSec, PIX, VPN 3000
> > >
> > >Customer wants to put VPN3000 (both interfaces) and the network services
> > >DHCP/DNS/MailProxy/Radius ACS in one DMZ. The VPN users will come from
> > >outside of PIX and from PSTN into AS (it is in the DMZ behind the PIX) and
> > >into DMZ. The first problem I had was to put VPN3000's two interfaces
> > >outside and inside in the same subnet. I did not try the configs yet
> > >because I don't have the equipment. I will be having them soon, but I am
> > >trying to verify and get some solution ideas on this design. I just
> > >assumed that I can not put both VPN3000 interfaces in the same subnet. So,
> > >I did end up putting a router in the DMZ. Router is separating the VPN3000
> > >(outside interface) in one subnet. All the network services are behind
> > >the router in the DMZ in the other subnet. The VPN3000's internal
> > >interface will go behind the router to the other subnet in the DMZ.
> > >The question is only one port on PIX is utilized for this design. IPSec
> > >traffic coming from Internet has to bypass PIX into DMZ and go through the
> > >router in the second subnet of DMZ and terminate at VPN3000. Then
> > >unencrypted traffic comes out of the VPN3000 and goes back to other subnet of
> > >DMZ and goes to PIX (same interface that IPSec bypassed) to WWW. The VPN
> > >client that will be used is the VPN3000 Cisco Client.
> > >Does this work? Are there any security concerns or config concerns? Any
> > >input appreciated!! Any sample configs for PIX?
> > >
> > >Take Care
> > >
> > >
> > >   |
> > >   |
> > >   |
> > >Pix-----switch------router------VPN3000
> > >          |    |
> > >          |    |
> > >          |    ---------------------------DHCP/Radius
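A PIX 6.x configuration fragment of the kind Chuck is asking for, added here as an illustration; it is not from any message in this thread and not a Cisco sample. Interface names, access-list names and all addresses (RFC 5737 / RFC 1918 documentation ranges) are constructed; the concentrator's public interface is assumed to sit in the DMZ at 192.168.10.10 and to hand VPN clients addresses from 192.168.10.128/25.

```cisco
! Constructed example (PIX 6.x syntax), not from the thread.
! Assumed addressing: outside 203.0.113.0/24, dmz 192.168.10.0/24, inside 10.0.0.0/24
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
!
! One-to-one static for the VPN 3000 public interface. ESP carries no port
! numbers, so it survives a 1:1 translation but not a PAT (overloaded global).
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255 0 0
!
! From the Internet only IKE (UDP/500) and ESP (IP protocol 50) may reach the
! concentrator; add UDP/4500 only if NAT-T is enabled on the VPN 3000.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit esp any host 203.0.113.10
access-list outside_in permit udp any host 203.0.113.10 eq 4500
! Public mail and web front ends in the DMZ (constructed statics not shown).
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-list outside_in permit tcp any host 203.0.113.80 eq www
access-group outside_in in interface outside
!
! Decrypted client traffic arrives on the dmz interface sourced from the
! concentrator's address pool. The design keeps VPN users out of the internal
! network, so block the pool toward inside explicitly rather than relying on
! the lower security level alone; everything else from the DMZ may go outbound.
access-list dmz_in deny ip 192.168.10.128 255.255.255.128 10.0.0.0 255.255.255.0
access-list dmz_in permit ip 192.168.10.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

Two things worth checking against this layout. Traffic between the concentrator's private interface and the mail/WWW hosts stays on the DMZ segment and never crosses the PIX, so the dmz_in list cannot filter it; only the router in the DMZ sees it. And PIX releases before 7.0 do not forward packets back out the interface they arrived on, so decrypted client traffic that reaches the PIX on the dmz interface can be routed to inside or outside but not turned around into the DMZ itself, which is what the two-interface design in the Networkers presentation avoids.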



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:44:04 GMT-3