Re: Is this OK to implement? IPSec, PIX, VPN 3000

From: Bob Rech (brech@kc.rr.com)
Date: Thu Sep 26 2002 - 13:39:36 GMT-3


You may want to reference the Cisco SAFE documentation at cisco.com/go/safe. Most
of the designs in that doc show VPN concentrators connected in parallel, using a
router with the IOS firewall feature set outside the VPN and PIX.

----- Original Message -----
From: "Chuck Balik" <cbalik@cox.net>
To: "Chris" <clarson52@comcast.net>; <ccielab@groupstudy.com>
Sent: Thursday, September 26, 2002 11:12 AM
Subject: Re: Is this OK to implement? IPSec, PIX, VPN 3000

> Chris, you are asking a good question. I kept recommending this too but
> the customer is kind of demanding. The customer says if I cannot put
> everything behind the PIX, I have to give them good reasons. I just could
> not find any. The PIX they have is the largest one too. So it can handle
> all the email and WWW traffic plus IPSec bypass. Plus I forgot to state in
> my original email that the only services we are going to provide for VPN
> customers are Mail and WWW. The mail server will also reside in the DMZ. No
> VPN customers will go in their internal network yet. Traffic will be
> between external to DMZ and DMZ to external. External traffic will be Mail
> and WWW only.
> Key point here is letting IPSec traffic go in the DMZ to terminate on the
> VPN and the user traffic coming back out on the same PIX interface. From
> the security point of view I think it seems OK but I am not sure. Plus the
> config samples I am looking for, like letting IPSec bypass the PIX. I am
> assuming just letting ESP and ISAKMP go from outside to DMZ, then the VPN
> users will have one of the DMZ subnet addresses that the VPN3000 inside
> interface resides on.
> I also read a Cisco Networkers VPN guide PowerPoint presentation. There,
> there was a design showing that both of the VPN3000's interfaces are behind the
> PIX, going to two different interfaces. The VPN3000 hangs on the PIX utilizing two
> of the PIX's interfaces. So, go figure, Cisco says this is very secure but
> complex to configure.
>
>
> At 11:39 AM 9/26/2002 -0400, Chris wrote:
> >Why don't you just put the concentrator outside interface in parallel with
> >the pix and the inside interface into the DMZ?
> >
> >
> >
> >
> >
> >
> >----- Original Message -----
> >From: "Chuck Balik" <cbalik@cox.net>
> >To: <ccielab@groupstudy.com>
> >Sent: Thursday, September 26, 2002 9:21 AM
> >Subject: Fwd: Is this OK to implement? IPSec, PIX, VPN 3000
> >
> >
> > > >Date: Thu, 26 Sep 2002 08:50:45 -0400
> > > >To: ccielab@groupstudy.com, security@groupstudy.com
> > > >From: Chuck Balik <cbalik@cox.net>
> > > >Subject: Is this OK to implement? IPSec, PIX, VPN 3000
> > > >
> > > >Customer wants to put VPN3000 (both interfaces) and the network services
> > > >DHCP/DNS/MailProxy/Radius ACS in one DMZ. The VPN users will come from
> > > >outside of PIX and from PSTN into AS (it is in the DMZ behind the PIX) and
> > > >into DMZ. The first problem I had was to put VPN3000's two interfaces
> > > >outside and inside in the same subnet. I did not try the configs yet
> > > >because I don't have the equipment. I will be having them soon, but I am
> > > >trying to verify and get some solution ideas on this design. I just
> > > >assumed that I cannot put both VPN3000 interfaces in the same subnet. So,
> > > >I did end up putting a router in the DMZ. Router is separating the VPN3000
> > > >(outside interface) in one subnet. All the network services are behind
> > > >the router in the DMZ in the other subnet. The VPN3000's internal
> > > >interface will go behind the router to the other subnet in the DMZ.
> > > >The question is only one port on PIX is utilized for this design. IPSec
> > > >traffic coming from Internet has to bypass PIX into DMZ and go through the
> > > >router in the second subnet of DMZ and terminate at VPN3000. Then
> > > >unencrypted traffic comes out of the VPN3000 and goes back to the other subnet of
> > > >DMZ and goes to PIX (same interface that IPSec bypassed) to WWW. The VPN
> > > >client that will be used is VPN3000 Cisco Client.
> > > >Does this work? Are there any security concerns or config concerns? Any
> > > >input appreciated!! Any sample configs for PIX?
> > > >
> > > >Take Care
> > > >
> > > >
> > > >|
> > > >|
> > > >|
> > > >Pix-----switch------router------VPN3000
> > > > | |
> > > > | |
> > > > | ---------------------------DHCP/Radius
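Below is an added example of the "IPSec bypass" PIX configuration the thread asks for; it is not from any of the posters and not a Cisco sample. It uses PIX 6.x-style syntax and the single-DMZ layout in the diagram: the PIX dmz port faces a first subnet holding the VPN3000 outside interface and a router, and a second subnet behind that router holds the VPN3000 inside interface, the mail server and the client address pool. Every address and name (203.0.113.0/24, 192.168.10.0/24, 192.168.11.0/24, outside_in, dmz_in) is a constructed placeholder; the lines beginning with "!" are explanatory notes to strip before pasting, since PIX 6.x does not treat them as comments. The point it makes beyond the thread is that, once ESP is allowed through, the PIX only sees ciphertext on the outside interface, so the dmz-interface ACL is the one place where "Mail and WWW only" for VPN users is actually enforced.

```cisco
! Added example (not from this thread). PIX 6.x style, constructed addresses.
! outside  203.0.113.1/24     Internet-facing interface
! dmz      192.168.10.1/24    first DMZ subnet: VPN3000 outside (.10), router (.2)
! behind router  192.168.11.0/24: VPN3000 inside, mail server (.20),
!                                 VPN client pool 192.168.11.128/25
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! The second DMZ subnet is reached through the router at 192.168.10.2
route dmz 192.168.11.0 255.255.255.0 192.168.10.2 1

! 1) One-to-one translations: only the concentrator's outside interface and
!    the mail server get a public address; nothing else in the DMZ is exposed
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.20 192.168.11.20 netmask 255.255.255.255

! 2) "IPSec bypass": from the Internet, only ISAKMP (UDP/500) and ESP may reach
!    the VPN3000; the PIX cannot inspect what is inside the tunnel
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit esp any host 203.0.113.10
! Add UDP/4500 only if NAT-T is enabled on the VPN3000 for clients behind NAT:
! access-list outside_in permit udp any host 203.0.113.10 eq 4500
! Internet mail to the DMZ mail server
access-list outside_in permit tcp any host 203.0.113.20 eq smtp
access-group outside_in in interface outside

! 3) Decrypted client traffic re-enters the PIX on the dmz interface, so this
!    ACL is what limits VPN users to WWW toward the Internet and keeps them
!    out of the inside network. Client-to-mail-server traffic stays on the
!    192.168.11.0/24 segment behind the router and never crosses the PIX.
access-list dmz_in permit tcp 192.168.11.128 255.255.255.128 any eq www
access-list dmz_in permit tcp 192.168.11.128 255.255.255.128 any eq 443
! Mail server may relay outbound
access-list dmz_in permit tcp host 192.168.11.20 any eq smtp
! Everything else from the DMZ, including the pool toward inside, is dropped
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! 4) Pool and mail server need a translation to leave through outside
nat (dmz) 1 192.168.11.0 255.255.255.0
global (outside) 1 interface
```

Two checks worth doing against the design once the hardware arrives: confirm with `show conn` that VPN client sessions appear on the PIX as plain TCP from the pool range (that is the evidence the PIX is filtering the decrypted flow rather than blindly passing it), and confirm that the RADIUS, DNS and DHCP servers on the second subnet have no `static` entry, so they are reachable from the Internet only through the concentrator.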



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:44:04 GMT-3