Or, if you have enough NICs free, put both VPN NICs
behind the firewall.

Example (firewall has 4 NICs): outside, inside, dmz1 and
dmz2. Hope the diagram comes out ok.

outside
|        / Outside vpn nic. (dmz1)
firewall
|        \ Inside vpn nic. (dmz2)
inside

This way you can keep state of all connections: VPN
connections to the outside NIC, and connections
coming from the VPN to the internal network. You can
also filter to your heart's delight.

NOTE: you do need to make sure you are not using the auth
header (proto 51, I think) because of NATing issues.

Just open proto 50 and UDP 500 to the VPN. If you
can't set up a routable IP on the VPN's outside NIC, then
set up a static NAT from the outside to the VPN's
outside NIC. Also note that you will need to do NAT on
the VPN to give a path for the internal network to
route back through the VPN for remote users.

just a thought...

--- Brian Ford <[EMAIL PROTECTED]> wrote:
> Ivan,
> 
> You are correct in that the VPN3015 does not
> currently have a stateful firewall. It does support
> access control lists.
> 
> At this time there is no way to get through a
> VPN30xx concentrator other than using one of the VPN
> clients. To date there have been no compromises of
> that platform.
> 
> I would suggest you look at installing the VPN3015
> concentrator on a perimeter network off your existing
> firewall. That way the 3015 can be accessed by VPN
> clients on the Internet via its own public IP
> address. Any attempts to get through the concentrator
> would need to pass through the firewall, so you can
> enforce policy on anything that comes through the
> concentrator.
> 
> Liberty for All,
> 
> Brian
> 
> At 10:11 AM 10/16/2001 -0700, Ivan Lopez, TRI wrote:
> >Message: 11
> >From: "Ivan Lopez, TRI" <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: CISCO VPN CONCENTRATOR, USE BEHIND A FIREWALL?
> >Date: Tue, 16 Oct 2001 11:04:46 -0400
> >
> >We recently bought a Cisco VPN Concentrator 3015.
> >We've been told that since it does not have firewall
> >capabilities, it is not safe to have its outside
> >interface on the Internet side.
> >Is that true? Do we need to put a firewall in front
> >of it?
> >In that case, which ports need to be open?
> 
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls

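The four-NIC layout and the "open proto 50 and UDP 500" advice above, as an added example that is not part of the original messages: a small Python model of the firewall policy described in the reply, evaluating sample new connections after the static NAT. All addresses, zone sizes and the set of inside services are constructed assumptions; return packets of allowed connections are assumed to be handled by connection state, not by these rules.

```python
from ipaddress import ip_address, ip_network

# IP protocol numbers the thread refers to.
ESP, AH, UDP, TCP = 50, 51, 17, 6

# Constructed addressing for the four-NIC layout (assumptions, not from the thread).
ZONES = {
    "dmz1": ip_network("192.0.2.0/29"),    # VPN concentrator's outside NIC lives here
    "dmz2": ip_network("10.10.2.0/24"),    # VPN concentrator's inside NIC lives here
    "inside": ip_network("10.0.0.0/16"),   # internal network
}
VPN_OUTSIDE_NIC = ip_address("192.0.2.2")
PUBLIC_VPN_IP = ip_address("198.51.100.5")   # routable address on the firewall's outside
STATIC_NAT = {PUBLIC_VPN_IP: VPN_OUTSIDE_NIC}
INSIDE_SERVICES = {443, 993}                 # assumed services remote users may reach


def zone_of(ip):
    """Map an address to a firewall interface; anything unknown is 'outside'."""
    ip = ip_address(str(ip))
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


def evaluate(src, dst, proto, dport=None):
    """Return ('ALLOW'|'DROP', reason) for a new connection, after static NAT."""
    real_dst = STATIC_NAT.get(ip_address(dst), ip_address(dst))
    s_zone, d_zone = zone_of(src), zone_of(real_dst)
    if proto == AH:
        # AH authenticates the IP header, so the static NAT rewrite invalidates it.
        return "DROP", "AH (proto 51) does not survive NAT; use ESP only"
    if s_zone == "outside" and real_dst == VPN_OUTSIDE_NIC:
        if proto == ESP or (proto == UDP and dport == 500):
            return "ALLOW", "IPsec (ESP + IKE on UDP/500) to the VPN outside NIC"
        return "DROP", "only ESP and UDP/500 may reach the VPN outside NIC"
    if s_zone == "dmz2" and d_zone == "inside":
        # Decrypted remote-user traffic enters here and is filtered like any DMZ.
        if proto == TCP and dport in INSIDE_SERVICES:
            return "ALLOW", "published inside service"
        return "DROP", "remote users limited to published inside services"
    return "DROP", "no matching rule"


if __name__ == "__main__":
    for pkt in [("203.0.113.9", "198.51.100.5", ESP, None),
                ("203.0.113.9", "198.51.100.5", AH, None),
                ("10.10.2.7", "10.0.5.20", TCP, 445)]:
        print(pkt, "->", evaluate(*pkt))
```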