We recently bought a Cisco VPN Concentrator 3015.
We've been told that since it does not have firewall capabilities, it is
not safe to have its outside interface on the Internet side.
Is that true? Do we need to put a firewall in front of it?
In that case, which ports need to be open?
This
the firewall, so you can enforce policy on anything that comes
through the concentrator.
Liberty for All,
Brian
At 10:11 AM 10/16/2001 -0700, Ivan Lopez, TRI wrote:
Message: 11
From: Ivan Lopez, TRI [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: CISCO VPN CONCENTRATOR, USE BEHIND A FIREWALL?
Date: Tue
: CISCO VPN CONCENTRATOR, USE BEHIND A
FIREWALL?
Date: Tue, 16 Oct 2001 11:04:46 -0400
We recently bought a Cisco VPN Concentrator 3015.
We've been told that since it does not have
firewall capabilities, it is
not safe to have its outside interface on the
Internet side.
Is that true? Do we
You could do this but if you did you would have to
configure the firewall
outside interface to pass VPN traffic.
Yes, and no. Yes, I am passing VPN traffic, but it's not
bound for the outside IP of the firewall; it's bound
for the static NAT rule, which xlats the external to
the outside IP of
G'day,
I don't like the solution that loops the VPN traffic through the
firewall twice. I can't see any real security gain, and there is a big
complexity loss. If you were to use NAT, as Bob suggested, then it's
even worse, because you have all the VPN / NAT issues. Yes, the Cisco
concentrators
Well, I like the fact that you still only have one
access point, the firewall. You don't have to worry
about the upstream router having a correct
access-list (deny anything but IPsec traffic to and
from the VPN). I can see where this goes totally
against K.I.S.S., but I still really like it.
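
The upstream-router access list that the last message refers to, sketched as an added example that is not part of the original thread. It assumes the concentrator sits beside the firewall with plain IPsec only (IKE on UDP 500 and ESP, IP protocol 50); the address 192.0.2.10, the ACL numbers and the interface names are placeholders.

```cisco
! Constructed example: 192.0.2.10 stands in for the concentrator's public
! interface; ACL numbers and interface names are assumptions.
!
! Inbound from the Internet: only IKE and ESP may reach the concentrator.
access-list 110 permit udp any host 192.0.2.10 eq isakmp
access-list 110 permit esp any host 192.0.2.10
access-list 110 deny   ip any host 192.0.2.10 log
! Traffic for other hosts is left to the firewall's own policy.
access-list 110 permit ip any any
!
! Outbound: the concentrator may send only IKE and ESP.
access-list 111 permit udp host 192.0.2.10 eq isakmp any
access-list 111 permit esp host 192.0.2.10 any
access-list 111 deny   ip host 192.0.2.10 any log
access-list 111 permit ip any any
!
interface Serial0
 description Internet-facing link (assumed name)
 ip access-group 110 in
!
interface Ethernet0
 description Segment shared by firewall and concentrator (assumed name)
 ip access-group 111 in
```

The logged deny lines give a record of anything other than IPsec aimed at or sent from the concentrator, which is the check this design otherwise depends on someone remembering to maintain.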