Re: CISCO VPN CONCENTRATOR, USE BEHIND A FIREWALL?

2001-10-16 Thread Brian Ford
Ivan, you are correct in that the VPN3015 does not currently have a stateful firewall. It does support access control lists. At this time there is no way to get through a VPN30xx concentrator other than using one of the VPN clients. To date there have been no compromises of that platform.

Re: CISCO VPN CONCENTRATOR, USE BEHIND A FIREWALL?

2001-10-16 Thread bob bobing
Or, if you have enough NICs free, put both VPN NICs behind the firewall. Example (firewall has 4 NICs): outside, inside, dmz1 and dmz2. Hope the diagram comes out ok.

    outside
       |   / Outside VPN NIC (dmz1)
    firewall
       |   \ Inside VPN NIC (dmz2)
    inside

This way you can keep state of all

Re: CISCO VPN CONCENTRATOR, USE BEHIND A FIREWALL?

2001-10-16 Thread Brian Ford
Bob, you could do this, but if you did you would have to configure the firewall outside interface to pass VPN traffic. If you configure the firewall to pass VPN traffic, you lose the capability of using that outside firewall interface to terminate site-to-site VPN connections. I like leaving

Re: CISCO VPN CONCENTRATOR, USE BEHIND A FIREWALL?

2001-10-16 Thread bob bobing
> You could do this but if you did you would have to configure the firewall outside interface to pass VPN traffic.

Yes and no. Yes, I am passing VPN traffic, but it's not bound for the outside IP of the firewall; it's bound for the static NAT rule, which xlats the external to the outside IP of

RE: CISCO VPN CONCENTRATOR, USE BEHIND A FIREWALL?

2001-10-16 Thread Ben Nagy
G'day, I don't like the solution that loops the VPN traffic through the firewall twice. I can't see any real security gain, and there is a big complexity loss. If you were to use NAT, as Bob suggested, then it's even worse, because you have all the VPN / NAT issues. Yes, the Cisco concentrators

RE: CISCO VPN CONCENTRATOR, USE BEHIND A FIREWALL?

2001-10-16 Thread bob bobing
Well, I like the fact that you still only have one access point, the firewall. You don't have to worry about the upstream router having a correct access-list (deny anything but IPsec traffic to and from the VPN). I can see where this goes totally against K.I.S.S., but I still really like it.