I have found it easier, and perhaps easier to audit, if you have the VPN
box reside in parallel on the outside, but terminate the inside of the
VPN box in one of your firewalls' DMZ sections.

This allows you to place firewall rules on all traffic coming through
and report easily on them. It also keeps one DG for all traffic (if you
presently only have your firewall).

If you only have one firewall, however, it does introduce another single
point of failure.

Symon

-----Original Message-----
From: Joseph Brunner [mailto:[EMAIL PROTECTED] 
Sent: 04 April 2003 19:13
To: [EMAIL PROTECTED]
Subject: RE: VPN CONCENTRATOR Parallel FW [7:66819]


No. Read what the tunnel default gateway does (from the concentrator
page where you set it):

"Enter the IP address of the default gateway or router for tunnels.
Enter 0.0.0.0 for no default router."

This is used to have a different gateway for IPsec tunnels than for IP
routing.

What we are discussing is how servers with two possible next hops, a pix
and a vpn, will determine which to use for what subnets.

The servers (defaulted to the PIX) have to bypass it to speak to remote
subnets (and use the concentrator instead). A common workaround (one I
used to employ) was NT route add statements for each subnet that should
"bypass" the PIX, their default gateway, and use the concentrator
instead. A better and more scalable solution is to put a router between
the concentrator and PIX internal segment, and the servers.

INBOUND
For inbound Internet and inbound IPsec tunnel traffic back,
the PIX and the VPN concentrator have a route to the "server's subnet"
with the router as the next hop.

OUTBOUND
Subnets reachable via the VPN 3000 are routed to the VPN concentrator's
private interface, while a default route for outbound Internet traffic
points towards the PIX.
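The two-next-hop problem described above, modelled as an added example (not code from the thread): a longest-prefix-match lookup over constructed routing tables for the three designs (servers defaulted to the PIX, per-server route adds, and a router holding the specific routes), plus the return path the INBOUND paragraph calls for. All addresses are constructed and hypothetical.

```python
# Added example: longest-prefix-match model of the "two possible next hops"
# problem. All addresses are constructed: servers on 10.1.0.0/24, remote VPN
# subnets 10.2.0.0/16 and 10.3.0.0/16, PIX inside 10.1.0.1, VPN 3000 private
# interface 10.1.0.2, and the extra router 10.1.0.3 (hypothetical values).
from ipaddress import ip_address, ip_network

PIX, VPN, ROUTER = "10.1.0.1", "10.1.0.2", "10.1.0.3"
SERVER_SUBNET = "10.1.0.0/24"
VPN_SUBNETS = ["10.2.0.0/16", "10.3.0.0/16"]


def next_hop(table, dst):
    """Gateway for dst by longest prefix match over (prefix, gateway) pairs."""
    addr = ip_address(dst)
    best = None
    for prefix, gateway in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


# 1. Servers default to the PIX and know nothing else (the problem).
SERVER_DEFAULT_ONLY = [("0.0.0.0/0", PIX)]
# 2. Per-subnet "route add" on every server (the workaround; one entry per subnet per server).
SERVER_ROUTE_ADDS = [("0.0.0.0/0", PIX)] + [(s, VPN) for s in VPN_SUBNETS]
# 3. Servers default to a router that holds the specific routes (the scalable design).
SERVER_VIA_ROUTER = [("0.0.0.0/0", ROUTER)]
ROUTER_TABLE = [("0.0.0.0/0", PIX), (SERVER_SUBNET, "connected")] + [(s, VPN) for s in VPN_SUBNETS]
# Return paths for design 3: PIX and concentrator reach the server subnet via the router.
PIX_TABLE = [("0.0.0.0/0", "internet"), (SERVER_SUBNET, ROUTER)]
VPN_TABLE = [(SERVER_SUBNET, ROUTER)] + [(s, "tunnel") for s in VPN_SUBNETS]


def egress_device(server_table, dst):
    """Which box forwards a server's packet off the LAN: 'pix' or 'concentrator'.
    If the server's next hop is the router, resolve once more in the router's table."""
    hop = next_hop(server_table, dst)
    if hop == ROUTER:
        hop = next_hop(ROUTER_TABLE, dst)
    return {PIX: "pix", VPN: "concentrator"}.get(hop, hop)


def return_hop(device_table, server_ip):
    """Next hop the PIX or the concentrator uses for traffic back to a server."""
    return next_hop(device_table, server_ip)


if __name__ == "__main__":
    designs = [("default only", SERVER_DEFAULT_ONLY), ("route adds", SERVER_ROUTE_ADDS),
               ("via router", SERVER_VIA_ROUTER)]
    for name, table in designs:
        print(f"{name:13} VPN subnet -> {egress_device(table, '10.2.5.5')}, "
              f"Internet -> {egress_device(table, '198.51.100.7')}")
```

Design 1 sends remote-subnet traffic to the PIX, which is the symptom the thread starts from; designs 2 and 3 both steer it to the concentrator, but only design 3 keeps a single entry per server.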
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66906&t=66819