1. Understanding PIX Firewall VPN Topologies
The PIX Firewall enables VPNs in several topologies as illustrated in the figure:
• PIX to PIX secure VPN gateway—Two or more PIX Firewalls can enable a VPN, which secures traffic from devices behind the PIX Firewalls. The secure VPN gateway topology prevents the user from having to implement VPN devices or software inside the network, making the secure gateway transparent to users.
• PIX to Cisco IOS router secure VPN gateway—The PIX Firewall and Cisco router, running Cisco Secure VPN software, can interoperate to create a secure VPN gateway between networks.
• Cisco Secure VPN Client to PIX via dialup—The PIX Firewall can become a VPN endpoint for the Cisco Secure VPN Client over a dialup network. The dialup network can consist of ISDN, public switched telephone network (analog modem), or digital subscriber line communication channels.
• Cisco Secure VPN Client to PIX via network—The PIX Firewall can become a VPN endpoint for the Cisco Secure VPN Client over an IP network.
• Other vendor products to PIX—Products from other vendors can connect to the PIX Firewall if they conform to open VPN standards.
A VPN itself can be constructed in a number of scenarios. The most common are:
• Internet VPN—A private communications channel over the public access Internet. This type of VPN can be divided into:
   • Connecting remote offices across the Internet.
   • Connecting remote dial users to their home gateway via an ISP (sometimes called a VPDN, Virtual Private Dial Network).
• Intranet VPN—A private communication channel within an enterprise or organization that may or may not involve traffic traversing a WAN.
• Extranet VPN—A private communication channel between two or more separate entities that may involve data traversing the Internet or some other WAN.
In all cases the VPN or tunnel consists of two endpoints that may be represented by PIX Firewalls, Cisco routers, individual client workstations running the Cisco Secure VPN Client, or other vendors’ VPN products that conform to open standards.
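As an added illustration of the first topology above (PIX to PIX secure VPN gateway), the following PIX 6.3 configuration for one of the two gateways is example configuration, not part of the original article or of Cisco's documentation. All addresses are constructed for the example: the local protected network 10.1.1.0/24, the remote protected network 10.2.2.0/24 behind the peer PIX, and the peer's outside address 203.0.113.2. The pre-shared key is a placeholder to be replaced. The peer PIX needs the mirror-image configuration (networks and peer address swapped).

```cisco
! Site A PIX 6.3: IPsec tunnel to the PIX at site B (constructed addresses)
! "Interesting traffic": only packets between the two protected networks are encrypted
access-list vpn_traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Exempt the tunnelled traffic from NAT so hosts keep their private addresses across the VPN
nat (inside) 0 access-list vpn_traffic

! Let traffic that arrived through the IPsec tunnel bypass the outside interface access list
! (omit this line if decrypted traffic should instead be filtered by the outside ACL)
sysopt connection permit-ipsec

! IKE phase 1 (ISAKMP) policy and pre-shared key for the peer
isakmp enable outside
isakmp key REPLACE-WITH-PRE-SHARED-KEY address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IKE phase 2 (IPsec) transform set and crypto map bound to the outside interface
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map site_b 10 ipsec-isakmp
crypto map site_b 10 match address vpn_traffic
crypto map site_b 10 set peer 203.0.113.2
crypto map site_b 10 set transform-set strong
crypto map site_b interface outside
```

Two points a reviewer of such a configuration checks: the `nat (inside) 0` exemption must reference the same networks as the crypto map's `match address` list, or the encrypted packets carry translated source addresses that the peer does not expect; and `sysopt connection permit-ipsec` exempts decrypted tunnel traffic from the outside interface's access list, so where tighter inbound filtering is wanted that line is left out and the permitted traffic is listed explicitly in the interface ACL. Tunnel state can be verified with `show isakmp sa` and `show crypto ipsec sa` once traffic matching the interesting-traffic list is sent.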
Author: miguel lopez, 23 Dec 2008
Nice article. Could you explain if you are able to use a PIX firewall as both your firewall and VPN endpoint, and if so, how? What I need to do is terminate a VPN tunnel on a PIX firewall and also limit the incoming traffic to specific hosts on a separate ACL that is not the interesting traffic ACL of the VPN tunnel. For example: I want to allow users from 192.168.1.0 255.255.255.0 to access an internal host of 10.10.10.1, but they will need to use an external IP of 206.83.198.10, and that will have a static entry to 10.10.10.1, the real address of the internal host. Is it possible to have two ACLs, one for the interesting traffic and one only allowing more specific ports to internal resources? Thanks in advance.
Miguel