Firewall Wizards mailing list archives

RE: vpn end-point


From: "Claussen, Ken" <Ken () kccweb com>
Date: Thu, 18 Mar 2004 13:25:29 -0500

If possible I would end the VPN tunnel on the (edge) Router and then
pass the traffic through the firewall. This provides the ability to
set up rules for specific protocols/ports much more easily. If
terminating to a Pix firewall it becomes difficult to create access
lists for your VPN traffic. We used to dedicate one DMZ off the Pix for
the VPN traffic at a previous employer. This is easy if your Edge router
has an extra Ethernet port. Choose an RFC 1918 address range and create
a transit network between the router and the DMZ interface. Add a route
on the Edge router for the VPN traffic and set up firewall rules, voila.
This is assuming you can get a Triple DES image for your router and it
has the horsepower to handle the encryption/decryption. This will use a
LOT of CPU on the termination point. Usually Edge routers have more
available resources than firewalls in my experience. HTH.
Ken
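The router-side design Ken describes, as an added example (not from the post or the list): a Cisco IOS fragment for a main-office edge router that terminates one branch IPsec tunnel and hands the decrypted traffic to the PIX over a dedicated RFC 1918 transit network, so the firewall rule base sees it before it reaches the inside. All addresses, interface names, ACL and map names are assumed placeholders: branch LAN 10.1.0.0/16, main-office inside 10.2.0.0/16, transit link 172.16.255.0/30, peer router 203.0.113.1.

```cisco
! Main-office edge router (hypothetical addresses throughout)
! Outside: Serial0/0 198.51.100.2/30, default gateway 198.51.100.1
! Transit: FastEthernet0/1 172.16.255.1/30, PIX dmz interface 172.16.255.2
! Branch LAN 10.1.0.0/16, main-office inside network 10.2.0.0/16
!
crypto isakmp policy 10
 encryption 3des        ! Triple DES image as assumed in the post; current builds use AES
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_PRESHARED_KEY address 203.0.113.1
!
crypto ipsec transform-set BRANCH-TS esp-3des esp-sha-hmac
!
! Only inside<->branch traffic is "interesting" for the tunnel
ip access-list extended VPN-BRANCH1
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set BRANCH-TS
 match address VPN-BRANCH1
!
interface Serial0/0
 description Internet, branch peers terminate here
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN
!
interface FastEthernet0/1
 description transit network to PIX dmz interface (RFC 1918)
 ip address 172.16.255.1 255.255.255.252
!
! Decrypted branch traffic bound for the inside network is routed to the
! PIX dmz interface, not directly inside, so the firewall filters it.
ip route 10.2.0.0 255.255.0.0 172.16.255.2
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

The PIX needs a return route for 10.1.0.0/16 toward 172.16.255.1 on its dmz interface, and the access list applied to that dmz interface is where the per-protocol/port rules Ken mentions go.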

-----Original Message-----
From: Shimon Silberschlag [mailto:shimons () bll co il] 
Sent: Wednesday, March 17, 2004 10:23 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] vpn end-point


Having to design multiple branches to main offices VPN, with the
building block on the branch side limited to a router and a firewall,
what would be your choice of ending the VPN tunnel, on the router or on
the firewall?

Shimon Silberschlag

+972-3-9351572
+972-51-207130

_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards