[vpn] RE: VPN Setup

Pete Davis pete at ether.net
Mon Dec 31 13:53:13 EST 2001

In general for this type of configuration, you would put the VPN3000 off
the FW1 on the public interface and off the private network for the private
interface.  For remote access usesr, you would either assign addresses using
DHCP or an address pools.  For same subnet addresses, the Concentrator will
proxy ARP for these addresses.  If you are using an address pool on a 
different subnet, you would either need to announce this subnet with a routing
protocol (i.e. using Reverse Route Injection) or add a static route for this
subnet on your FW1 private side, pointing to the VPN 3000 private side

If the 7200 or FW1 are blocking traffic, they need to permit
the following protocols/ports to the VPN 3000
ESP (Protocol 50) inbound 
UDP (Port 500 destination) inbound
UDP (Port 10,000 destination) inbound [ only if you're using IPsec/UDP ]
TCP (port 10,000 or whatever ports you allow for IPsec/TCP)
Output, you would permit anything from the VPN3000 out.

The tunnel default gateway on your VPN3000 should point to the private interface
IP of the FW doing PAT (FW-1).

The Concentrator will need a routable private address either accomplished
by assigning a routable subnet to this FW-1 interface you have configured,
or by performing 1:1 NAT on your FW-1.  If you are using 1:1 NAT, you will
be unable to support the current version of the MS L2TP/IPsec client for
incoming remote access users.

Best Regards,

> We would like to put the Cisco VPN 3000 Gateway like this:
>            DMZ
>             |
>             |
> Private===FW1=====Catalyst2900==Cisco_Router_7200====Internet
>             |              |
>             |====VPN3000===|
> Questions:
> =========
> 1) Is this good solution (security, performance, .....)
> 2) FW1 is CheckPoint Firewall 1 with 4 interface (all are in different
> subnet):
>             -One connected to private Network
>             -One to Catalyst 2900
>             -One to DMZ
>             -One we like to connect it to VPN 3000
>       What did I need to open (rule) on FW-1 to make the VPN working.
> 3) What access-list I need to put on Cisco 7200 ?
> Private: Catalyst 5500 + RSM
> VPN Gateway: Cisco VPN 3000 (Software Version 3.5)
> FW-1: Checkpoint FW-1 ver. 4.1 SP2
> Router: Cisco Router 7200 (version 12.X)
> VPN Client: Software Client / Hardware client 3002 (Software Version 3.5)
> Thanks
> _________________________________________________________________
> Send and receive Hotmail on your mobile device: http://mobile.msn.com
> VPN is sponsored by SecurityFocus.com

     Pete Davis - Product Manager <psd at cisco.com>  (508) 541-7300 x6154
         Cisco Systems, Inc.  - 38 Forge Park   Franklin, MA 02038

VPN is sponsored by SecurityFocus.com

More information about the VPN mailing list