Doubts about firewall Cisco PIX as VPN termination device

Graeme Rider Graeme.Rider at COLESMYER.COM.AU
Wed Jan 17 15:57:08 EST 2001 can terminate a VPN connection on the firewall but:
	1.	a VPN connection is CPU and memory hungry
	2.	it is not good practice to do so as any compromise of a VPN
connection can also compromise the friewall
best practices is to pass the vpn connection through the firewall onto an
endpoint on a seperate subnet, then pass the connection back through the
firewall to allow you to limit where they go....
graeme rider

-----Original Message-----
From: Venicio Vilas-Bôas [mailto:venicio_boas at BR.SCHINDLER.COM]
Sent: Wednesday, 17 January 2001 22:51
Subject: Doubts about firewall Cisco PIX as VPN termination device

     We have a firewall Cisco PIX. We would like to implement remote
access. I read at FAQs that " by doing VPN on an existing firewall, you add
some intense processing to a device whose original purpose was simply
speaking, to control network access" and I also read that " because of
security reasons we don't recommend to use the PIX as VPN termination
device"  Then  I have some doubts:

1 ) Can I use or not firewall Cisco PIX as VPN termination device ? What is
the security reasons for not using firewall Cisco PIX as a VPN termination
device ?

2) How many VPN sessions a firewall Cisco PIX support ?

3 ) I have a documentation from Cisco denominated "An introduction to IP
Security (IPSec) Encryption" , which shows how configure firewall IKE. This
documentation permits configure ISAKMP SA using pre-shared Keys or CA. I
would like to know  whether this documentation is enough for configure
firewall Cisco PIX  as a VPN trermination device or I need another
documentation ?

4 ) What differences among using firewall Cisco PIX and Cisco CVPN 3005 as
VPN termination devices?

I am look forward to hearing from you and thank you in advance for your


VPN is sponsored by SecurityFocus.COM

This email and any attachments may contain privileged and
confidential information and are intended for the named
addressee only.  If you have received this e-mail in error,
please notify the sender and delete this e-mail immediately.
Any confidentiality, privilege or copyright is not waived or
lost because this e-mail has been sent to you in error.  It
is your responsibility to check this e-mail and any
attachments for viruses.

VPN is sponsored by SecurityFocus.COM

More information about the VPN mailing list