This chapter describes how to use the Ethernet ports, set an IPsec gateway, and configure a firewall to allow VPN traffic. VPN traffic consists of IPsec packets only; it does not include normal IP traffic, such as routing updates.
You can place the VPN 5001 concentrator behind your firewall using one Ethernet port, or you can place the concentrator in parallel with the firewall, with one port in front and one port behind. The following sections describe how to use each configuration.
When you use both Ethernet ports, Ethernet 1 is a VPN-only port. The VPN-only port accepts secure VPN traffic, so you can place this port in front of the firewall and still maintain security. Ethernet 0 connects to the network behind the firewall, as shown in Figure 4-1.

Use a VPN-only port in conjunction with the IPsec gateway, as described in the "Identifying an IPsec Gateway for Ethernet 1" section.
Note: The VPN-only port can respond to certain ICMP requests, such as ping and traceroute.
If you do not have a second Ethernet network in front of the firewall, connect Ethernet 0 to the network behind the firewall and leave Ethernet 1 unconnected, as shown in Figure 4-2.

Identify the Internet gateway address where you want the concentrator to send all VPN traffic from the VPN-only port, Ethernet 1. This router IP address is called the IPsec gateway and must be on the same subnet as Ethernet 1. You can specify only one IPsec gateway for the concentrator.
Follow these steps to identify the IPsec gateway:

| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure General | Allows you to configure the General section. |
| Step 2 | IPsecGateway = IP_Address | IP_Address is the address of the router where you want to send all VPN traffic. |

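
A pre-flight check for the constraints stated above (exactly one IPsec gateway, on the same subnet as Ethernet 1), written as an added example that is not part of the original Cisco documentation. The function names, the CIDR form of the Ethernet 1 address, and the sample addresses are assumptions; the own-address and network/broadcast checks are extra sanity checks beyond what the page states.

```python
import ipaddress

def check_ipsec_gateway(eth1_cidr, gateways):
    """Return a list of problems; an empty list means the gateway is usable.

    eth1_cidr: Ethernet 1 address with prefix, e.g. "192.0.2.10/24" (assumed input form).
    gateways:  candidate IPsec gateway addresses; the concentrator accepts only one.
    """
    problems = []
    if len(gateways) != 1:
        problems.append(f"expected exactly one IPsec gateway, got {len(gateways)}")
    eth1 = ipaddress.ip_interface(eth1_cidr)
    net = eth1.network
    for raw in gateways:
        try:
            gw = ipaddress.ip_address(raw)
        except ValueError:
            problems.append(f"{raw}: not a valid IP address")
            continue
        if gw.version != eth1.version or gw not in net:
            # The page's requirement: gateway must share Ethernet 1's subnet.
            problems.append(f"{raw}: not on the Ethernet 1 subnet {net}")
        elif gw == eth1.ip:
            problems.append(f"{raw}: is Ethernet 1's own address, not a router")
        elif net.prefixlen < 31 and gw in (net.network_address, net.broadcast_address):
            # On /31 links both addresses are usable hosts, so skip this check there.
            problems.append(f"{raw}: is the subnet's network or broadcast address")
    return problems

def gateway_commands(eth1_cidr, gateway):
    """Build the two commands from the steps above, refusing an invalid gateway."""
    problems = check_ipsec_gateway(eth1_cidr, [gateway])
    if problems:
        raise ValueError("; ".join(problems))
    return ["configure General", f"IPsecGateway = {gateway}"]

if __name__ == "__main__":
    eth1 = "192.0.2.10/24"  # constructed sample from a documentation address range
    for candidate in ("192.0.2.1", "198.51.100.1", "192.0.2.255"):
        print(candidate, check_ipsec_gateway(eth1, [candidate]) or "ok")
```
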
If you are using only Ethernet 0 behind a firewall, configure the firewall to allow VPN packets for the following tunnel types:
See the guide that came with your firewall for configuration information.
Posted: Wed Sep 27 10:14:24 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.