VPN+DMZ+FWL standard practice
itdaddy (Member, Posts: 2,089)
Hey guys, I need your guidance.
I have VPN devices and I see some were set to be directed through the FWL (ASA 5510),
and some of course hit the DMZ and then the LAN side of the VPN device got plugged into the
LAN side, with no direct routing through the ASA, which is standard practice. I kind of like
the direct routing through the FWL. Not because it can scan it, because obviously it cannot scan VPN traffic, but because of the complex routing through the FWL directing it to the exact LAN next-hop host, you know what I mean, vs. having it plugged into the entire LAN subnet, where, if it got hacked, it could maybe go anywhere on the network. Having it go through the FWL and be directed: is that the better option when a VPN device is configured into your network off the DMZ?
What is the best way and most secure? And are there any examples or documentation out there by chance?
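One way to express the "direct it through the firewall" option itdaddy prefers, as an added example that is not from the thread or from Cisco's documentation: the VPN device's LAN-side port lives on the ASA's DMZ segment, and an inbound ACL on that segment limits decrypted remote-user traffic to named internal hosts and ports instead of the whole LAN. Interface names, addresses, hosts and ports are hypothetical placeholders; ASA 8.3-or-later object syntax is assumed.

```cisco
! Added example (not from the thread): ASA 5510 policy for the design where the
! VPN device's LAN-side port sits on the ASA's DMZ segment rather than being
! plugged straight into the internal LAN. All names and addresses are placeholders.
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
! Address pool handed to remote users by the VPN device (decrypted traffic source)
object network VPN_USER_POOL
 subnet 10.99.0.0 255.255.255.0
!
! The VPN device's LAN-side interface, which now lives on the DMZ segment
object network VPN_DEVICE_LAN
 host 192.168.50.10
!
! The only internal hosts remote users are allowed to reach
object-group network VPN_ALLOWED_HOSTS
 network-object host 10.10.0.20
 network-object host 10.10.0.25
!
! Return traffic for the remote-user pool goes back via the VPN device
route dmz 10.99.0.0 255.255.255.0 192.168.50.10 1
!
! Inbound policy on the DMZ interface: permit only the named hosts/ports,
! deny and log everything else so a compromised VPN device cannot roam the LAN
access-list DMZ_IN extended permit tcp object VPN_USER_POOL object-group VPN_ALLOWED_HOSTS eq 443
access-list DMZ_IN extended permit tcp object VPN_USER_POOL object-group VPN_ALLOWED_HOSTS eq 3389
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

Replies from the inside hosts are allowed back by the ASA's stateful inspection, so no matching inside-to-dmz rule is needed; the `deny ... log` line is what gives you visibility into anything the VPN segment tries beyond the permitted hosts.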
Comments
shodown (Member, Posts: 2,271)
Design Zone for Security - Cisco Systems
This is the link to the Cisco Design Zone for Security. You can find out where you fit in there. They have a ton of information from which you can decide how best to set up your network. They have examples and lots of configs. The only problem is they want you to do it all the Cisco way, but nonetheless you can get a good start from here.
Currently Reading: CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
itdaddy (Member, Posts: 2,089)
Wow shodown, that is a lot of research. I will look around, but I thought maybe there is a best practice. I like the fact that if going through the firewall I have control as to where it goes directly to, only, vs. giving it a LAN IP and letting it access an entire subnet. Thanks.
itdaddy (Member, Posts: 2,089)
Let me get back with you on a Visio. I have to get one together for work so I can explain myself to a CCIE that is coming into my work,
but yeah, will do...