VPN pass thru benefits?

itdaddy Senior Member Posts: 2,089
hey guys
we have some vpns set up at work that are fwl vpn passthru and some not. but
the benefit of vpn passthru is ACL filtering (limiting what the vpn can do?)
but I am confused because the vpn is established thru the fwl, so how can a vpn be allowed thru a fwl and be an IPSEC tunnel? I guess I
do not understand having a vpn hit your dmz and then go thru an asa 5510 and then
come out thru the vpn device and then have a lan side in a vpn? huh?

Comments

  • instant000 Member Posts: 1,745
    itdaddy wrote: »
    hey guys
    we have some vpns set up at work that are fwl vpn passthru and some not. but
    the benefit of vpn passthru is ACL filtering (limiting what the vpn can do?)
    but I am confused because the vpn is established thru the fwl, so how can a vpn be allowed thru a fwl and be an IPSEC tunnel? I guess I
    do not understand having a vpn hit your dmz and then go thru an asa 5510 and then
    come out thru the vpn device and then have a lan side in a vpn? huh?

    Good evening.

    I believe you asked this question before. I'm of the mindset that the VPN should be terminated outside the firewall. One of the main reasons I've seen people use for making VPNs go through firewalls is laziness. (They don't want to worry about filtering the traffic based upon all the ports and networks that the apps may need to work properly.) It also makes you less secure, as all that encrypted traffic is most definitely not inspected by the firewall. If you ever sniff that traffic, it should look like gibberish, which means that your firewall won't be able to inspect it.

    There is a balancing act.

    I believe Donahue said you could always get two out of three:
    1. Cheap
    2. Working
    3. Secure

    It seems that your setup has chosen 1 and 2. (Note that cheap doesn't necessarily mean just money, it could also mean time, and time costs money, too!)

    Since I've commented on this topic before, and voiced my opinion before, I don't want to sound like I'm beating you down about this. If you have specific questions about my response that you don't understand, please ask them. (Maybe I misunderstood you, for example, and am way off base.)

    Hope this helps!
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
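    An added illustration of the inspection point instant000 makes above (example code written for this thread, not from any poster or vendor): the same inner TCP/443 connection is shown once already decrypted, as a firewall sees it when the VPN terminates before it, and once wrapped in ESP, as a firewall sees it when the VPN passes through. All addresses, the SPI and the ciphertext bytes are constructed values.

```python
import struct
from ipaddress import IPv4Address

ESP = 50  # IP protocol number for IPsec ESP
TCP = 6

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (constructed for this example; checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def tcp_header(sport, dport):
    """Minimal 20-byte TCP header; only the port fields matter to a port-based ACL."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)

def firewall_view(pkt):
    """Fields a packet filter can actually match on. For ESP only the outer
    addresses and the SPI are readable; the inner ports sit inside the ciphertext."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    view = {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "proto": proto, "sport": None, "dport": None, "spi": None}
    body = pkt[ihl:]
    if proto == TCP:
        view["sport"], view["dport"] = struct.unpack("!HH", body[:4])
    elif proto == ESP:
        view["spi"], _seq = struct.unpack("!II", body[:8])  # SPI and sequence number
    return view

def acl_permits_https_only(pkt):
    """A port-based ACL that permits only TCP/443. On the clear packet it can decide
    per application; on the ESP packet it sees no ports, so the only possible
    decision is per tunnel (permit protocol 50 to the peer, or not)."""
    v = firewall_view(pkt)
    return v["proto"] == TCP and v["dport"] == 443

# Constructed traffic: VPN terminated before the firewall (clear) vs. passing through (ESP).
INNER_TCP = tcp_header(51234, 443)
CLEAR_PKT = ipv4_header("10.1.1.20", "10.2.2.30", TCP, len(INNER_TCP)) + INNER_TCP
CIPHERTEXT = bytes.fromhex("9f3ea7c41b02d66e8a5f0c13e9b47d20")  # constructed stand-in
ESP_BODY = struct.pack("!II", 0x0A1B2C3D, 1) + CIPHERTEXT
ESP_PKT = ipv4_header("198.51.100.10", "203.0.113.20", ESP, len(ESP_BODY)) + ESP_BODY

if __name__ == "__main__":
    print("clear:", firewall_view(CLEAR_PKT), acl_permits_https_only(CLEAR_PKT))
    print("esp:  ", firewall_view(ESP_PKT), acl_permits_https_only(ESP_PKT))
```

    The filter can still restrict which peers and SPIs are allowed on the passthrough path, which is the ACL filtering the original question refers to; what it cannot do is apply per-port or per-application rules to what travels inside the tunnel.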
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    I agree with instant. Unless there is a technical capability that is holding you back, terminate your VPNs at the firewall. Unless it is an SSLVPN to any Cisco device. Then I would say stay the hell away from WebVPN POS trash. OMG it is awful.
  • itdaddy Senior Member Posts: 2,089
    instant000
    yeah dude I did ask this before but I could not find the thread. hahah sorry if I sound like a moron, I am really not haha
    I am just learning so much stuff right now.. yeah the previous engineer made 2 contexts, Internet, admin of course, and Private
    and has vpns going thru the firewall and I got to thinking why? and thanks for your response....sorry for asking too many times
    but sometimes I lose it hhhahaha LOL but thanks for your words of wisdom..(TRUE)
  • itdaddy Senior Member Posts: 2,089
    Then I would say stay the hell away from WebVPN POS trash. OMG it is awful.

    hahaha omg is that funny, I will bud ahah ;)