CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources]


  • Scenario 21-2

    This scenario, depicted in Figure 21-2, involves a typical Corporate Internet module from the medium-sized network design model.

    Figure 21-2. Medium-Sized Network Design with Corporate Internet Module

    1:

    On the public interface of the edge router, allow IPSec traffic from the remote-site peers 10.10.1.1 and 10.10.2.1 (not shown). Also allow remote-access VPN traffic.

    2:

    On the PIX Firewall, permit outside users access to the public services. Note that the public server, 10.1.3.2, appears publicly as 172.31.254.4 via static NAT on the PIX Firewall.

    3:

    Allow only legitimate traffic from remote-access users to the public services segment. Note that the VPN concentrator is configured with a remote-access address pool of 192.168.1.1 to 192.168.1.254.

    4:

    Allow remote-access user traffic to the Internet and internal network.
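
A sketch of the edge-router filter for item 1, as an added example that is not taken from the book. The peers 10.10.1.1 and 10.10.2.1 come from the scenario; the destination addresses, the interface name and the ACL name are constructed placeholders, because Figure 21-2 is not reproduced on this page, and the remote-access clients are assumed to use plain IKE and ESP.

```cisco
! Added example, not from the book. Constructed placeholders:
!   192.0.2.10 = site-to-site IPSec endpoint behind the edge router
!   192.0.2.20 = public interface of the VPN concentrator
!   Serial0/0  = public interface of the edge router
!   PUBLIC-IN  = ACL name chosen for this example
ip access-list extended PUBLIC-IN
 remark Site-to-site IPSec: IKE and ESP from the two named peers only
 permit udp host 10.10.1.1 host 192.0.2.10 eq isakmp
 permit esp host 10.10.1.1 host 192.0.2.10
 permit udp host 10.10.2.1 host 192.0.2.10 eq isakmp
 permit esp host 10.10.2.1 host 192.0.2.10
 remark Remote-access VPN: client source addresses are unknown, so any
 permit udp any host 192.0.2.20 eq isakmp
 permit esp any host 192.0.2.20
 remark Entries for the public services and other permitted traffic go here
 deny ip any any log
!
interface Serial0/0
 ip access-group PUBLIC-IN in
```

The site-to-site entries match on the peer's source address, so IPSec from any other host toward that endpoint falls through to the logged deny. As written the list covers item 1 only: until the remaining permit entries are added, every other inbound packet on the public interface is dropped.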