
CISCO PIX vs. VPN Concentrator 1

Status
Not open for further replies.

iwat

IS-IT--Management
Jun 13, 2001
Our company currently uses CISCO PIX firewalls on both our internal network and website.

We have an outside IS service provider engaged to set up a VPN on our internal network. That provider is recommending that we purchase a CISCO VPN Concentrator 3015 for our VPN solution.

We are a small company ~50 employees and cost conscious. Do we really need to purchase a $10,000 concentrator to implement a reliable VPN?

Cisco literature indicates that we can use our PIX for a VPN.

I need an informed second opinion on this matter.

If you had a client company of our size with existing PIX firewalls who wants VPN, what would you recommend? If we can use the PIX firewall, what additional h/w and s/w purchases would we need to make to get a VPN up and running?

All input appreciated.
 
The number of concurrent VPN sessions depends on the model of your PIX firewall and its OS version. Here's what I can tell you for sure:
1. You can most certainly run your entire VPN on PIX. The issue could be the VPN client (VPN 3000 or Secure 1.1).
2. Models 515 and up can accept a PCI VPN Accelerator card which can boost the number of concurrent VPN sessions to thousands (cheaper than the VPN Concentrator).
3. Make sure all of your PIXes have a recent major release of the OS, and have enough RAM, if you want to use them to terminate the tunnel.

I have more than 100 users, plus servers, etc, and I am doing a LAN-to-LAN VPN, remote client VPN, all using a single PIX 515.

Hope this helps. If you have any other questions, post them.

David.
 
We have a VPN between our 3 remote offices using the PIX 506 and our main office using the PIX 515. Everything works extremely well. The remote offices have about 10 users and the main office about 60 users. I contacted Cisco before we put the VPN in place and they gave me the OK. We also have remote users establishing a VPN with the remote office.

I highly recommend an upgrade to the PIX 6 OS since it supports Cisco VPN Client 3.x, which is required if your users have Windows 2000 systems. Also, with OS 6 and client 3.x you can pass network information such as DNS and WINS servers to the client, which you could not before.
 
I have 200+ clients connecting to the internal network using VPN with a PIX 515.
The PIX is version 6.0.1.
I deploy VPN Client 3.
I also use xauth with Cisco Secure ACS 2.6.
I have 3 kinds of clients with different access rights.
I made a distinction between my clients based on username and password.
When a user logs in, he gets the right to access a server or another server, a group of servers, or the entire network, based on the profile that I configured on Cisco ACS.
Cisco doesn't document this feature for the PIX; only for the VPN Concentrator.
But this can be done with the PIX, and it works perfectly.
A well-configured PIX can easily replace a VPN Concentrator if the needed throughput is not too big. And if it is a big one, you can buy a VPN Accelerator Card.
I think Cisco wants, in the future, to replace the VPN Concentrator with a combination of PIX with Cisco Secure ACS.
Using different IPsec profiles you can connect to more than one remote peer using different encryption settings.
So forget about the VPN Concentrator. Dig more into the PIX config and you can do whatever you want.
 
It really depends on the requirements as you told your reseller.

The VPN concentrator has support for different groups of VPN users, the PIX does not.

The VPN concentrator uses these different groups to push down different policies based on group. PIX doesn't have that.

The setup GUI for VPN concentrator has been around for some time and is well developed. The PIX PDM GUI is great, but doesn't do VPNs.

Of course, the VPN concentrator is not a firewall.
 
I understand your opinion.
I thought so too.
But with the [009\001] cisco-av-pair you can push different access-lists for every user group.
Of course, you can push different DNS, WINS, and domains for every user group.
So every user group will have different access rights.
PDM looks good, but I think it's useless.
If Cisco implements autocomplete with help in the PIX CLI, like in the routers, it will be great.
So, dig into the PIX and you'll see a very good VPN concentrator hidden in it.
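The two posts above, and the earlier one about OS 6 pushing DNS and WINS settings, describe one mechanism: IKE xauth hands each remote user's credentials to Cisco Secure ACS, and the ACS user group returns a cisco-av-pair attribute that the PIX applies as that user's access list, while the vpngroup block supplies the DNS, WINS and domain values. The fragment below is an added illustration of that layout, not any poster's configuration. It assumes PIX 6.x command syntax, a RADIUS-based ACS reachable at 10.1.1.5 on the inside interface, a client address pool of 192.168.100.0/24 and an inside network of 10.1.0.0/16; all addresses, the group name "staff", the server names and the placeholder keys are constructed, and which av-pair attributes a given PIX or ACS version honours has to be checked against the release notes for those versions.

```text
: --- PIX 6.x side (assumed syntax; names and addresses are constructed) ---
: Lines starting with ":" are comments for the reader.
: RADIUS server used for xauth; the key is a placeholder
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.5 RADIUS_KEY_PLACEHOLDER timeout 5

: Address pool handed to VPN Client 3.x users
ip local pool vpnpool 192.168.100.1-192.168.100.254

: Do not NAT traffic between the inside network and the VPN pool
access-list nonat permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

: Decrypted IPsec traffic bypasses the interface access lists, so the
: per-user filtering comes only from the ACL that ACS pushes down
sysopt connection permit-ipsec

: Phase 2 and a dynamic crypto map for clients with unknown addresses
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
: xauth: every user authenticates individually against ACS after the group key
crypto map vpnmap client authentication ACS
crypto map vpnmap interface outside

: Phase 1
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: Group parameters pushed to the client (DNS, WINS, domain)
vpngroup staff address-pool vpnpool
vpngroup staff dns-server 10.1.1.10
vpngroup staff wins-server 10.1.1.11
vpngroup staff default-domain example.com
vpngroup staff idle-time 1800
vpngroup staff password GROUP_PASSWORD_PLACEHOLDER

: --- ACS side (assumed) ---
: In the RADIUS (Cisco IOS/PIX) attributes of each ACS user group, set
: [009\001] cisco-av-pair to a downloadable ACL. Constructed examples:
: a group allowed to reach one application server over HTTPS only:
:   ip:inacl#1=permit tcp 192.168.100.0 255.255.255.0 host 10.1.2.20 eq 443
:   ip:inacl#2=deny ip any any
: a group allowed to reach the whole inside network:
:   ip:inacl#1=permit ip 192.168.100.0 255.255.255.0 10.1.0.0 255.255.0.0
```

The point to keep in view is the second half: with sysopt connection permit-ipsec in place, the access list returned by ACS is what limits an authenticated user, so each group's list should be verified from a client in that group after any change. The group pre-shared key only identifies the group; xauth is what ties a session to an individual account, which is also what makes per-user logging on the ACS meaningful.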
 
Why wouldn't they suggest the VPN 3005 as a better fit?
The current street price is less than $2500 and it supports 100 remote sessions. The latest IOS will allow two of these to connect together virtually and fail over to each other for 200 users (when needed). The 3015 seems a bad fit in my book; really, the combination of two 3005s is half the price of a 3015 and does more.

Beyond that, the VPN 3005 has a much better interface (web based) than a PIX, and a better manual (written by authors before Cisco bought the company). It now adds compression for small pipes as well, and can support remote offices as well as remote users with the 503 hardware VPN client.

Cisco says it themselves: the PIX is a firewall, if you need a firewall; the VPN Concentrators are for VPN connections.
 
In my environment, we currently run 8 PIX 515 boxes. All of the pixen are connected to one central point, at our corporate office. I have never seen the PIX have a problem as far as carrying the amount of traffic (not to mention the various types of connections) into our network. As well, the PIX at the corp office also runs up to 250 VPN sessions at one time to dial-up, DSL, vendor, and other remote connections. I would highly recommend going with the 515. OK, I digress... What I was going to get to, without so many words, is that the PIX runs great. There is really no need for the VPN Concentrator. I had a rep from Cisco try to convince me to purchase one, and I pointed out that I could do twice as much, as well as harden the security of my network, with half the cost of one concentrator. I would say go with the PIX. One last thing: make sure you have a person who knows (or perhaps yourself) how to deal with the PIX. I have spent many nights perfecting the configuration of the PIX, so be prepared. And good luck!
 
Hello:

I have a VPN established using MS PPTP (NT server). I would like to change over to a site-to-site (LAN-to-LAN) VPN and also allow remote users to VPN into either site. I have looked hard, and haven't found any easy step-by-step procedures to implement this. From what I have read, my option is the CISCO 3005 Concentrator. We have 15 users at each site and 5 mobile users.

Also, we have a third site overseas. Can we hook up a three way site-to-site VPN using CISCO 3005? Or any other method?

TIA,
Meetesh.
 