
PIX 515 VPN Solution Newbie questions


mtndew9

MIS
Jan 23, 2002
22
US
We have had a PIX 515 UR for quite some time and now upper management would like to know what is involved with going to a VPN solution for Remote users (approximately 75 users).

1. Can anybody tell me what is needed to get my users
authenticated with the NT domain?
2. Is a VPN Accelerator Card necessary?
3. Do I require a RADIUS Server? If so what options do I
have?
4. What Client software do I have to purchase?
a. Cisco Secure VPN Client 1.1
b. Cisco Secure VPN Client 3.5
5. Cisco DES is free but is 3DES a better option for $1000?


Thank you in advance,
Chris


 
Chris,

First, what IOS is your PIX running?

The PIX without VPN accelerator should support about 10-15 concurrent tunnels; any more and your performance will be hit. With the accelerator board you should get more like 100 concurrent tunnels supported.

I use PIX 6.1 or 6.2, which supports the unified VPN client 3.5 for either DES or 3DES tunnels.

This client supports the XAUTH facility, which will enable you to authenticate your users against your NT domain, and you don't need to use RADIUS, although it's an option.

I recently installed this client, using RADIUS and the Xauth option to authenticate against a win2k server running IAS. This used RADIUS to authenticate the user against the NT account database.

3DES is better, but before you buy, why not trial it using DES; once you have the basics working, get the licence.
 
We just upgraded to PIX Version 6.2.2.

I noticed that the VPN accelerator card is list price $3700. Would it be better to look at a VPN Concentrator 3005 for $2900?

Any sample configurations would be great.

Thanks for the info.
 
Ouch! I didn't realise they were so costly.

The VPN 3005, according to its spec, supports 100 concurrent users, as does the next one up, the 3015. However, if you're going to support about 75 remote users you're approaching the top end of the capability of the 3005; that's assuming you're talking about 75 users all connected at once. This also applies to the PIX accelerator card.

If your VPN requirement is going to grow, you may be better off looking at the 3015, as that's upgradeable; again I've no idea of the costs involved. The upgrade module I believe converts the 3015 into a 3030, which supports 1500 concurrent tunnels. Far better than the PIX.

However, I can say that I've used the 300x concentrator; it's a pretty simple product to use, far more so than the CLI on the PIX.
 
Hi.

About the performance, you should consider not only the number of concurrent users but also the expected amount of traffic and bandwidth they will generate, depending on ISP connections and the type of applications in use.

Anyway, I suggest that you go for the VPN concentrator, or another dedicated VPN box. This is because it's not so easy to manage and control the VPN at the PIX, and also to prevent overloading it.
With a VPN concentrator you can have more granular control and define access-lists per VPN group.

In any solution you are going to implement, you should consider the VPN access as another hole in your firewall, so you should try to limit, control and audit VPN traffic. For example, let them access only specific hosts and services, not the whole internal network.

Bye
Yizhar Hurwitz
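Putting the two recommendations in this thread together (XAUTH against the NT domain through an IAS RADIUS server, from the earlier reply, and limiting what VPN users can reach, from the reply above), here is an added PIX 6.2 configuration sketch for the VPN Client 3.5; it is not from the thread or from Cisco, and every address, name, port and key below is a placeholder.

```cisco
: Constructed PIX 6.2 example; 10.1.1.0/24 is the assumed server LAN, 172.16.50.0/24 the assumed client pool.
: --- XAUTH: users are prompted for their NT credentials, checked by IAS over RADIUS ---
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.10 <radius-shared-secret> timeout 5
crypto map vpnmap client authentication RADIUS
: --- Client group (the group name/password are entered in the VPN Client 3.5 profile) ---
ip local pool vpnpool 172.16.50.1-172.16.50.100
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 10.1.1.5
vpngroup remoteusers default-domain example.local
vpngroup remoteusers split-tunnel 90
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <group-pre-shared-key>
: --- IKE phase 1 and IPsec phase 2 (3DES shown; use des / esp-des with a DES-only licence) ---
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
: Split-tunnel list 90: only the server subnet is pushed through the tunnel
access-list 90 permit ip 10.1.1.0 255.255.255.0 172.16.50.0 255.255.255.0
: Exempt client-to-server traffic from NAT
access-list nonat permit ip 10.1.1.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (inside) 0 access-list nonat
: Weak setting: "sysopt connection permit-ipsec" lets decrypted tunnel traffic bypass the
: outside access-list, so every VPN user reaches the whole inside network.
: Corrected: leave it off and filter the pool like any other outside source.
no sysopt connection permit-ipsec
access-list outside_in permit tcp 172.16.50.0 255.255.255.0 host 10.1.1.20 eq 443
access-list outside_in permit tcp 172.16.50.0 255.255.255.0 host 10.1.1.21 eq 3389
access-list outside_in deny ip 172.16.50.0 255.255.255.0 any
access-group outside_in in interface outside
```

The explicit deny on the pool is redundant with the implicit deny at the end of the list but makes the intent visible; hits on it show up in the syslog, which gives you the audit trail the reply above asks for.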
 