Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX VPN capabilities?

Status
Not open for further replies.
dkraut

dkraut

IS-IT--Management
Feb 5, 2003
75
US
I was just given the go ahead to spec out, purchase and put in place a global network infrastructure for several new offices around the globe. These offices will all need to talk to each other through Internet based VPN channels. Cisco is the preferred vendor for accomplishing this task. We will be using T1 or E1 connections to the Internet at each location. In reading over the various Cisco literature, I’m a little confused over why someone would use a VPN concentrator in addition to a PIX 515 or 525? Since the PIX will do both branch office and client VPN connections, what does a device like the Cisco 3000 VPN concentrator buy you?
 
Sort by date Sort by votes
A VPN Concentrator is recommended if you are planning to run a lot of VPN tunnels (site-to-site and remote access), specially if you have a lot of users connecting to the network using a VPN client. If you plan to run only a few tunnels then a PIX should do the job, just make sure it has a VPN hardware encryption card to release the CPU from the burdens of encryption/decryption. On a plus side, the VPN concentrator is really easy to configure and it is very intuitive. Most importantly, you can have a true hub and spoke configuration where the spokes are able to talk to each other through the VPN tunnel, this is not possible with PIX firewalls where the spokes will only be able to talk to the hub. If you want spoke to spoke communication using PIX firewalls you will need a fully meshed topology.
 
Upvote 0 Downvote
thanks for the info...

I'm a little confused about your hub and spoke comments. Are you saying that in an all PIX config (No VPN concentrator), that site 1 for example would only be able to connect to 1 other site and not the other 5 sites? or can the PIX create a tunnel to all 6 sites? I do want each site to have the ability to communicate with all other sites.
 
Upvote 0 Downvote
In a hub and spoke configuration you configure tunnels from the spokes to the hub and then you can communicate spoke-to-spoke through the hub. However this is not possible on the PIX... you need to configure a fully meshed VPN network, that means tunnels from spokes to hub and from spokes to spokes. If you do not want to configure a fully meshed network and be able to communicate between spokes you need either a router or VPN concentrator to end the tunnels.
 
Upvote 0 Downvote
Gotcha...

which leads me to my alternative solution. After poking around the Cisco site, I just learned that most of their routers now have the ability to perform integrated firewall and VPN all in one box! Now that sounds like a winning combination to me! Any caveats to simply installing Cisco 1721's at all sites with the integrated firewall and VPN module? Again, all sites will have T1 to the Internet and 50 or less users. There will also be a small roaming sales force of approximately 50 users that will need to connect periodically to grab email, etc. THX!!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
654
intel233
intel233
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
233
gkittelson
gkittelson
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
799
Shmid
Shmid
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
181
WhosYourDiffie
WhosYourDiffie
ITSUPPORTIT
  • Locked
  • Question
VPN from ASA 5510 and RV215W problem
Replies
0
Views
160
ITSUPPORTIT
ITSUPPORTIT

Part and Inventory Search

Sponsor

Back
Top