
VPN Concentrator 3000 - pros and cons

Status
Not open for further replies.

hellboy101

Programmer
Aug 31, 2005
247
US
Hello all-

I'm looking into purchasing a VPN Concentrator 3000, probably the VPN 3015 model for its cost benefit primarily. Could anyone steer direction at all in what my benefits would be in using this product for VPN connections instead of just creating VPN groups on the PIX? With that said, would I configure it to sit in behind the PIX for managing VPN IPSEC traffic?

thanks, I'm currently on the Cisco site researching the heck out of this product but would always learn more from the pros that have used this device in the field

thanks for any support
hb101
 
No load on the router. VPNs are CPU intensive to put it mildly. Keeping routing and VPNs apart. Use of SSL VPN connections or using client. Extensive use of groups and permissions on the concentrator.

I run a 3005 and a 3020 with good results from both.

MikeS

Home of the book "Network Security Using Linux"
 
thanks MikeS,

So a concentrator makes good sense then. Excellent, I have a PIX 515E, how does the Concentrator affect this device? Would it work behind the PIX or in front? Any ideas?

thx hb101
 
hellboy101:

We have a 515. Had five site-to-site tunnels coming into it. Installed a 3005 and moved two of the tunnels to it with the intention of eventually moving the other three.

We have our router uplink directly to a switch, to which both the PIX-515 and the 3005 connect. So they're more or less "alongside" each other, more so than one behind the other.

Though, when we did this, we were told we could do it the other way.

We used internet filtering software checked at the PIX and our VPN tunnels that terminate at the PIX weren't getting filtered since packets can't come in and go out on the same interface. So now the ones that come in on the 3005 go out through the PIX and get filtered.
 
You can have the concentrator facing where you wish. In this case, the concentrator faces the internet and then a firewall router on the backside. I would rather have a PIX or other "real" firewall there but budgets being what they are, you make do at times :)

A classic design is to put it on the DMZ port of the PIX/Firewall.

MikeS

Home of the book "Network Security Using Linux"
 
I hear ya wybnormal, that would be my main plan, I have a PIX and will end up doing just that. thanks everyone so much! It's time to make a purchase


hb101
 
You could always put it in the DMZ of the Pix while the backside of the concentrator points internally. That way you got protection on the front end. But then again the goal is to let mobile users VPN in to the VPN device and hopefully your router is doing some screening before it hits the Pix or Concentrator. I think the concentrator is the way to go especially if you have a large amount of VPN Traffic. The Pix does do a good job of providing this capability though.
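The DMZ placement described in this thread, as an added configuration example that is not from any poster: a PIX 515E (6.x-era syntax) with the concentrator's public interface on the DMZ and its private interface on the internal LAN. All addresses, interface names and ACL names are constructed for illustration; only IKE, NAT-T and ESP are allowed from the Internet to the concentrator, so the PIX screens it like any other DMZ host.

```cisco
! Constructed example (not a real deployment): PIX 515E, three interfaces.
! Concentrator public interface lives on the DMZ at 192.0.2.10; its private
! interface is on the inside LAN, so decrypted traffic never re-crosses the PIX.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.0.2.1 255.255.255.0

! Publish the concentrator's DMZ address on a public IP (one-to-one static).
static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255

! Permit only what remote IPsec clients need to reach the concentrator:
! IKE (UDP/500), NAT-Traversal (UDP/4500) and ESP (IP protocol 50).
! Everything else from the Internet to the DMZ is dropped by the implicit deny.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit udp any host 203.0.113.10 eq 4500
access-list outside_in permit esp any host 203.0.113.10
access-group outside_in in interface outside
```

If you instead want decrypted client traffic filtered by the PIX (as in the "alongside" setup above), put the concentrator's private interface on the DMZ as well and add a dmz-to-inside ACL for the client address pool.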
 
The newest concentrators have built in accelerators for VPN traffic. It really makes a difference on throughput if you have a lot of VPN traffic.

Also, the newest SSL VPN client is pretty sweet. It's much more robust over crappy links than traditional IPsec clients and it is much more forgiving of badly configured security like coffee shop wireless.

MikeS

Home of the book "Network Security Using Linux"
 