VPN solution question: Pix or 2600?

Status
Not open for further replies.

OmegaLS

IS-IT--Management
Apr 1, 2004
12
US
I currently have an outsourced VPN solution that was in place before I got here which I want to swap out. I am wondering what would be my best choice here for hardware for this. I have worked w/ the Cisco Pix before and feel pretty comfortable in it, but my director was saying something about a 2600 having an addon for VPN/Firewall; I am not sure on this however. Our current needs are very basic, w/ just needing the VPN connection. But I think we want to take into consideration that some of our sites have DSL currently and we might want to upgrade those to T1's, so having a device that can be both our router and VPN/Firewall solution would be beneficial. I have only worked w/ the Pix 515 and 520 really, so I am not too sure what the capabilities of the 506 are. Any insight you guys have on this would be helpful.

Thanks
Omid
 
The PIX isn't a router, so you might be better off with VPN over the router. Make sure to plan in enough capacity, though, for future growth. Nothing worse than putting a year-old $3,000 router on eBay for pennies on the dollar.
 
OmegaLS, am I right, you're talking about choosing the hardware for a VPN site-to-site hub location?
When choosing between the PIX and a C2600 with firewall/VPN feature set, I would prefer the PIX, since it is designed as a firewall. But of course there are some drawbacks when using a PIX for this (limited interface types available).
I'm not a friend of putting too many different functions into one box (that's what Cisco likes me for ;-)). If I was to set up a network for terminating several site-to-site VPNs I would do it like this:
Put a router (like the C2600) directly at the end of your Internet access. This one terminates your VPN connections. For security I would disable remote access to this router, except SNMP read for network monitoring. For managing the router there should be a terminal server where you can patch the console or aux port onto. You could even use the aux port of another, physically nearby router with reverse telnet (you can find things on this in the FAQ).
Behind the router I'd place a PIX that evaluates any incoming traffic including the decrypted VPN traffic from your remote sites.

If my setup is too expensive (it IS indeed most of the time), I'd prefer the PIX, because its main issue should be to protect your intranet from the internet. VPN termination is "just" the secondary functionality.
Mike
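The design Mike sketches above (edge router terminating the site-to-site tunnels, in-band remote access switched off, SNMP read-only for the monitoring station, PIX behind it), written out as an added IOS configuration example. It is not from the thread; hostnames, addresses, ACL numbers and the pre-shared key are placeholders.

```cisco
! Added example (not from this thread): edge C2600 terminating one
! site-to-site IPsec tunnel, managed only via console/aux, SNMP read-only.
! All addresses, names and the pre-shared key are placeholders.
hostname edge-rtr
!
! --- Site-to-site IPsec (classic IOS crypto map) ---
! Use the strongest cipher your IOS release supports on this platform.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.10
!
crypto ipsec transform-set VPNSET esp-aes esp-sha-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set VPNSET
 match address 120
!
! Only hub LAN <-> remote LAN traffic is sent through the tunnel
access-list 120 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
interface Serial0/0
 description T1 to ISP; tunnels terminate here
 ip address 198.51.100.2 255.255.255.252
 crypto map VPNMAP
!
interface FastEthernet0/0
 description Inside port; the PIX outside interface sits behind it
 ip address 192.0.2.1 255.255.255.0
!
! --- Management: no telnet/ssh into the router from any network ---
line vty 0 4
 transport input none
!
! SNMP read-only, and only from the monitoring host on the hub LAN
access-list 10 permit host 10.1.0.50
snmp-server community PLACEHOLDER-RO RO 10
```

Decrypted traffic leaves FastEthernet0/0 in the clear, which is exactly why the PIX behind it still sees and filters every remote-site packet.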
 
The 506 is basically the same as the 515 and higher, except for its capacity and lack of failover capability. It supports only two interfaces.

I agree that the best solution is: router<->pix<->router or L3 switch.

Remember, you can't connect a T1 to a Pix. It's ethernet-only. Also, until version 7 (as I understand it) you can't "hairpin" connections. Meaning simply that you must create a full-mesh VPN network in order for each site to see each other.

You might also look at the new 3800 Integrated Services devices, which seem poised to replace both routers and Pixes in the future.
 