Large VPN PIX to PIX question

Posted on 2002-04-30
Last Modified: 2010-04-17
I run a network for a large Healthcare org. We are looking to move a lot of our smaller sites (50-100 users) to a VPN using a PIX to PIX VPN solution.

We will use a 515 for the central site and 506s for remotes. We will push a Practice Management Software Program to each remote.

We will also push MS Office, Email, and a small database program to a few sites.

We will be running Citrix XPe across four Quad Xeon servers running 2000 Server, plus several similar servers running the apps.

We will have a DS-3 at the central site with a CIR of 4 Mb but will burst.

Each center will be responsible for internet connection.

My question is more of a request for results. Does anyone have any experience with this type of infrastructure and, if so, with what results?

I will let this question ride for a while and will reward points based on detail and similar experience.

Thank you very much for any input

Question by:slotz
LVL 79

Accepted Solution

lrmoore earned 200 total points
ID: 6983156
I have set up a very similar configuration with a 515 at the central site (2xT1) and 506s at the remotes (10 remotes), 3DES VPNs between them.

Some issues that I would consider:
1. Is the 515 your main firewall, or just for the VPNs? With your bandwidth and the horsepower of your servers, I might consider the bigger 525.
2. At the remotes, the 506 is not really designed for 100-user offices. That is really the realm of the 515 and the new 515E that has a better encryption chip just for VPNs.
3. Considering the amount of traffic that you intend to push to the remotes, and the use of the Citrix, I think your choice of 515/506 is underpowered and you will have performance issues. When you push large amounts of data, i.e. software updates, with every packet encrypted, it will bring that 506 to its knees.
4. How many remote sites, and will they have a requirement to talk directly to each other? If you need fully meshed routing, you might consider a VPN router at the core vs the PIX.
5. Consider failover and redundancy. You don't get an SLA with a VPN. Consider a PIX failover pair at the core site?

I have consulted with several large health care organizations, each with their own unique set of requirements and business models, so I understand some of your concerns.
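For readers who want to see what the hub-and-spoke PIX-to-PIX setup discussed in this answer looks like on the wire, the following is an added illustration, not configuration posted by lrmoore or anyone else in the thread. It is written in PIX OS 6.x syntax for the central 515 with two remote 506 peers, using the 3DES IPsec with pre-shared keys that the answer describes. All addresses, ACL names, map names and keys are constructed placeholders; lines beginning with `:` are comments in the PIX 6.x configuration format.

```cisco
: Central-site PIX 515, PIX OS 6.x syntax (added example; not from the thread)
: Constructed addresses: hub LAN 10.1.0.0/16; remote A LAN 10.2.1.0/24 behind
: 203.0.113.10; remote B LAN 10.2.2.0/24 behind 203.0.113.20 (RFC 5737 ranges)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

: Interesting traffic per spoke: one ACL per remote, referenced by its crypto map entry
access-list vpn-remoteA permit ip 10.1.0.0 255.255.0.0 10.2.1.0 255.255.255.0
access-list vpn-remoteB permit ip 10.1.0.0 255.255.0.0 10.2.2.0 255.255.255.0

: Exempt site-to-site traffic from NAT so private addresses survive the tunnel
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.1.0 255.255.255.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat

: Let decrypted IPsec traffic bypass the outside interface ACL. This means the
: remote LANs reach the hub LAN without further filtering on this box, so any
: restriction between sites has to be applied elsewhere (spoke ACLs, inside routers).
sysopt connection permit-ipsec

: Phase 2: 3DES with SHA-1 HMAC, as the thread describes (PIX 6.3 and later also offer esp-aes)
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac

: One crypto map entry per spoke, all bound to the outside interface
crypto map hubmap 10 ipsec-isakmp
crypto map hubmap 10 match address vpn-remoteA
crypto map hubmap 10 set peer 203.0.113.10
crypto map hubmap 10 set transform-set 3des-sha
crypto map hubmap 20 ipsec-isakmp
crypto map hubmap 20 match address vpn-remoteB
crypto map hubmap 20 set peer 203.0.113.20
crypto map hubmap 20 set transform-set 3des-sha
crypto map hubmap interface outside

: Phase 1 (IKE): pre-shared keys, a distinct key per peer (placeholders below)
isakmp enable outside
isakmp key REPLACE-WITH-KEY-A address 203.0.113.10 netmask 255.255.255.255
isakmp key REPLACE-WITH-KEY-B address 203.0.113.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Each 506 carries the mirror image: its own LAN-to-hub ACL, a single `set peer` pointing at the 515's outside address, and the matching pre-shared key. With this layout spoke A and spoke B can only reach each other if the hub forwards between tunnels or each spoke gets a crypto map entry for every other spoke, which is exactly the meshing question raised in point 4 above. A failover pair at the hub (point 5) only changes the hub side; the spokes keep peering with the shared outside address.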
LVL 79

Expert Comment

ID: 6983160
BTW, with Cisco's recent price drops, you can get a new 515E for around $2500. The 506 lists for $1950. The performance difference is huge considering the incremental increase in cost.

Expert Comment

ID: 6983179
In addition to lrmoore's excellent comments -

My primary job is in an all Citrix environment.  Have you done much testing with how Citrix will perform over the VPN?  I can tell you that it is not always as good as expected - depending on how you do it.  You never mentioned what the remote offices will be using for links to the Internet.  When I came to this company they were in the middle of deploying DSL and VPNs to our smaller sites.  We had about a dozen when I started.  We don't have any now.  Primarily, this is due to hassles with finding a good DSL vendor, but basically the lack of SLAs on DSL and the Internet in general can create a less than desirable Citrix experience.  Also, if these Internet connections will be used outside of the Citrix session, you will probably want to start putting traffic policies on the routers to give precedence to Citrix traffic.  We do this anyway on our normal WAN sites, but QoS becomes a nightmare when the Internet is involved because you have to work it on both ends and you still have a non-guaranteed middle.  It can take a lot of work to get this right.

My biggest advice is to not rush into a large scale deployment.  See if there is any way you can do a pilot site or two before buying all the hardware and signing contracts on large links.  Find out if there are any existing connections you can use and see if there is any hardware you can get from the vendor for testing.  If you are looking at buying enough, many vendors will let you "borrow" some hardware for a while.  Maybe you can buy just a couple smaller PIXes for both ends for testing.  If it all works out you can move these to the branch offices and buy the larger PIX for the central site.

One more comment - any particular reason you are going with the PIX on the corporate end?  I would think a dedicated VPN concentrator would be more suited for this job.  The PIX is more of a firewall with VPN capability than vice-versa.  For a specific VPN rollout, I would be looking for the opposite.

Hope that is of some help!
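The "traffic policies on the routers to give precedence to Citrix traffic" mentioned in the comment above can be illustrated with a Cisco IOS MQC policy; this is an added example and was not posted by scraig84. It assumes the router can see the ICA traffic in the clear, i.e. it sits on the LAN side of the VPN device, or that the VPN device copies the inner DSCP marking into the ESP outer header so a downstream router can still match it. Interface names, the DSL rate and the 25% reservation are constructed placeholders; ICA's TCP port 1494 is the standard Citrix port.

```cisco
! Cisco IOS MQC example (added; not from the thread). Placeholder interfaces/rates.
! Classify ICA (TCP 1494) on LAN ingress, mark it, then prioritise the mark on WAN egress.
ip access-list extended ICA-TRAFFIC
 permit tcp any any eq 1494
 permit tcp any eq 1494 any

class-map match-all ICA-UNMARKED
 match access-group name ICA-TRAFFIC
class-map match-all ICA-MARKED
 match ip dscp af31

! Mark on the way in from the LAN so the mark survives to the WAN queue (and, if the
! VPN device preserves DSCP, to the far end as well)
policy-map MARK-LAN-IN
 class ICA-UNMARKED
  set ip dscp af31

! Low-latency queue for ICA (25% of the link, placeholder value); everything else
! shares the remainder with fair queuing
policy-map WAN-OUT
 class ICA-MARKED
  priority percent 25
 class class-default
  fair-queue

! On a DSL uplink, shape to just under the upstream rate (placeholder 1.4 Mbit/s) so the
! queue builds on this router, where the policy applies, instead of in the modem
policy-map SHAPE-DSL
 class class-default
  shape average 1400000
  service-policy WAN-OUT

interface FastEthernet0/0
 description LAN side (constructed placeholder)
 service-policy input MARK-LAN-IN
interface FastEthernet0/1
 description DSL/Internet uplink (constructed placeholder)
 service-policy output SHAPE-DSL
```

This only controls what leaves each router; the Internet path in between remains the "non-guaranteed middle" the comment describes, which is why the mirror policy is needed on the central-site router for the return direction and why the marking alone does nothing until both ends queue on it. Where the router sits outside the VPN device and only sees ESP, the `ICA-UNMARKED` classification cannot work there and the marking has to happen on the cleartext side.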
LVL 79

Expert Comment

ID: 6986466
scraig84, I would like to contact you off-line regarding a Citrix environment with performance issues over a frame WAN...


Author Comment

ID: 7029986
Thank you for your comments lrmoore and scraig84. I'm going to award the points to lrmoore. I would split them between the two of you if I knew a way to do so.

