

Large VPN PIX to PIX question

Posted on 2002-04-30
Medium Priority
Last Modified: 2010-04-17
I run a network for a large Healthcare org. We are looking to move a lot of our smaller sites (50-100 users) to a VPN using a PIX to PIX VPN solution.

We will use a 515 for the central site and 506's for remotes. We will push a Practice Management Software Program to each remote.

We will also push MS Office, Email, and a small database program to a few sites.

We will be running Citrix XPe across four Quad Xeon servers running 2000 Server, plus several similar servers running the apps.

We will have a DS-3 at the central site with a CIR of 4 Mb but will burst.

Each center will be responsible for internet connection.

My question is more of a request for results. Does anyone have any experience with this type of infrastructure, and if so, with what results?

I will let this question ride for a while and will reward points based on detail and similar experience.

Thank you very much for any input

Question by:slotz
LVL 79

Accepted Solution

lrmoore earned 800 total points
ID: 6983156
I have set up a very similar configuration with a 515 at the central site (2xT1) and 506's at the remotes (10 remotes), 3DES VPNs between them.

Some issues that I would consider:
1. Is the 515 your main firewall, or just for the VPNs? With your bandwidth and the horsepower of your servers, I might consider the bigger 525.
2. At the remotes, the 506 is not really designed for 100-user offices. That is really the realm of the 515 and the new 515E that has a better encryption chip just for VPNs.
3. Considering the amount of traffic that you intend to push to the remotes, and the use of Citrix, I think your choice of 515/506 is underpowered and you will have performance issues. When you push large amounts of data, i.e. software updates, with every packet encrypted, it will bring that 506 to its knees.
4. How many remote sites, and will they have a requirement to talk directly to each other? If you need fully meshed routing, you might consider a VPN router at the core vs the PIX.
5. Consider failover and redundancy. You don't get an SLA with a VPN. Consider a PIX failover pair at the core site?

I have consulted with several large health care organizations, each with their own unique set of requirements and business models, so I understand some of your concerns.
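A rough sizing sketch for points 3 to 5 above, added here as an illustration and not part of lrmoore's answer: it models the ESP tunnel-mode overhead that every encrypted packet carries, the aggregate load that lands on the central PIX, hub-and-spoke versus full-mesh tunnel counts, and how long a software push takes through a remote's encrypted link. The per-user ICA rate, the remote encryption rate and the site list are constructed assumptions, not figures from the thread.

```python
"""Sizing sketch for a hub-and-spoke PIX IPsec VPN (constructed example)."""
from dataclasses import dataclass

# ESP tunnel mode with 3DES-CBC + HMAC-SHA1-96, the cipher suite assumed
# for the "3DES VPNs" in the answer above. Sizes are RFC 2406 / 2404 fields.
OUTER_IP = 20       # new outer IPv4 header added in tunnel mode
SPI_SEQ = 8         # ESP SPI + sequence number
IV_3DES = 8         # 3DES-CBC IV (block size 8 bytes)
ESP_TRAILER = 2     # pad length + next header
ICV_SHA1_96 = 12    # truncated HMAC-SHA1 authenticator


def esp_tunnel_size(inner_packet: int) -> int:
    """Bytes on the wire for one inner IP packet after ESP tunnel encapsulation."""
    body = inner_packet + ESP_TRAILER
    padded = (body + 7) // 8 * 8            # pad up to the 3DES block size
    return OUTER_IP + SPI_SEQ + IV_3DES + padded + ICV_SHA1_96


def goodput_fraction(inner_packet: int) -> float:
    """Share of the encrypted wire rate that is actually user data."""
    return inner_packet / esp_tunnel_size(inner_packet)


@dataclass
class Site:
    name: str
    users: int
    kbps_per_user: float = 20.0   # assumed per-session ICA rate, not from the page


def site_demand_kbps(site: Site, inner_packet: int = 1400) -> float:
    """Wire-level demand of one remote, ESP overhead included."""
    return site.users * site.kbps_per_user / goodput_fraction(inner_packet)


def hub_demand_kbps(sites, inner_packet: int = 1400) -> float:
    """Load the central PIX must encrypt/decrypt: the sum of every remote."""
    return sum(site_demand_kbps(s, inner_packet) for s in sites)


def tunnels_required(remotes: int, full_mesh: bool) -> int:
    """Hub-and-spoke needs one SA pair per remote; full mesh grows quadratically."""
    n = remotes + 1                          # hub plus remotes
    return n * (n - 1) // 2 if full_mesh else remotes


def push_time_seconds(megabytes: float, link_kbps: float, inner_packet: int = 1400) -> float:
    """Seconds to push an update through a remote whose encrypted rate is link_kbps."""
    return megabytes * 8 * 1000 / (link_kbps * goodput_fraction(inner_packet))


if __name__ == "__main__":
    remotes = [Site("clinic-a", 50), Site("clinic-b", 75), Site("clinic-c", 100)]
    print(f"hub load {hub_demand_kbps(remotes):.0f} kbps vs 4000 kbps CIR")
    print(f"tunnels: spoke {tunnels_required(3, False)}, mesh {tunnels_required(3, True)}")
```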
LVL 79

Expert Comment

ID: 6983160
BTW, with Cisco's recent price drops, you can get a new 515E for around $2500. The 506 lists for $1950. The performance difference is huge considering the incremental increase in cost.

Expert Comment

ID: 6983179
In addition to lrmoore's excellent comments -

My primary job is in an all-Citrix environment. Have you done much testing with how Citrix will perform over the VPN? I can tell you that it is not always as good as expected, depending on how you do it. You never mentioned what the remote offices will be using for links to the Internet. When I came to this company they were in the middle of deploying DSL and VPNs to our smaller sites. We had about a dozen when I started. We don't have any now. Primarily, this is due to hassles with finding a good DSL vendor, but basically the lack of SLAs on DSL and the Internet in general can create a less than desirable Citrix experience. Also, if these Internet connections will be used outside of the Citrix session, you will probably want to start putting traffic policies on the routers to give precedence to Citrix traffic. We do this anyway on our normal WAN sites, but QoS becomes a nightmare when the Internet is involved because you have to work it on both ends and you still have a non-guaranteed middle. It can take a lot of work to get this right.

My biggest advice is to not rush into a large-scale deployment. See if there is any way you can do a pilot site or two before buying all the hardware and signing contracts on large links. Find out if there are any existing connections you can use and see if there is any hardware you can get from the vendor for testing. If you are looking at buying enough, many vendors will let you "borrow" some hardware for a while. Maybe you can buy just a couple of smaller PIXs for both ends for testing. If it all works out you can move these to the branch offices and buy the larger PIX for the central site.

One more comment: any particular reason you are going with the PIX on the corporate end? I would think a dedicated VPN concentrator would be more suited for this job. The PIX is more of a firewall with VPN capability than vice versa. For a specific VPN rollout, I would be looking for the opposite.

Hope that is of some help!
LVL 79

Expert Comment

ID: 6986466
scraig84, I would like to contact you off-line regarding a Citrix environment with performance issues over a frame WAN...



Author Comment

ID: 7029986
Thank you for your comments lrmoore and scraig84. I'm going to award the points to lrmoore. I would split them between the two of you if I knew a way to do so.

