Solved

VPN Setup Advice

Posted on 2004-09-20
Last Modified: 2011-09-20
Hi Guys,

I would like some advice on which Cisco equipment to use to create a good, fast and potentially redundant VPN implementation. The connection will be used to connect one LAN to another LAN by aggregating DSL lines on one LAN to come into an E1 connection on the other LAN.

The idea is to have good equipment and low latency caused by any network equipment and be secure to a normal standard like 3DES.

I was thinking of having a PIX on the primary site and a VPN concentrator. What's the advantage of having both? Would I then need both on the remote side too, or could I get away with just a PIX on the remote side? I.e., is there such a difference in using PIX alone, or with VPN accelerator cards, or with concentrators? Also, how do you aggregate DSL connections to use over this?

Thanks for the advice.
Question by:halcyone

Accepted Solution

by:
lrmoore earned 250 total points
ID: 12105432
One Q at a time:
>I was thinking of having a PIX on the primary site and a VPN concentrator. What's the advantage of having both.
The VPN concentrator gives you much more flexibility in dealing with roving clients. You get Active Directory or native NT authentication, fine granular control over the client, enforce policies, etc.

>Would I then need both on the remote side too or could I get away with just a PIX on the remote side.
For LAN-LAN it does not really buy you much over what you get with the PIX at no additional charge. I see no reason whatsoever to have both, especially not at the remote location, unless you have a large contingent of individual VPN client users. 1 PIX on each end is all you really need.

>is there such a difference in using PIX alone, or with VPN accelerator cards, or with Concentrators.
The newest PIX's with "e" designator, such as 506E, 515E, are "Enhanced" with an onboard VPN accelerator. This offloads the IPSEC encryption processing to a daughter card instead of doing it all in software. Unless you have a significant number of simultaneous connections, you can do without and be just fine.

>Also how do you aggregate DSL connections to use over this.
Ah, there's the rub. A PIX can have one and only one default gateway, so putting 4 DSL modems out in front of it won't do you a lick of good. The other issue is IP addressing. Your PIX can have only one public IP address assigned to it. Each of the DSL lines will provide its own public IP address. This is not an easy thing to overcome. You might want to look at some other product, such as the FatPipes VPN solution (big money):
http://www.fatpipeinc.com/mpvpn/

>create a good and fast and potentially redundant VPN
You might consider using a router to terminate all of your DSL connections instead of a PIX. This will give you the ultimate flexibility. Routers will give you many more routing options than will the PIX. You can get the IPSEC feature set for almost any router and still do your LAN-LAN VPN tunnel at 3DES or AES. Or, you can have both a router and PIX. Terminate the VPN on the PIX regardless of which DSL line the request comes in on.
Either that, or reconsider using DSL and go with dual T1s or something. At least then you could use BGP. Load-sharing across multiple Internet connections is what BGP does well.





Author Comment

by:halcyone
ID: 12121286
Thanks, that was very helpful.