VPN Setup Advice

Hi Guys,

I would like some advice on which Cisco Equipment to use to create a good and fast and potentially redundant VPN implementation. The connection will be used to connect one LAN to another LAN by aggregating DSL lines on one LAN to come into a E1 connection on the other LAN.

The idea is to have good equipment and low latency caused by any network equipment and be secure to a normal standard like 3 DES.

I was thinking of having a PIX on the primary site and a VPN concentrator. Whats the advantage of having both. Would I then need both on the remote side too or could I get away with just a Pix on the remote side. I.E is there such a difference in using PIX alone, or with VPN accellerator cards, or with Concentrators. Also how do you aggregate DSL connections to use over this.

Thanks for the advice.
halcyoneAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
lrmooreConnect With a Mentor Commented:
One Q at a time:
>I was thinking of having a PIX on the primary site and a VPN concentrator. Whats the advantage of having both.
The CPN concentrator gives you much more flexibility in dealing with roving clients. You get Active Direcory or native NT authentication, fine granular control over the client, enforce policies, etc.

>Would I then need both on the remote side too or could I get away with just a Pix on the remote side.
For LAN-LAN it does not really buy you much over what you get with the PIX at no additional charge. I see no reason whatsoever to have both, especially  not at the remote location, unless you have a large contingent of individual VPN client users. 1 PIX on each end is all you really need.

>is there such a difference in using PIX alone, or with VPN accellerator cards, or with Concentrators.
The newest PIX's with "e" designator, such as 506E, 515E, are "Enhanced" with an onboard VPN accelerator. This offloads the IPSEC encryption processing to a daughter card instead of doing it all in software. Unless you have a significant number of simultaneous connections, you can do without and be just fine.

>Also how do you aggregate DSL connections to use over this.
Ah, there's the rub. A PIX can have one and only one default gateway, so putting 4 DSL modems out in front of it won't do you a lick of good.  The other issue is IP addressing. Your PIX can have only one public IP address assigned to it. Each of the DSL lines will provide its own IP public IP address. This is not an easy thing to overcome. You might want to look at some other product, such as the FatPipes VPN solution (big money):
http://www.fatpipeinc.com/mpvpn/

>create a good and fast and potentially redundant VPN
You might consider using a router to terminate all of your DSL connections instead of a PIX. This will give you the ultimate flexibility. Routers will give you many more routing options than will the PIX. You can get the IPSEC feature set for almost any router and still do your LAN-LAN VPN tunnel at 3DES or AES.  Or, you can have both a router and PIX. Terminate the VPN on the PIX regardless of which DSL line the request comes in on.
Either that, or reconsider using DSL and to with dual T1's or something. At least then you could use BGP. Load-sharing accross multiple Internet connections is what BGP does well.




0
 
halcyoneAuthor Commented:
Thanks, that was very helpful.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.