Solved

VPN Setup Advice

Posted on 2004-09-20
Last Modified: 2011-09-20
Hi Guys,

I would like some advice on which Cisco equipment to use to create a good and fast and potentially redundant VPN implementation. The connection will be used to connect one LAN to another LAN by aggregating DSL lines on one LAN to come into an E1 connection on the other LAN.

The idea is to have good equipment and low latency caused by any network equipment and be secure to a normal standard like 3DES.

I was thinking of having a PIX on the primary site and a VPN concentrator. What's the advantage of having both? Would I then need both on the remote side too, or could I get away with just a PIX on the remote side? I.e., is there such a difference in using PIX alone, or with VPN accelerator cards, or with concentrators? Also, how do you aggregate DSL connections to use over this?

Thanks for the advice.
Question by:halcyone
Accepted Solution

by:
lrmoore earned 250 total points
ID: 12105432
One Q at a time:
>I was thinking of having a PIX on the primary site and a VPN concentrator. What's the advantage of having both.
The VPN concentrator gives you much more flexibility in dealing with roving clients. You get Active Directory or native NT authentication, fine granular control over the client, enforce policies, etc.

>Would I then need both on the remote side too or could I get away with just a Pix on the remote side.
For LAN-LAN it does not really buy you much over what you get with the PIX at no additional charge. I see no reason whatsoever to have both, especially not at the remote location, unless you have a large contingent of individual VPN client users. 1 PIX on each end is all you really need.

>is there such a difference in using PIX alone, or with VPN accelerator cards, or with Concentrators.
The newest PIX's with "e" designator, such as 506E, 515E, are "Enhanced" with an onboard VPN accelerator. This offloads the IPSEC encryption processing to a daughter card instead of doing it all in software. Unless you have a significant number of simultaneous connections, you can do without and be just fine.

>Also how do you aggregate DSL connections to use over this.
Ah, there's the rub. A PIX can have one and only one default gateway, so putting 4 DSL modems out in front of it won't do you a lick of good. The other issue is IP addressing. Your PIX can have only one public IP address assigned to it. Each of the DSL lines will provide its own public IP address. This is not an easy thing to overcome. You might want to look at some other product, such as the FatPipes VPN solution (big money):
http://www.fatpipeinc.com/mpvpn/

>create a good and fast and potentially redundant VPN
You might consider using a router to terminate all of your DSL connections instead of a PIX. This will give you the ultimate flexibility. Routers will give you many more routing options than will the PIX. You can get the IPSEC feature set for almost any router and still do your LAN-LAN VPN tunnel at 3DES or AES. Or, you can have both a router and PIX. Terminate the VPN on the PIX regardless of which DSL line the request comes in on.
Either that, or reconsider using DSL and go with dual T1s or something. At least then you could use BGP. Load-sharing across multiple Internet connections is what BGP does well.
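
The "1 PIX on each end" LAN-to-LAN tunnel at 3DES described in the answer above, as an added example that is not part of the original thread or lrmoore's own configuration. It assumes PIX OS 6.x syntax; the subnets, the peer address (documentation range) and the names `L2L-VPN`, `ESP-3DES-SHA` and `VPNMAP` are constructed placeholders, and the remote PIX mirrors this with the subnets and peer address swapped.

```cisco
: Added example, primary-site PIX (PIX OS 6.x syntax assumed).
: Constructed values: local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24,
: remote PIX outside address 203.0.113.2.

: Traffic between the two LANs: selects what is encrypted and exempts it from NAT
access-list L2L-VPN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list L2L-VPN

: Let decrypted tunnel traffic bypass the outside interface ACL check
sysopt connection permit-ipsec

: Phase 1 (IKE): 3DES, SHA-1, DH group 2, pre-shared key tied to the single peer
isakmp enable outside
isakmp identity address
isakmp key <PRE-SHARED-KEY> address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: Phase 2 (IPsec): ESP with 3DES encryption and SHA-1 HMAC integrity
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address L2L-VPN
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside
```

Binding the pre-shared key to the peer's host address (netmask 255.255.255.255) rather than a wildcard keeps the key from being accepted from any other source. The single `set peer` address and single outside interface are the same one-address constraint the answer raises for multiple DSL lines.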

Author Comment

by:halcyone
ID: 12121286
Thanks, that was very helpful.