Solved

How many NAT incoming connections can a Cisco VPN 3015 concentrator receive simultaneously?

Posted on 2005-03-09
Last Modified: 2013-11-16
Hello

I have a specific question regarding the Cisco 3015 VPN concentrator.
I know it can handle 100 simultaneous incoming connections/tunnels. But I have been asked how many connections it could receive with one NATted IP address coming in to the concentrator? Does each NAT connection still count as 1, or would it be infinite?

I had an answer of approx 65000 earlier, but I'm not sure if I worded the question correctly, which I have hopefully done now.

Thanks

Ian
Question by:clarkeyi
12 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13497380
Looks like 75 "clientless"

Cisco VPN 3015 Concentrator
The Cisco VPN 3015 Concentrator is designed for small- to medium-sized organizations with bandwidth requirements up to full-duplex T1/E1 (4 Mbps maximum performance), with support for up to 100 simultaneous IPSec sessions or 75 simultaneous clientless sessions. Like the Cisco VPN 3005, encryption processing is performed in software, but the Cisco VPN 3015 is also field-upgradable to the Cisco VPN 3030 and 3060 models.

From http://cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_data_sheet09186a00801d3b56.html
-rich
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13497529
I think that would be for all clientless connections, not just one NAT'd address... Cisco can be a pain about these things... I'm sure if you had 76 users all behind a NAT, accessing the resource on the other end of your NAT, if that would count... I think it would...
To clarify

76 clients at company X connecting through the NAT'd IP of 1.2.3.4
connecting to your concentrator NAT of 4.3.2.1 (which would map over to some server on your LAN like 10.1.1.1): once the 76th person tried to connect, they'd have reached the maximum.
It keeps track of what is passing in/out of the concentrator to the LAN, not how many IPs it sees coming in (which in this example would only be one IP).
-rich
 
LVL 10

Expert Comment

by:neteducation
ID: 13501496
Theoretically there is a limit at about 65,000. However, the real limit is lower. You can't say an exact number; it's based on the load the different connections use.

Basically to answer your question: It does not make any difference if the clients are coming in through NAT or not, you still have the same limits as before.

Author Comment

by:clarkeyi
ID: 13501590
I am a bit confused. So does this mean the limit is still 100 or nearer 65000?

Cheers
 
LVL 10

Accepted Solution

by:
neteducation earned 652 total points
ID: 13501775
If users are doing nothing at all, the limit is 65000.
If the users are doing some work (transferring files, accessing databases and so on), the limit is 100.

The limit is not technically implemented; it is the CPU that is doing encryption/decryption that can't handle more.

So for reality use 100 as the value
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 648 total points
ID: 13502024
I've found that Cisco has hard-coded the limits on concentrators. You can open a TAC case to see if they have any more official offerings, but the literature I've found to be correct in the past with regard to connection limits. We use 3030s and we've had this very issue.
For IPsec tunnels, even if you have multiple hosts behind a NAT connecting to your concentrator, each IPsec tunnel is a session; therefore you can have only 100 IPsec connections, and the source IP does not matter, as there is an authentication method for each tunnel. I've just tried a little example here at home. I have my gateway PC, and another behind it; both are coming from the same IP. I can initiate two tunnels into work, and when I view the concentrator web page I see both sessions from the same source IP, and they both count as individual connections.

A PIX or router is better suited for doing plain old NAT and PAT functions.
-rich
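The point Rich makes above (each tunnel is one session regardless of source address, so NAT fan-in does not buy extra capacity) is easy to check from the concentrator's session table. The following is an added example, not code from the thread or from Cisco: it parses a constructed CSV-style export of a session table (the column layout, the placeholder addresses and the usernames are all assumptions) and reports usage against the 100 IPsec / 75 clientless limits quoted from the data sheet earlier in the thread, counting tunnels rather than distinct public IPs.

```python
from collections import Counter, defaultdict

# Limits from the Cisco VPN 3015 data sheet quoted earlier in the thread.
IPSEC_SESSION_LIMIT = 100
CLIENTLESS_SESSION_LIMIT = 75

# Constructed sample export of a session table (not real Cisco output).
# Columns: session_id,public_source_ip,username,type
# Sessions 2-4 come from three hosts behind one NAT address (203.0.113.7),
# mirroring the two-hosts-behind-one-gateway test described above.
SAMPLE_EXPORT = """\
1,198.51.100.10,alice,ipsec
2,203.0.113.7,bob,ipsec
3,203.0.113.7,carol,ipsec
4,203.0.113.7,dave,clientless
5,192.0.2.44,erin,ipsec
"""


def parse_sessions(export_text):
    """Parse the constructed CSV export into a list of dicts, skipping blank/comment lines."""
    sessions = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid, src, user, kind = (field.strip() for field in line.split(","))
        sessions.append({"id": int(sid), "src": src, "user": user, "type": kind})
    return sessions


def count_by_type(sessions):
    """Every tunnel counts once, whatever its public source address."""
    return Counter(s["type"] for s in sessions)


def sessions_per_source(sessions):
    """How many tunnels share each public address (the NAT fan-in view)."""
    per_src = defaultdict(int)
    for s in sessions:
        per_src[s["src"]] += 1
    return dict(per_src)


def capacity_report(sessions, warn_fraction=0.9):
    """Headroom against the data-sheet limits; 'warn' flips when usage crosses warn_fraction."""
    counts = count_by_type(sessions)
    report = {}
    for kind, limit in (("ipsec", IPSEC_SESSION_LIMIT),
                        ("clientless", CLIENTLESS_SESSION_LIMIT)):
        used = counts.get(kind, 0)
        report[kind] = {
            "used": used,
            "limit": limit,
            "headroom": limit - used,
            "warn": used >= warn_fraction * limit,
        }
    # Distinct public IPs is reported only to make the contrast visible;
    # it is not what the limit is measured against.
    report["unique_source_ips"] = len(sessions_per_source(sessions))
    return report


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_EXPORT)
    print("by type:", dict(count_by_type(sess)))
    print("per source IP:", sessions_per_source(sess))
    print("capacity:", capacity_report(sess))
    # Ninety-five IPsec tunnels from a single NAT address still consume 95 of the 100 slots.
    behind_one_nat = [{"id": i, "src": "203.0.113.7", "user": f"u{i}", "type": "ipsec"}
                      for i in range(95)]
    print("one NAT, 95 tunnels:", capacity_report(behind_one_nat)["ipsec"])
```

Run it as a script and the last line shows the case that answers the original question: 95 tunnels from one public IP leave only 5 slots of headroom and trip the warning, even though `unique_source_ips` is 1.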
 

Author Comment

by:clarkeyi
ID: 13504045
Thanks for the advice. I will stick to 100 as the limit.

Thanks

Ian
 

Author Comment

by:clarkeyi
ID: 13504050
Next question: how do I split the points for richrumble and neteducation?
 
LVL 10

Expert Comment

by:neteducation
ID: 13504096
Take one as the accepted answer and the other as "assist" (never done by myself, just seen several times here)
 
LVL 5

Expert Comment

by:tmehmet
ID: 13504991
My experience is that you must not take actual figures from vendors seriously; you must test it to find out for yourself.

If you are about to make a decision for your business, the only way to be certain is to get it into your labs or go to Cisco labs and make them demonstrate it.

Once you start trying to prove it, you will find that the vendors start to release practical numbers during the tests for different scenarios.

Cisco have got better, but they do, like most, still put some spin on their figures.
