  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 261

PIX Solution needed

I need to set up a conference room for about 300 people to have Internet access.  Network access will be wireless APs with a few wired connections available.  The Internet connection is going to be a DSL, T1 or even a T3 line (unlikely).  I’m thinking about using a PIX-501 or a PIX-506E.  Can a 501 handle what I need or does anyone have any other suggestions?  My requirements for the 501 or other device are:

  • Firewall services
  • DHCP server (possibly for multiple subnets)
  • Authentication for Internet access. Everyone will use the same user name / password.
  • Using a Web page for authentication instead of the Windows popup would be very useful.
  • Notebooks cover all OSes: Windows, Macs, Linux
  • Allow outgoing VPN clients, about 200-300 concurrently
  • The VPN client software will range over many worldwide vendors.
  • No incoming VPN access is needed.
  • No hosting of Web or FTP servers


Asked: neowolf219

1 Solution

lrmoore Commented:
501 was designed to support up to 10 users and only 4 vpns
506e was designed to support up to 50 users and "several" vpns
515e was designed to support 50-100 users and up to 2000 vpns
300+ users would typically see a minimum of PIX525

That said, the PIX is being replaced by the new ASA 5500 line. I would strongly urge you to look at the ASA5520 appliance.
If you have a T1 or anything other than DSL with a modem provided, you will also need a router. If you are contemplating a T3, you'll want to look at nothing less than a 2850 series router, or a 3825.
 
neowolf219 (Author) Commented:
What is the difference between users and VPNs in this case? (I know that sounds elementary, but why so many VPNs and so few users?) Does it deal with the translations the PIX can handle?
 
lrmoore Commented:
It deals with the CPU processing power of the box. Plain and simple restriction on # of simultaneous xlates and performance. Except for the 501 which is the only one with hard limit of 4 vpns and a specified # user license.

To handle 200-300 simultaneous internal users and their connections to external VPN servers is a huge load on the CPU. Inbound VPNs and site-to-site VPN traffic can be offloaded to a separate encryption engine, but since the PIX itself is not the VPN endpoint, it must process every single packet. If it's a PPTP VPN, it must identify the stream with the TCP 1723 request coordinated with a GRE return (GRE has no concept of ports) to the correct internal users. Other VPN clients use multiple different protocols for tunnel setup and data flow. That's a lot to keep up with.

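What lrmoore describes above (pairing the TCP 1723 request with the GRE return so the stream reaches the correct internal user) can be sketched as a small per-packet state machine. This is an added example, not Cisco PIX code and not anything posted in the thread: the packet fields, the ALG that rewrites colliding Call IDs, and the addresses are all constructed, following the Call ID semantics of RFC 2637 (a GRE packet's Key field carries the recipient's Call ID, so the firewall learns Call IDs from the control channel and demultiplexes GRE by the pair (server, Key)).

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PPTP_PORT = 1723  # PPTP control connection is TCP/1723; the data stream is GRE (IP proto 47)


@dataclass(frozen=True)
class Packet:
    """Only the fields the tracker looks at (constructed model, not a real parser)."""
    proto: str                      # "tcp" (control channel) or "gre" (data)
    src: str
    dst: str
    dport: Optional[int] = None
    ctrl: Optional[str] = None      # "OCRQ" Outgoing-Call-Request / "OCRP" Outgoing-Call-Reply
    call_id: Optional[int] = None   # sender's Call ID carried in the control message
    peer_call_id: Optional[int] = None
    gre_key: Optional[int] = None   # GRE Key field = Call ID of the packet's recipient


class PptpNat:
    """Returns the translated packet, or None when the firewall should drop it."""

    def __init__(self, outside_ip: str) -> None:
        self.outside_ip = outside_ip
        self.next_id = 1000
        # (server, translated client Call ID) -> (inside host, original client Call ID)
        self.by_xlated: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # (inside host, server) -> server's Call ID, learned from the OCRP
        self.server_call: Dict[Tuple[str, str], int] = {}

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == "tcp" and p.dport == PPTP_PORT and p.ctrl == "OCRQ":
            # Two inside hosts may choose the same Call ID, so rewrite it to a
            # value unique per server and remember who owns it.
            xid = self.next_id
            self.next_id += 1
            self.by_xlated[(p.dst, xid)] = (p.src, p.call_id)
            return replace(p, src=self.outside_ip, call_id=xid)
        if p.proto == "gre":
            # Outbound GRE is allowed only after the control channel set the call
            # up, and its Key must be the server's Call ID seen in the OCRP.
            expected = self.server_call.get((p.src, p.dst))
            if expected is None or expected != p.gre_key:
                return None
            return replace(p, src=self.outside_ip)
        return None  # everything else is outside this toy model

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == "tcp" and p.ctrl == "OCRP":
            # The reply echoes our translated value as Peer Call ID: map it back
            # to the inside host and note the server's own Call ID.
            entry = self.by_xlated.get((p.src, p.peer_call_id))
            if entry is None:
                return None
            inside, orig = entry
            self.server_call[(inside, p.src)] = p.call_id
            return replace(p, dst=inside, peer_call_id=orig)
        if p.proto == "gre":
            # GRE has no ports: only (server, Key) identifies the inside host.
            entry = self.by_xlated.get((p.src, p.gre_key))
            if entry is None:
                return None
            inside, orig = entry
            return replace(p, dst=inside, gre_key=orig)
        return None


def demo() -> Dict[str, Optional[str]]:
    """Two inside hosts dial the same server and both pick Call ID 1 (constructed addresses)."""
    nat = PptpNat("203.0.113.1")
    server = "198.51.100.7"
    hosts = ["10.0.0.10", "10.0.0.11"]
    xlated: Dict[str, int] = {}
    for n, h in enumerate(hosts, start=1):
        out = nat.outbound(Packet("tcp", h, server, PPTP_PORT, ctrl="OCRQ", call_id=1))
        xlated[h] = out.call_id
        # Server replies with its own Call ID (500+n) and echoes our translated one.
        nat.inbound(Packet("tcp", server, nat.outside_ip, ctrl="OCRP",
                           call_id=500 + n, peer_call_id=out.call_id))
    delivered: Dict[str, Optional[str]] = {}
    for h in hosts:
        gre = nat.inbound(Packet("gre", server, nat.outside_ip, gre_key=xlated[h]))
        delivered[h] = gre.dst if gre else None
    # A GRE packet whose Key matches no tracked call has nowhere to go.
    stray = nat.inbound(Packet("gre", server, nat.outside_ip, gre_key=4242))
    delivered["stray"] = stray.dst if stray else None
    return delivered


if __name__ == "__main__":
    print(demo())
```

Every GRE packet has to hit this lookup, and every control message has to update the tables; that lookup-and-rewrite per packet, multiplied by a few hundred inside users, is the CPU cost the thread is talking about, and it is the reason a box sized for ten users cannot simply be licensed up to three hundred.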
 
neowolf219 (Author) Commented:
Thanks for the response; just one more thing to get clear: what if you take the VPN out? How many translations for internal users could the PIX support? The list in your first response, I take it?
 
neowolf219 (Author) Commented:
Users will be VPNing from the inside using various methods to access their particular corporate network. I just looked on a data sheet on Cisco's site saying there was an "Unlimited" license for inside users, with 60 Mb clear-text. Again, there is no VPN actually running on the PIX.

Cisco is making it sound like I could use this, just really want PIX for ASA functionality.  

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b18.html
 
lrmoore Commented:
If you want to risk your entire operation on something that was never designed to support it, you've been warned.
Yes, Cisco does have an "unlimited" license option for the 501 but the CPU was simply not designed to support more than 10 users at one time.
The ASA algorithm is CPU intensive, especially when you have protocols such as VPN tunnels to deal with.
The 501 is not upgradeable. It will never support the new version 7 PIX OS which adds a wide range of new features and functionality.


 
neowolf219 (Author) Commented:
It's actually not an organization, but users in a conference room for a week (I wouldn't put anything less than an ASA in now, unless the customer told me definitely, and this isn't for me but a friend who is doing this and trying to find a solution that is lightweight to deal with shipping costs internationally; was going to go with ISA server but shipping was something obscene like 1500$ or something - including case).

A Cisco engineer is supposed to be getting in touch about this, and we are just running it past them. Probably going to go with a higher end PIX or ASA. I told my friend that there is no way I could simulate his scenario, so he is probably better off safe than sorry, but not really my choice.

Thanks for the reply; sorry if you got frustrated with me wanting to put a 501 in an organization with 300 people ... but I can't help but chuckle at that. Betcha thought I was a typical customer or something, heh?
 
lrmoore Commented:
Thanks for the follow up...
I'm a firm believer of using the right tool for the job.
At least you've ruled out ISA even if it was just because of size/weight.

Cheers!