Site to Site VPN Hardware recommendations

Unanswered Question
May 12th, 2008

Hi Guys,

We have a small office in India (20 users) which we would like to connect to our WAN in the UK. (We have a PIX 501 that we were going to use on our side)

They have an ADSL connection with a static IP, what I would like to know is what Cisco devices you guys would recommend to buy them so that they can connect to us. We were thinking of buying the Cisco 878 but it can only do 10 IPSEC tunnels and we will need about 18 simultaneous tunnels to connect to all different branches in the UK.

Ideally we would have liked 1 Cisco device that can make the ADSL connection as well as connect to our PIX 501 with about 18 IPSEC Tunnels, but if that's not possible what would be the best way forward?

Sorry not a very technical question





Ideally I would have thought that you would want to only connect from India to 1 site in the UK "the Hub" - then the "Hub" would distribute your traffic out to the other sites in the UK. Essentially have a Data Center in the UK. All remote sites would connect into this Data Center?

Also considerations are:-

ADSL pipe Size

Bandwidth Usage

Applications - bursty or continuous

As the above will determine, thruput - which is important, as I would imagine the users in India will also use the internet, so you need to think about the amount of traffic a device can handle, and of course how much it can encrypt/decrypt = total encrypted thruput etc.


As an update to the above, the Pix 501:-

Cleartext throughput: Up to 60 Mbps

Concurrent connections: 7,500

56-bit DES IPsec VPN throughput: Up to 6 Mbps

168-bit 3DES IPsec VPN throughput: Up to 3 Mbps

128-bit AES IPsec VPN throughput: Up to 4.5 Mbps

Simultaneous VPN peers: 10*

* Maximum number

10-User License

The Cisco PIX 501 10-user license supports up to 10 concurrent source IP addresses from your internal network to traverse through the Cisco PIX 501. The integrated DHCP server supports up to 32 DHCP leases. As your needs grow, both 50 user and unlimited user upgrade licenses are available, allowing you to extend your investment in Cisco PIX 501


50-User License

The Cisco PIX 501 50-user license supports up to 50 concurrent source IP addresses from your internal network to traverse through the Cisco PIX 501. The integrated DHCP server supports up to 128 DHCP leases. As your needs grow, a 50-to-unlimited user upgrade license is also available, allowing you to further extend your investment in Cisco PIX 501


Unlimited User License

The PIX 501 unlimited user license supports an unlimited number of devices from your internal network to traverse through the Cisco PIX 501. The integrated DHCP server supports up to 256 DHCP leases.

3DES/AES and DES Encryption Licenses

The Cisco PIX 501 Security Appliance has two optional encryption licenses - one license (PIX-501-VPN-3DES) enables 168-bit 3DES and up to 256-bit AES encryption, the other license (PIX-VPN-DES) enables 56-bit DES encryption. Both are available either at the time of ordering the Cisco PIX 501 Security Appliance, or can be obtained subsequently through Note that an encryption license must be installed to activate encryption services which are required before

I think if you want a small cost effective firewall - then perhaps the 506:-

Cleartext throughput: Up to 100 Mbps

Concurrent connections: 25,000

56-bit DES IPSec VPN throughput: Up to 20 Mbps

168-bit 3DES IPSec VPN throughput: Up to 16 Mbps

128-bit AES IPSec VPN throughput: Up to 30 Mbps

256-bit AES IPSec VPN throughput: Up to 25 Mbps

Simultaneous VPN peers: 25*

* Maximum number

With no limit on the number of inside ip addresses.


pwolivier Tue, 05/13/2008 - 02:59

Thanks for that Andrew,

I was thinking of the PIX 501 with the 50 user license which should be enough for that office. My question is which router do I get to make the ADSL connection as we want to buy everything in the UK and then ship it over to be installed.

Will the Cisco 1801 not be able to do everything that we want in this scenario?

And yes basically the India office would be connecting to our data center in the UK.



The 18xx series for VPN's:-

IPSec and VPN

Integrated Hardware-Based: On motherboard

Encryption Support in Hardware: DES, 3DES, AES 128, AES 192, AES 256

IPSec Tunnels Supported: 50

IPSec VPN Performance: 40 Mbps 3DES @ 1400 byte packets

Cisco IOS Firewall Performance: 100 Mbps @ 1400 byte packets

Specifically the 1801:-

ADSL Digital Subscriber Line Access Multiplexer (DSLAM) Interoperability

The Cisco 1801 is interoperable


• Cisco 6130 and Cisco 6260 IP DSL switches

• Alcatel (ASAM 1000 and 7300)

• Lucent Stinger (24- and 72-port line cards)

• ECI HiFocus (16- and 32-port line cards [Anaconda support])


1cmerchant Tue, 05/13/2008 - 03:43

Why use the Pix devices when they are already scheduled for End of Sale, etc? I far prefer the ASA 5505 device to the Pix 501 anyway, more granular control, better GUI (ASDM), and longer support life.

Just my 3.14 cents,


1cmerchant Thu, 05/15/2008 - 11:40

A 5505 is 1500 pounds sterling?! At the current exchange rate that means a 5505 would be nearly $3000 in US Dollars?

I get that device for about $500 here in the US of A, are we talking apples and oranges, or is Cisco equipment really that expensive in Europe?

Just curious,


1cmerchant Fri, 05/16/2008 - 03:50

WOW, I had no idea! Your comment on using the Pix 501 or other device over the ASA 5505 really makes sense now. I wonder what drives the price up so high across the pond?

Tell you what - the next time I need to get a Cisco device, I will shoot you an email and see if I can get it cheaper thru you!!

I can tell you - the more pairs of hands the products go thru, the more the price rises. Cisco only deal with partners & resellers, not direct.

If I could buy direct - I would!

1cmerchant Fri, 05/16/2008 - 08:28

We buy from a partner too, albeit a large one who gets really good discounts. I wonder if there are really high Value Added Taxes or other tariffs placed on Cisco gear in Europe that are driving the price up.

