
Cant use VPN concentrators

shabib.syed
Level 1

Well, I need to implement a VPN for my company.

I have a 2610, a PIX firewall 515 and VPN client software. I don't want to use a VPN concentrator. I believe we can do the tunnelling without VPN concentrators. Where will these clients terminate... on the router? What am I missing here?

7 Replies

russ.mack
Level 1

You should be able to use either the PIX or the 2610 to terminate your IPSec tunnels. If you use the 2610, you will need an IPSec IOS. If the 2610 is on the Internet side of the PIX, and you use the 2600 as the VPN endpoint, data between the router and the PIX is unencrypted, which may be a concern. If the 2600 is on the private side of the PIX or in a DMZ and you are using IPSec, you will need to punch a hole for ISAKMP and either AH or ESP (suggest ESP).

If you use the PIX as the VPN endpoint, you can terminate at the outside interface, and still control access with your conduit rules. If you want to use the PIX to terminate the VPNs but not to impose any rule checks, I understand you can use the "sysopt ipsec pl-compatible" to make it look like they're terminating on the inside interface, although I haven't tried this.

The decision between using a concentrator or using the router/PIX is probably an administrative issue. Managing a few VPN connections using a router or PIX is not too bad. I have some of both. Keeping up with a large number of connections would be a nightmare. I would prefer a concentrator for that. Whichever solution you choose, be careful of client software version compatibility.

"If you want to use the PIX to terminate the VPNs but not to impose any rule checks"

Well, the PIX is my firewall for the network. My point is that the number of VPN connections will not be large (now by large I mean more than 100); it will be 20 max. concurrent connections, so I assume here that my PIX 515 has the capacity to work as a terminating point for VPN and also work as the network firewall. I really don't wanna add another piece of hardware (VPN concentrator) on my network, or you can say I can't. The other question is: does the Cisco VPN solution work with DSL? What if some of my clients have DSL, or is there any workaround to this?

If you want to have conduit rule checking for both the VPN and non-VPN traffic, use the "crypto map xxxxxx interface outside" command without the "sysopt ipsec pl-compatible". If you use the pl-compatible, I don't think the VPN traffic will be analyzed by the conduits, but non-VPN traffic still will be. Regarding DSL, I haven't set up a VPN over DSL yet, but don't see where there should be any problem unless the DSL provider is doing address translation. Even if they are doing NAT, ESP should handle it but AH won't. Neither will handle Port Address Translation, though.
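As an added illustration of the two PIX options discussed in the replies above (terminating the VPN clients on the PIX outside interface with "crypto map ... interface outside", or punching ISAKMP/ESP holes through to a router behind the PIX), here is a PIX 6.x-style configuration fragment. It is not from any poster in this thread; the interface names, pool, map and group names, the pre-shared key placeholder and all addresses (10.1.0.0/16 inside, 10.99.0.0/24 client pool, 192.0.2.10 for the router's public address) are assumptions for the example.

```cisco
! Added example, not from the thread. PIX 6.x syntax; all names and addresses are placeholders.
! Option A: terminate the remote-access IPSec clients on the PIX outside interface.

! Exempt VPN pool <-> inside traffic from NAT so decrypted packets route back correctly.
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool vpnpool 10.99.0.1-10.99.0.254

! Phase 1 (ISAKMP / IKE): this is the "ISAKMP hole" (UDP 500) to the outside address.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2: ESP (IP protocol 50) rather than AH, as the reply suggests; AH breaks under NAT.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client configuration address initiate
! Bind the crypto map to the outside interface ("crypto map xxxxxx interface outside").
crypto map clientmap interface outside

! Client group for the Cisco VPN Client; <group-psk> is a placeholder pre-shared key.
vpngroup remote address-pool vpnpool
vpngroup remote idle-time 1800
vpngroup remote password <group-psk>

! Choose one of the following two behaviours:
! (1) let decrypted IPSec traffic bypass conduit checks entirely ...
sysopt connection permit-ipsec
! (2) ... or leave that line out and write explicit conduits for the client pool, e.g.
! conduit permit tcp host 10.1.0.10 eq 443 10.99.0.0 255.255.255.0

! Option B (alternative, from the same reply): the 2610 behind the PIX terminates the tunnels,
! so instead of the crypto configuration above the PIX only needs ISAKMP and ESP let through:
! static (inside,outside) 192.0.2.10 10.1.0.1 netmask 255.255.255.255
! conduit permit udp host 192.0.2.10 eq 500 any
! conduit permit esp host 192.0.2.10 any
```

The security-relevant choice is between "sysopt connection permit-ipsec" (tunnelled traffic skips the conduits, as the reply describes for pl-compatible) and explicit conduits for the client pool; with 20 clients, writing the conduits is cheap and keeps the firewall policy in one place. Option B keeps the firewall policy intact but, as noted above, leaves traffic between the router and the PIX in the clear on that segment only if the router sits outside the PIX; behind it, the decrypted traffic is already on the private side.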

cdbush
Level 1

If you are setting up a VPN for mobile clients I would really recommend the VPN concentrators, the clients are much easier to manage this way.

If you still do not want the VPN concentrator, then use the PIX to terminate the VPNs, but both will work.

thangtran
Level 1

There are two different IPSEC modes:

1. Tunneling mode: VPN gateway to VPN gateway. The tunnel is terminated by the VPN gateways. This mode is generally used to connect a remote office (1-20 users) to the corporate network. This way you can avoid having to install the VPN client software on all users' machines. All the work is done at the VPN gateways.

2. Transport mode: Client to VPN gateway. The tunnel is initiated by the client VPN software and terminates at the VPN gateway located at the corporate site. This is what you would install on road warriors' machines with dialup accounts or machines with cable/DSL modems.

yv
Level 1

You can do it on both of them, depending on the load on the router and the amount of ACLs on the PIX.

You have to remember that VPN eats up CPU/resources by encrypting/decrypting packets, plus, depending on how many VPN ACLs you have.

You don't need a concentrator if you are planning to have VPN for up to 40 users or so.

Management of VPN is a nightmare on the PIX.

The cheapest concentrator runs for about 8-9k.

Thus, it is all based on your budget and how much hair you want to lose configuring VPN on the PIX :)

I had to make a similar decision, as you are. I have VPN terminating on my PIX; it was tough to configure it the first time, but once the tunnel was up, you don't have to worry :)

Hi,

Do you know how many concurrent users a PIX 515 can handle?