Cisco 3640 to PIX 501 site-2-site VPN performance specs.

sheidelbach
Level 1

I'm planning on setting up a hub and spoke site-2-site VPN configuration with a Cisco 3640 as the hub and PIX 501's at the remote sites. My question is around the specs I've read.


The specs for a PIX-501-BUN-K9 say PIX 501 3DES Bundle (Chassis, SW, 10 Users, 3DES).


One question is what the "10 Users" really means. Is that the limit of the number of concurrent sessions I can have over the VPN at one time, or does that mean something else?


I've also read specs that say that the Maximum number of VPN tunnels that a PIX 501 can support is 5. Since I'm only going to have one tunnel between the PIX 501 at the remote site and the 3640 at the central site, I would think I would be OK. Is that correct, or is the max tunnels value talking about the max number of concurrent sessions over the tunnel?


Thanks.


3 Replies

gfullage
Cisco Employee

Max tunnels is 5 so you'll be fine with just having 1 to a hub 3640.

A user (for your max 10 users) is someone who:

- has sent or received traffic through the PIX in the last xlate timeout seconds (five minutes with the 501 default config).

- has a UDP or TCP connection

- has a NAT session

- has a user authentication session

You can use the "show local-host" command to see how many users the PIX is currently seeing. Basically a user comes down to an IP address that has used the PIX recently; you could theoretically have 10000 users on your inside segment, but as long as only 10 of them send traffic at once within a 5-10 minute time period you'd be OK.

Cool. I figured I was OK on the tunnels.

Excellent data.

I'm not planning on using the PIX for NAT at all. Just some TCP connections (like telnet, FTP & HTTP), and SNMP. Since SNMP is UDP, and does not really have any "session" associated with it, how long would that be counted as a "user"? Still the xlate timeout, or something else? I'm thinking since I'll not really be translating the SNMP, the xlate timeout might not make much sense for that to be the timeout for SNMP.

Thanks and let me know what you think

UDP traffic still creates a session within the PIX so that the returning traffic will be allowed in. The UDP timeout is only 2 minutes though IIRC. If you bypass NAT with a "nat 0" statement then it shouldn't create an xlate I don't believe.

The actual time is difficult to say really, probably around 2 minutes for a UDP-only user, you'd probably have to do a few "sho local" commands on the PIX to really see for sure though.
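As an added illustration (not code from the thread or from Cisco) of the counting rule gfullage describes in both replies, the following Python model tracks inside hosts the way "show local-host" would count them against the 10-user limit: a host stays a "user" until its last traffic is older than the idle timeout, with the 5-minute xlate timeout for TCP/NAT traffic and the roughly 2-minute UDP session timeout for UDP-only hosts such as SNMP responders. The timeout values, the flow records and the IP addresses are constructed assumptions for the demonstration; the real PIX timers are configurable and should be read from the device.

```python
from collections import namedtuple

# Constructed idle timeouts in seconds, following the thread: the 5-minute
# xlate timeout of the 501 default config and the ~2-minute UDP timeout.
# Real values depend on the PIX "timeout" configuration.
XLATE_TIMEOUT = 300
UDP_TIMEOUT = 120
LICENSED_USERS = 10  # PIX 501 10-user bundle

# One traffic event from an inside host: timestamp (seconds), source IP, protocol.
Flow = namedtuple("Flow", "ts src proto")


def idle_timeout(proto: str) -> int:
    """Seconds after its last traffic before a host stops counting as a user.

    UDP-only hosts age out on the shorter UDP session timeout; any TCP
    connection or xlate keeps the host counted for the xlate timeout.
    """
    return UDP_TIMEOUT if proto == "udp" else XLATE_TIMEOUT


def active_hosts(flows, now):
    """Return the set of inside IPs that would still be listed as users at
    time `now`: hosts whose most recent traffic has not yet timed out."""
    expires_at = {}
    for f in flows:
        if f.ts > now:          # traffic that has not happened yet
            continue
        expiry = f.ts + idle_timeout(f.proto)
        # A host mixing UDP and TCP keeps the later of the two expiries.
        expires_at[f.src] = max(expires_at.get(f.src, 0), expiry)
    return {ip for ip, exp in expires_at.items() if exp > now}


def over_limit(flows, now, limit=LICENSED_USERS):
    """True when more hosts are active than the license allows."""
    return len(active_hosts(flows, now)) > limit


# Constructed sample: an SNMP poll sweeps 12 inside hosts (UDP, one per
# second), then host .10 opens a telnet session (TCP) at t=100.
SAMPLE_FLOWS = [Flow(ts=i, src=f"10.1.1.{10 + i}", proto="udp") for i in range(12)] + [
    Flow(ts=100, src="10.1.1.10", proto="tcp")
]

if __name__ == "__main__":
    for t in (60, 200, 450):
        hosts = active_hosts(SAMPLE_FLOWS, t)
        print(f"t={t:3d}s users={len(hosts):2d} over_limit={over_limit(SAMPLE_FLOWS, t)}")
```

Run as a script it shows 12 users at t=60 (the SNMP sweep alone exceeds the 10-user bundle while the UDP sessions are open), a single user at t=200 (the UDP sessions have aged out but the telnet host is still within the xlate timeout), and none at t=450. The point for capacity planning is that an SNMP poller touching more than 10 inside hosts within the UDP timeout window counts against the license even though no NAT is involved.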
