Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
369
Views
0
Helpful
3
Replies

How to design this network of StS tunnels

slug420
Level 1
Level 1

‎12-15-2005 07:06 PM - edited ‎03-09-2019 01:22 PM

So I have a main site with a 506e on a full T1, soon to be tiered with another 506e to create a DMZ. I also have 4 remote sites on dsl/cable connections with 501s. I have a Site to Site VPN set up from each of the 4 smaller sites back to the main site, one of the uses of which will be voip traffic.

My problem is that each of the remote sites needs to be able to connect to each other remote site. The individual who initially designed this setup was planning on traffic from one remote site going back to the main site over its tunnel, and then out to the other remote site over ITs tunnel. The problem with that (unless I am wrong) is that it would require the PIX routing traffic out the same interface it came in on which it cannot do until 7.0 which is not available on the 506e.

The only other option I can think of is a full mesh network of sts VPNs but I am concerned about the ability of the 501 to handle that many simultaneous tunnels (I am also concerned about their plan to implement normal internet traffic and voip on dsl but we will have to look in to that at another time).

Will the 501 like handling all those tunnels? Is there another method for doing this that I am not thinking of?

The internet router at the main site is a 1700 and there is a layer 3 switch (35xx) also at the main site which could be used if needed.

thanks for your help

Labels:
0 Helpful
3 Replies 3

spremkumar
Level 9
Level 9

‎12-16-2005 01:27 AM

Hi

As per the data sheet it does support 10 Simultaneous VPN Peers.

would suggest to check this link for more info..

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b18.html

Simultaneous VPN peers: 10*

* Maximum number of simultaneous site-to-site or remote access IKE Security Association (SAs) supported

I would like u to check/verify the licensing part whether u got Restricted user license or an unrestricted user license in ur pix firewalls.

regds

0 Helpful

slug420
Level 1
Level 1
In response to spremkumar

‎12-16-2005 05:46 AM

506e and 501s have an R license but 506 says IKE peers: Unlimited while 501 says 10.

Would you feel comfortable running 4 site-to-site VPNs from a 501 over a DSL connection? Think I will run into bandwidth problems since even more of it is being used by the tunnel's overhead?

I have never worked with the 501 before so I dont have any experience to draw on but something just didnt feel right when I realized I was faced with setting it up like this.

0 Helpful

jackko
Level 7
Level 7
In response to slug420

‎12-18-2005 02:58 PM

the biggest concern is the bandwidth i guess. in terms of the hardware, i mean the pix501, it should be fine.

i have a production 501 running 5 - 6 lan-lan vpns and it seems fine.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents