1. Go with Cisco. I am a 2xMCSE, for what it is worth, but almost always recommend the Cisco client route:
The Cisco client has a feature where it works behind NAT routers.
By separating the VPN from the NT/2K environment, all of your eggs aren't in one basket - if the server has issues, you might still be able to VPN to the PIX and diagnose it, whereas when the server is the VPN head end you=toast.
2. PIX 501 allows 10 concurrent VPN tunnels, max, be they site-to-site tunnels or end-user tunnels.
3. Client software should be on the CD that came with the PIX, as well as downloadable via your TAC account. Software is free, and no user counts on it - you can install it on 10k PCs, even though your PIX 501 only supports 10 tunnels. Another huge plus for the Cisco solution.