Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX 501 Limitations

I am preparing to implement the PIX 501 in a couple remote offices. We are planning on using the 501 and PPPoE over a DSL connection. We have 7 users at one of the sites. When reading through the documentation it says that the 501 can handle 5 simultaneous VPN connections. Does anybody know if this is inbound (to the remote site) or out bound (from the remote site). We plan on installing the VPN Client on the workstations at the remote site and create the tunnels out to HQ.Any information would be appreciated.

New Member

Re: PIX 501 Limitations


The VPN connections mentioned reffers to VPN tunnels that the pix own interface is one of it endpoints, which is not the case you planned.

But you will might have other problems with the end users connecting to the main office via NAT at the pix and/or at the DSL device.

An alternative and I think a better design is to implement site to site VPN tunnels from the remote pix501 devices to the main office.

Each such tunnel will serve all remote clients behind it and will not be limitted by number of clients.


Yizhar Hurwitz

New Member

Re: PIX 501 Limitations

Each PIX 501 in your remote offices will be limited to 5 VPN tunnels (Inbound/Outbound) at any one time. This means that if you have 5 remote users connecting to the remote office at the same time, a sixth user will not be able to establish a connection until one of the others disconnects. It seems to me that since your users are actually "at" the site and not mobile, a "PIX-to-PIX" VPN would be a better solution. This way all internal users will have access to the remote site utilizing a single PIX-to-PIX tunnel. This would leave four tunnels left over you could use for mobile users configured with Cisco VPN Client or four more PIX-to-PIX tunnels for your other office locations to connect to your HQ. (Note: In a PIX-to-PIX tunnel there will be no need for your internal workstations to run the Cisco VPN Client since the PIX itself handles the authentication.) (Only mobile users or home users connecting via ISP will have to run the Client.) Hope this helps and makes sense!

New Member

Re: PIX 501 Limitations

Thanks muchs for the information, it makes perfect sense. This is exacly what I had thought, however my corportate HQ was stating the contrary. Since my original posting my HQ has decided to implement the Pix-to-Pix solution. Thanks again for the info.