Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX 515/525 vs. VPN concentrator 3005 for Hub site

Can anyone highlight the differences between using these devices for the central site in a VPN network that would consist of 50+ dialup/ADSL remote users and say 10 site-site (10 users per site) configuration.

It is proposed to either use 515/525 to 506e for site-site or 3005 to 837 ADSL router (with software client for client-site).

The central site already has an established firewall, the VPN device would be behind this device. Are there any differences in performance, user management, cost that we should be aware of ?

My preference at the moment may be to select the 3005 to 837 ADSL router on the basis that the concentrator is a device dedicated for this purpose and the 837 would be a single device on the remote end. The PIX 506e would require a seperate ADSL router which may cause routing/nat issues.

In our (limited) experience of using client-site to a PIX device (506 in this case, but would be replaced with 515/525) we have found you have little ability to view currently connected users etc. Also an issue around transparent tunneling over UDP only has meant we can only connect clients that are behind an ADSL router and not an ADSL or dialup modem.

Also, we believe we have the option of using the CISCO VPN client or the default Microsoft LT2P connection. We may have to support clients down on NT4, 98, 2000 & XP does this have any bearing ?

Any help would be much appreciated,



Re: PIX 515/525 vs. VPN concentrator 3005 for Hub site

The 30xx support ip compression, which might be of use for dial up users - it helped make outlook 2000 performance a bit snappier for our left few dialup holdouts. The PIX does not. I don't recall if IOS does.

The cisco vpn client works on all of those OS's, regardless of what is on the back end of the IPSec tunnel. PIX now support nat traversal, so clients can connect to it with UDP encapsulation (great for when they are behind NAT). 30xx has supported this forever - first in a proprietary mode, now also with the NAT-T draft IETF standard.

The 30xx is probably the easiest to manage out of the box- through its web interface - you can see statistics, connected users, and it keeps a good amount of logs on the unit, so a lot of troubleshooting data/resources is all in one place

CreatePlease login to create content