PIX 515/525 vs. VPN concentrator 3005 for Hub site
Can anyone highlight the differences between using these devices for the central site in a VPN network that would consist of 50+ dialup/ADSL remote users and say 10 site-site (10 users per site) configuration.
It is proposed to either use 515/525 to 506e for site-site or 3005 to 837 ADSL router (with software client for client-site).
The central site already has an established firewall, the VPN device would be behind this device. Are there any differences in performance, user management, cost that we should be aware of?
My preference at the moment may be to select the 3005 to 837 ADSL router on the basis that the concentrator is a device dedicated for this purpose and the 837 would be a single device on the remote end. The PIX 506e would require a separate ADSL router which may cause routing/NAT issues.
In our (limited) experience of using client-site to a PIX device (506 in this case, but would be replaced with 515/525) we have found you have little ability to view currently connected users etc. Also an issue around transparent tunneling over UDP only has meant we can only connect clients that are behind an ADSL router and not an ADSL or dialup modem.
Also, we believe we have the option of using the Cisco VPN client or the default Microsoft L2TP connection. We may have to support clients down on NT4, 98, 2000 & XP; does this have any bearing?
Re: PIX 515/525 vs. VPN concentrator 3005 for Hub site
The 30xx supports IP compression, which might be of use for dial up users - it helped make Outlook 2000 performance a bit snappier for our last few dialup holdouts. The PIX does not. I don't recall if IOS does.
The Cisco VPN client works on all of those OSes, regardless of what is on the back end of the IPSec tunnel. PIX now supports NAT traversal, so clients can connect to it with UDP encapsulation (great for when they are behind NAT). 30xx has supported this forever - first in a proprietary mode, now also with the NAT-T draft IETF standard.
The 30xx is probably the easiest to manage out of the box - through its web interface - you can see statistics, connected users, and it keeps a good amount of logs on the unit, so a lot of troubleshooting data/resources is all in one place.