Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
496
Views
0
Helpful
3
Replies

PIX -vs- IOS VPN. What is better?

evanderb
Level 1
Level 1

‎04-24-2002 06:23 AM - edited ‎02-21-2020 11:42 AM

I am looking for input on what solution is better for implementing an IPSEC VPN for LAN-to-LAN connectivity. The remote sites will require dial backup. Any input regarding your experiences or research is appreciated.

Labels:
0 Helpful
3 Replies 3

Philip D'Ath
VIP Alumni
VIP Alumni

‎04-29-2002 02:44 AM

If you need dial backup, then you are almost certainly going to be better off using IOS baed VPN's. I'd consider running GRE over IPSec, and run a dynamic routing protocol, so you can detect IPSec failure.

0 Helpful

fc
Level 1
Level 1
In response to Philip D'Ath

‎04-29-2002 04:34 AM

Isn't throughput a consideration in choosing between the PIX and the IOS-based fiewall feature set on a particular router?

Isn't the context-based access control (CBAC) firewall fairly processor-intensive that can slow throughput?

We're considering using 806's with the firewall feature set for this purpose.

Thanks in advance for your advice!

F C Wood

fc@wood.org

0 Helpful

ntdude
Level 1
Level 1
In response to fc

‎05-02-2002 10:27 AM

I would recommend a PIX if this is going to be right on the edge of the network (near/on the internet). Depending on the number of VPN's you will have you might consider something like a 515-e that comes with the hardware encryption card.

The PIX will afford you stateful inspection capabilities right off the back versus a router w/FW IOS that will use CBAC to gain this capability (utilizinf ACLs and inspect statements).

Since you need dial backup, I assume you mean ISDN. Is this going to be to an ISP or direct site to site ISDN DDR.

If it is going to be direct site DDR you could run BGP on the internet router, pass it through the PIX to a router on the internal network running BGP that is configured for ISDN DDR to the sites. You can then build a configuration that uses route-maps on the internal router to redistribute a different costed route for the networks that would normally run over the VPN if the serial interface to the ISP fails.

If you are going to dial an ISP just have the internet router or another router outside the PIX, firewall, concentrator dial the ISP and resume your VPN's.

It doesn't really matter what you use for the VPN's if this is the way you are going to go.

I am speculating and just proposed different ways from your description. I use IOS FW routers, PIXes, and VPN concentrators currently, but each has it's place.

Are you looking to use this as an internet firewall as well or just VPN's and what kind of dial backup are you talking about (ISP - VPN or Point to point DDR)?

The VPN Concentrator is the easiest to configure, it is secure and at the 3030 level utilizes the hardware encryption card "SEP" which is pretty fast. The PIX is the most robust, especially when using it as a true firewall and VPN device with the hardware encryption card. The IOS router with the encryption card also serves a purpose but I would not recommend it without other protection (i.e. firewall(s) in fromt&/behind ) in place.

The concentrators only minor drawback is that it does not support AH, it only supports ESP; while both the IOS and PIX support both. AH makes things a little easier if trying to form a VPN connection to other non Cisco Devices - Nortel Connectivity, Nokia, etc...)

In any of the devices, I would recommend the hardware encryption card functionality if you are going to have quite a few vpn's (Lan to Lan or Client).

Let me know, I am curious.

Mike

0 Helpful
Customers Also Viewed These Support Documents