Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX -vs- IOS VPN. What is better?

I am looking for input on what solution is better for implementing an IPSEC VPN for LAN-to-LAN connectivity. The remote sites will require dial backup. Any input regarding your experiences or research is appreciated.

VIP Purple

Re: PIX -vs- IOS VPN. What is better?

If you need dial backup, then you are almost certainly going to be better off using IOS baed VPN's. I'd consider running GRE over IPSec, and run a dynamic routing protocol, so you can detect IPSec failure.

New Member

Re: PIX -vs- IOS VPN. What is better?

Isn't throughput a consideration in choosing between the PIX and the IOS-based fiewall feature set on a particular router?

Isn't the context-based access control (CBAC) firewall fairly processor-intensive that can slow throughput?

We're considering using 806's with the firewall feature set for this purpose.

Thanks in advance for your advice!

F C Wood

New Member

Re: PIX -vs- IOS VPN. What is better?

I would recommend a PIX if this is going to be right on the edge of the network (near/on the internet). Depending on the number of VPN's you will have you might consider something like a 515-e that comes with the hardware encryption card.

The PIX will afford you stateful inspection capabilities right off the back versus a router w/FW IOS that will use CBAC to gain this capability (utilizinf ACLs and inspect statements).

Since you need dial backup, I assume you mean ISDN. Is this going to be to an ISP or direct site to site ISDN DDR.

If it is going to be direct site DDR you could run BGP on the internet router, pass it through the PIX to a router on the internal network running BGP that is configured for ISDN DDR to the sites. You can then build a configuration that uses route-maps on the internal router to redistribute a different costed route for the networks that would normally run over the VPN if the serial interface to the ISP fails.

If you are going to dial an ISP just have the internet router or another router outside the PIX, firewall, concentrator dial the ISP and resume your VPN's.

It doesn't really matter what you use for the VPN's if this is the way you are going to go.

I am speculating and just proposed different ways from your description. I use IOS FW routers, PIXes, and VPN concentrators currently, but each has it's place.

Are you looking to use this as an internet firewall as well or just VPN's and what kind of dial backup are you talking about (ISP - VPN or Point to point DDR)?

The VPN Concentrator is the easiest to configure, it is secure and at the 3030 level utilizes the hardware encryption card "SEP" which is pretty fast. The PIX is the most robust, especially when using it as a true firewall and VPN device with the hardware encryption card. The IOS router with the encryption card also serves a purpose but I would not recommend it without other protection (i.e. firewall(s) in fromt&/behind ) in place.

The concentrators only minor drawback is that it does not support AH, it only supports ESP; while both the IOS and PIX support both. AH makes things a little easier if trying to form a VPN connection to other non Cisco Devices - Nortel Connectivity, Nokia, etc...)

In any of the devices, I would recommend the hardware encryption card functionality if you are going to have quite a few vpn's (Lan to Lan or Client).

Let me know, I am curious.


CreatePlease to create content