I have a customer with a PIX 535. The customer plans to implement a VPN solution with ca. 5000 users, and in the future 25.000 to 30.000 users. He wants to terminate the VPN sessions on the PIX. My idea is to buy a concentrator, but the biggest, the 3080, can only support 10.000 simultaneously.
1) Do you have any experience with the 3000 concentrator? Is it possible to cluster it? Do you think that with 30.000 users it is possible to have more than 10.000 simultaneous VPN requests?
2) About the design: how should the concentrator be placed? In front of the PIX or at the side of the PIX?
It would probably be better to have a cluster of 3080s in a load-balancing configuration. Remember, the 10K simultaneous connections figure is for a tunnel-everything scenario, and is also dependent on the number of networks defined in your network list. A few 3080s in a load-balancing scenario could handle your load.
For the placement, an easier design is to put the concentrator in parallel to the PIX, but a better one would be to put the outside of the concentrator on a PIX DMZ1 and then the inside interface on another PIX DMZ2 interface. That way you could filter both incoming traffic to the concentrator and the outgoing traffic from the concentrator as it goes to your internal network.