Should not make a difference either way. You might want to keep it PIX to PIX if end-user VPN management is a different person's responsibility from the site-to-site VPN tunnel person. No big deal using either.
I am thinking of using the PIX-506E at each remote office vs. using a 1751 router or something like that. Also, possibly not even using a VPN concentrator (to save money), and just have users that want remote access VPN into the PIX at the main location (515E)...along with the other IPSec tunnels from the 4 other offices.
Hmmm, you really don't need a PIX at the remote offices. You can terminate your VPN using the 1751s. That's what we do here: I've got 4 remote locations with 1720s, terminating into our PIX 550 at the central location. Just make sure you use the latest IOS with IPSec capabilities.
Thanks for the reply. I take it if I go that route (with the routers at the remote offices), then each remote office will still be able to communicate to the other ones via the hub (PIX 515E at the central location)?
Like remote office--->central location--->other remote office, and vice-versa.
In addition to my last post...if I go with the 1721s at each location, would it be better to terminate on the 2651 router at the HQ that is before the PIX, then just allow the remote offices' subnets to pass through the PIX to the internal net?
For remote access VPN for traveling users, I would go with a concentrator, like the VPN3000; it's much more manageable and flexible than trying to terminate VPN clients to the PIX. You can also use NT domain authentication. I don't think the PIX can do that; in fact, I know you can't.
There will be 4 remote offices. I've looked at using GRE IPSec tunnels for future use; right now, just IPSec tunnels will do. But in the event that we roll out VoIP or something like that...I think that I would need to use GRE between the sites, right? And I know that GRE tunnels cannot terminate on a PIX.