
New Member

Terminating IPSec VPN tunnels.

What would anyone recommend as far as terminating a remote office's IPSec VPN tunnel into a PIX versus terminating it into a VPN Concentrator?

Thanks

8 REPLIES
Silver

Re: Terminating IPSec VPN tunnels.

Should not make a difference either way. You might want to keep it PIX to PIX, if end user VPN management is a different person's responsibility from the site-to-site VPN tunnel person. No big deal using either.

New Member

Re: Terminating IPSec VPN tunnels.

I am thinking of using the PIX-506E at each remote office vs. using a 1751 router or something like that. Also, possibly not even using a VPN concentrator (to save money), and just have users that want remote access VPN into the PIX at the main location (515E)...along with the other IPSec tunnels from the 4 other offices.

Sound like a plan?

New Member

Re: Terminating IPSec VPN tunnels.

Hmmm, you really don't need a PIX at the remote offices; you can terminate your VPN using the 1751s. That's what we do here. I've got 4 remote locations with 1720s, terminating into our PIX 550 at the central location. Just make sure you use the latest IOS with IPSec capabilities.

New Member

Re: Terminating IPSec VPN tunnels.

Thanks for the reply. I take it if I go that route (with the routers at the remote offices), then each remote office will still be able to communicate to the other ones via the hub (PIX 515E at the central location)?

Like remote office--->central location--->other remote office, and vice-versa.

Thanks again.

New Member

Re: Terminating IPSec VPN tunnels.

In addition to my last post...if I go with the 1721s at each location, would it be better to terminate on the 2651 router at the HQ that is before the PIX, then just allow the remote offices' subnets to pass through the PIX to the internal net?

New Member

Re: Terminating IPSec VPN tunnels.

OK, first, you can actually "map" your VPN tunnel between the remote offices. 1751 <--> 1751, like a mesh topology. That's what we do as well.

I would not recommend terminating to the 2651 at HQ; the PIX can handle it better than the router.

You're going to get into some tricky ACLs on the 1751s, but it's manageable. How many sites are you talking about here?
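
In the mesh design mentioned in the reply above, every router carries one crypto ACL entry per peer, and the entries at the two ends of each tunnel must mirror each other. The following is an added example, not part of the original thread or any poster's configuration: a Python script that generates those entries and flags pairs that do not mirror. The site names and subnets are constructed assumptions.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample: one HQ plus four remote offices (names and subnets are assumptions).
SITES = {
    "hq": "10.0.0.0/24",
    "office1": "10.1.0.0/24",
    "office2": "10.2.0.0/24",
    "office3": "10.3.0.0/24",
    "office4": "10.4.0.0/24",
}

def crypto_acl(local, remote):
    """Body of an IOS extended-ACL line selecting local->remote traffic for IPSec."""
    l, r = ip_network(local), ip_network(remote)
    return f"permit ip {l.network_address} {l.hostmask} {r.network_address} {r.hostmask}"

def full_mesh(sites):
    """Crypto ACL entries for a full mesh, as {site: {peer: acl_line}}."""
    return {a: {b: crypto_acl(sites[a], sites[b]) for b in sites if b != a}
            for a in sites}

def tunnel_count(sites):
    """Number of site-to-site tunnels a full mesh needs: n*(n-1)/2."""
    return len(list(combinations(sites, 2)))

def mirror(line):
    """Swap source and destination of a 'permit ip src wild dst wild' line."""
    _, _, src, src_wild, dst, dst_wild = line.split()
    return f"permit ip {dst} {dst_wild} {src} {src_wild}"

def unmirrored(config):
    """Return (site, peer) pairs whose entry is not the exact mirror of the peer's."""
    bad = []
    for site, peers in config.items():
        for peer, line in peers.items():
            if config.get(peer, {}).get(site) != mirror(line):
                bad.append((site, peer))
    return bad

if __name__ == "__main__":
    cfg = full_mesh(SITES)
    print(f"{tunnel_count(SITES)} tunnels, {len(cfg['hq'])} ACL entries per site")
    for peer, line in cfg["office1"].items():
        print(f"office1 -> {peer}: {line}")
    print("unmirrored pairs:", unmirrored(cfg))
```
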

New Member

Re: Terminating IPSec VPN tunnels.

One more thing...

For remote access VPN for traveling users, I would go with a concentrator, like the VPN3000; it's much more manageable and flexible than trying to terminate VPN clients to the PIX. You can also use NT domain authentication; I don't think the PIX can do that. In fact, I know you can't.

New Member

Re: Terminating IPSec VPN tunnels.

There will be 4 remote offices. I've looked at using GRE IPSec tunnels for future use; right now, just IPSec tunnels will do. But in the event that we roll out VoIP or something like that...I think that I would need to use GRE between the sites, right? And I know that GRE tunnels cannot terminate on a PIX.
