We have an ASA 5520 in our central data center. We are putting up a small branch office of 2 people which doesn't warrant an ASA 5505. So my choices were the Linksys, Dlink, or Netgear garden variety VPN routers.
We selected a netgear prosafe, and after it was deployed we saw our user bandwidth go from 100 Mb supplied by the provider, sustainable while plugged into the provider's network equipment, hobbled down to 5 or 6 MB at the desk top.
I since learned the prodsafe has a serious limit on what real equipment might call "back plane" speed, that is to say the wan to lan-ports throughput is nothig like the gig port speed should supply. I'm pretty sure that's the crux of the problem. But then I also read that VPN tunnels have a limit to begin with....read on.
Meanwhile, researchig the Dlink DSR250, I find that it lists the firewall throughput as 45 MB and the VPN throughput as 35 MB. If I read that right the best any one user back to our main office could hope for (because of the VPN tunnel) would be 35 MB, multiple users would split that up. This appears to be related to RFC standards but I could be mistaken.
Question 1: what is the theoretical site-to-site IPSEC VPN througput on the ASA5520? That's what I have so that's going to be the final limiting factor.
Question 2: What are others using in the way of low cost devices at branch offices to form VPN tunnels (instead of using a VPN client at the workstation for example)? The Linksys 1200 allows me to "pass through" that client VPN traffic but not build a tunnel per se, at least according to the manual. I don't see the goold old WRT linksys equipment any more.
Question 3: of the devices people are using, how many are getting the throughput they would like given the service they are subscribed to? That netgear prosafe has been dismal. But I'm not sure what else is out there that would be much better.
I'd love more cisco gear but it's just not in the budget.
We tend to use Cisco devices only in VPN setups so my choice for the "low cost" would usually be ASA5505. Though you already mentioned that this is not something that you would prefer to use because of cost in small offices. I do personally like the fact that we keep the Cisco ASA or Routers as VPN devices at all the sites we manage and it keeps the whole picture easier to manage when we dont have several different vendors and ways to configure the same thing.
I also have a hard time commenting on the throughput. There are 2 reasons atleast. Most of our bigger customers have a dedicated VPN devices hosted on our datacenters so they are usually devices that will probably never reach their performance limits. I mean the VPN device is usually a model that can more than handle the throughput the customer will ever need. This is especially the case with our VPN devices that have connections for several customers.
With regards to smaller customer and customers that have the VPN device at their own site they usually have such a low bandwith connection (ASDL, ADSL2+ , Symmetric connections up to 10Mbps) that they will never reach the limits of their lower end VPN device.
Only recent expirience related to VPN throughput was when I was connecting/building a new 100/10Mbps connection for a local customer which wanted to move a Netgear VPN box from behind its old DSL connection to this new fiber connection. We immediately got calls that they were only getting below 10Mbps throughput with the VPN device and it doesnt really surprise me. I did suggest that the VPN connection would be handled through our Datacenter equipment rather than adding an extra box to the local network but I guess the remote end wants to use their own devices.
I don't personally see a Cisco ASA5505 as very big investment on its own, though I have to say the licensing related to the device is enough to drive some people off and I cant say that I like it that much either. I personally have 2 of them at home for testing. I am waiting that they would at some point reveal whats its follower in the X - series is going to be. (As ASA5505 has not been removed from the selection of ASAs yet like the other original ASA models)
Maybe you could try asking this question also on the Small Business section of the CSC? I have absolutely no expirience with those Cisco devices but to my understanding the Small Business devices might have some cheaper alternatives to Cisco ASA5505. Or then again they might be at the same pricerange with the ASA5505.
Just curious, do you or anyone have any information on the speed that Cisco's VPN client is theoretically capable of? It occurs to me maybe the answer is to dispense with a tunnel on these low-end devices and use the VPN client....
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...