
CPU utilization

The_guroo_2
Level 2

Hi guys, we have a VPN concentrator which has a few VPNs and is doing NAT (static and PAT) as well. One of our customers has added a huge number of servers, so we have to do hundreds of static and PAT rules. We have a really large number of customers, which is growing, and so does the NAT in the VPN concentrator.

I am a bit concerned and want to know what the best way is to check how my VPN concentrator is doing.

As we all know, it's a GUI. I tried to check a few things but couldn't get any info. The model number is 3015.

I just want to know how many more NAT rules it can take before it dies on me :-) as I can't afford it.

Thanks guys

Is there any way we can check the percentage it is working at on CPU and so on? I tried to see it but had no success.

3 Replies

JORGE RODRIGUEZ
Level 10

Hi,

You can find all you need regarding device CPU utilization in the administration guide, under the monitoring and system status sections.

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/administration/admon.html

I was not able to find any NAT rule limitations under the Policy Management NAT section. You can double-check in the latest version code 4.7 configuration guide.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_installation_and_configuration_guides_list.html

I would recommend looking into a VPN migration path, as the VPN 3000 series concentrators are end of life.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html

Regards

Jorge Rodriguez

Thanks for that. Now, you are right, these items are end of sale, so we have to go to a new device. I need your help with that. We have an internet router, then we have a VPN concentrator (which terminates VPN over the internet) and does NAT as well. The VPN concentrator is connected to a firewall which has policies and stuff. The firewall is a PIX.

So if I have to change/upgrade it, ASA is the option. Should I get two ASAs, one to terminate VPN (just like the VPN concentrator) and the other to replace the PIX, or should I get only one to do both jobs? What do you recommend?

Thanks again

Hi,

Since you have the concentrator terminating VPN connections and the PIX doing the access control list, you can actually have the ASA firewall do both tasks, that is, firewalling and VPN gateway. The question would probably be how to plan the consolidation of two devices into one platform with minimal downtime. This is probably another thread, but it is indeed possible; it is a matter of getting the right tools/resources and good planning.

In addition, I should add that it is not required but recommended to implement some kind of failover architecture with Active/Standby firewalls, so you should plan for two ASA firewalls for the failover architecture migration and deployment, to ultimately provide for all functions of firewalling, NATing, VPNing, routing, etc. at your internet perimeter.

Below are some good references to plan your migration.

PIX to ASA migration guide

http://www.cisco.com/en/US/partner/docs/security/asa/migration/guide/pix2asa.html

There are some good references and software tools, such as the PIXtoASA conversion software, found in the above link to help you migrate PIX to ASA.

As for the VPN concentrator, I am not aware of any software tools, but I have come across some threads here where Cisco (internal) may be able to assist you in conversions for the VPN concentrators. I'm not able to verify this.

But overall you can find pretty much all you need pertaining to migration guides here, including VPN concentrator to ASA.

http://www.cisco.com/en/US/partner/products/ps6120/prod_installation_guides_list.html

Regards

Jorge Rodriguez