04-30-2004 08:41 AM - edited 02-20-2020 11:22 PM
We want to connect our branch offices with VPN using PIXes. What are the ups and downs of using PIXes vs. using regular Cisco routers to do this?
05-06-2004 07:21 AM
If your firewall is able to handle the current load with ease and is likely not to be stressed out after configuring for VPN, then you really don't have to worry about a thing. The question would become pertinent if your PIX slows down and does not deliver the required level of performance. In that case you could consider configuring the perimeter router for IPsec.
08-08-2004 07:59 PM
How do I know if my VPNs are stressed out? Is there something logged? I will lose my tunnel about once a month for no particular reason and am wondering if this is the cause.
12-06-2004 10:33 PM
More importantly... do you need to connect spoke to spoke? If so, you'll need to use a router at the hub.
12-07-2004 12:34 PM
David has identified an important point: in the architecture of the PIX, a packet that arrives on the public interface cannot be forwarded back out the public interface. So spoke-to-spoke communication does not work (nor do situations where a remote office has a VPN connection to corporate and a user from that office is away and wants to VPN in from their traveling location: they can access resources at corporate but not at their home office). This has surprised several people that I have worked with.
A somewhat more intangible factor may be the architecture and syntax of the devices. The PIX has its own operating system, its own architecture, and its own syntax for configuration and for management. Some people will favor the router solution because it is more familiar and there is less new stuff to learn when doing VPNs with routers. If you already have someone on your staff who is familiar with PIX then this would be less of a consideration.
HTH
Rick
12-19-2004 06:30 PM
Could you explain that better for me?
Thanks!
12-19-2004 07:16 PM
I will try to be a little more clear.
If you have multiple remote sites connected to the central site in a hub-and-spoke architecture and you implement the VPN with a PIX, each spoke can communicate with the hub (central site) but not with other spokes. If you implement it with a router (or a VPN concentrator), then spokes can communicate with other spokes as well as with the hub.
If you are familiar with configuration with IOS (global config, interface config, etc) then configuration and troubleshooting of IPSec will be easier if you implement IPSec on a router. If you implement IPSec on a PIX there is a new syntax to learn (and a different architecture to understand) which may make it more difficult to do.
HTH
Rick
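As an added illustration of Rick's point (this is example configuration written for this page, not from the thread or from Cisco documentation), here is a hub router carrying two spoke tunnels where spoke-to-spoke traffic transits the hub. The addresses, interface names, key strings and ISP next hop are all assumed. The essential detail is that each spoke's crypto ACL on the hub also lists the other spoke's LAN: a packet from spoke1 to spoke2 is decrypted on the hub, routed back out the same outside interface, and re-encrypted under the crypto map entry for spoke2, which a router permits but a PIX of that era does not.

```cisco
! ---- Hub router (assumed: outside 198.51.100.1, LAN 10.0.0.0/24) ----
! Spokes assumed: spoke1 198.51.100.2 / 10.0.1.0/24, spoke2 198.51.100.3 / 10.0.2.0/24
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key Spoke1Key address 198.51.100.2
crypto isakmp key Spoke2Key address 198.51.100.3
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Crypto ACLs: the entry for each spoke also covers the OTHER spoke's LAN,
! so a spoke-to-spoke packet that the hub has just decrypted matches an SA
! on its way back out and is re-encrypted toward the second spoke.
ip access-list extended TO-SPOKE1
 remark hub LAN and spoke2 LAN -> spoke1 LAN
 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended TO-SPOKE2
 remark hub LAN and spoke1 LAN -> spoke2 LAN
 permit ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address TO-SPOKE1
crypto map VPN 20 ipsec-isakmp
 set peer 198.51.100.3
 set transform-set TS
 match address TO-SPOKE2
!
interface Serial0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN
!
! The spoke LANs must route out the crypto-mapped interface; a default route
! to the (assumed) ISP next hop is enough here.
ip route 0.0.0.0 0.0.0.0 198.51.100.254
!
! ---- Spoke1 router (assumed: outside 198.51.100.2, LAN 10.0.1.0/24) ----
! Mirror image with a single peer (the hub). Its crypto ACL lists the hub LAN
! AND spoke2's LAN, so spoke2-bound traffic enters the tunnel instead of
! being routed toward the Internet in the clear.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key Spoke1Key address 198.51.100.1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
ip access-list extended TO-HUB
 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address TO-HUB
interface Serial0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map VPN
ip route 0.0.0.0 0.0.0.0 198.51.100.254
```

Spoke2 is configured the same way with its own addresses. After bringing the tunnels up, `show crypto ipsec sa` on the hub should show two SA pairs per spoke (one for the hub LAN, one for the other spoke's LAN), and a ping from a spoke1 host to a spoke2 host should increment the encap counters on both. NAT exemption for the 10.0.0.0/8 ranges is omitted here but is needed on any device that also NATs Internet traffic.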
12-23-2004 09:42 AM
What Rick says is correct.
Here is a situation for you that might help you understand it a bit better. Let's say you have 6 remote branches connected via VPN to a central office. You're using PIXen at each location to do your VPN. You are in charge of maintaining the VPN, and your location is also a remote branch office connected via VPN to the central office. Sitting at your desk, you will not be able to connect to another PIX at a remote branch office to manage it over the VPN, nor will you be able to hit any shares on any workstations at the remote branch offices from your desk. To do this, you'll either need to be at the central office (the hub of all the VPN connections), or use remote desktop to access a PC at the central office and do your managing from there. Does that help make things a little more clear?
Everything Rick says is true about the PIX as of right now. My understanding is that when the new PIX operating system is released sometime next year, the PIX will be able to do the routing necessary to accomplish the situation I described above. I also understand that the new operating system is going to be a lot more like IOS in terms of syntax. I suspect that by this time next year, all PIXen should be supported under the new operating system.
That doesn't do anything for you right now, but I just thought you should know that Cisco knows this is an "issue" and it's going to get fixed.
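For reference, the operating system anticipated in the post above became PIX 7.0, which added the `same-security-traffic permit intra-interface` command to allow a packet to leave by the interface it arrived on. The fragment below is an added example written for this page, not part of the thread; addresses, names and keys are assumed and match the router example earlier, and NAT exemption is omitted.

```cisco
! Hub PIX running 7.0 or later (assumed: outside 198.51.100.1, inside 10.0.0.0/24;
! spoke1 198.51.100.2 / 10.0.1.0/24, spoke2 198.51.100.3 / 10.0.2.0/24)
!
! Without this line the PIX keeps the 6.x behaviour described in the thread:
! a decrypted packet whose route points back out "outside" is dropped.
same-security-traffic permit intra-interface
!
! As on the router, each spoke's crypto ACL also covers the other spoke's LAN,
! otherwise the hairpinned packet matches no SA and is not re-encrypted.
access-list TO-SPOKE1 extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list TO-SPOKE1 extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list TO-SPOKE2 extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list TO-SPOKE2 extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPN 10 match address TO-SPOKE1
crypto map VPN 10 set peer 198.51.100.2
crypto map VPN 10 set transform-set TS
crypto map VPN 20 match address TO-SPOKE2
crypto map VPN 20 set peer 198.51.100.3
crypto map VPN 20 set transform-set TS
crypto map VPN interface outside
!
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp key Spoke1Key address 198.51.100.2
isakmp key Spoke2Key address 198.51.100.3
```

On a PIX still running 6.x the first command does not exist, which is the practical test for whether a given box can act as a spoke-to-spoke hub at all.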
01-23-2005 09:55 PM
Thank you for the information. I purchased two PIX 501 devices to connect two networks. It is a pretty simple configuration and I don't think I need a router, but the traffic in one direction is super slow.
Network A contains about 20 computers and connects to the internet through a cable modem and a PIX 501.
Network B has a T1 connection and a pix 501 but only about 5 computers.
My problem is that the VPN speed that the people on Network B experience when trying to connect to Network A is as slow as or slower than a dialup connection.
Do you think the problem is in the configuration of one of the PIX devices, the cable modem, or do I need additional hardware (Router?) at one end?
Thanks,
Jeff