VPN routing with PIXes vs routers

JeffFrancis
Level 1

We want to connect our branch offices with VPN using PIXes. What are the ups and downs of using PIXes vs. using regular Cisco routers to do this?

8 Replies

drolemc
Level 6

If your firewall is able to handle the current load with ease and is likely not to be stressed out after configuring for VPN, then you really don't have to worry about a thing. The question would become pertinent if your PIX slows down and does not deliver the required level of performance. In that case you could consider configuring the perimeter router for IPsec.

How do I know if my VPNs are stressed out? Is there something logged? I will lose my tunnel about once a month for no particular reason and am wondering if this is the cause.

More importantly... do you need to connect spoke to spoke? If so, you'll need to use a router at the hub.

David has identified an important point - in the architecture of the PIX a packet that arrives on the public interface cannot be forwarded out the public interface. So spoke to spoke communication does not work (or situations where a remote office has a VPN connection to corporate and a user from that office is away and wants to VPN in from their traveling location. They can access resources at corporate but not at their home office.) This has surprised several people that I have worked with.

A somewhat more intangible factor may be the architecture and syntax of the devices. The PIX has its own operating system, its own architecture, and its own syntax for configuration and for management. Some people will favor the router solution because it is more familiar and there is less new stuff to learn when doing VPNs with routers. If you already have someone on your staff who is familiar with PIX then this would be less of a consideration.

HTH

Rick

Could you explain that better for me?

Thanks!

I will try to be a little more clear.

If you have multiple remote sites connected to the central site in a hub and spoke architecture, if you implement VPN with a PIX each spoke can communicate with the hub (central site) but not with other spokes. If you implement that with a router (or a VPN concentrator) then spokes can communicate with spokes as well as with the hub.

If you are familiar with configuration with IOS (global config, interface config, etc) then configuration and troubleshooting of IPSec will be easier if you implement IPSec on a router. If you implement IPSec on a PIX there is a new syntax to learn (and a different architecture to understand) which may make it more difficult to do.

HTH

Rick
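A hub-and-spoke IOS configuration of the kind Rick describes, as an added example that is not part of the original thread or of anyone's posted config. All addressing is assumed: hub public 203.0.113.1 with LAN 10.0.0.0/24, spoke A public 198.51.100.10 with LAN 10.1.0.0/24, spoke B public 198.51.100.20 with LAN 10.2.0.0/24; the ACL names, crypto map name and pre-shared key are placeholders. The point is in the crypto ACLs: for spoke-to-spoke traffic to cross the hub, the hub's ACL for each spoke must also cover the other spoke's subnet, and each spoke's own ACL must list the other spoke's subnet as a destination.

```text
! ===== Hub router (added example; addresses and names are assumed) =====
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! one key per peer; EXAMPLE-PSK is a placeholder, use a long random value per site
crypto isakmp key EXAMPLE-PSK-A address 198.51.100.10
crypto isakmp key EXAMPLE-PSK-B address 198.51.100.20
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Tunnel to spoke A must carry hub LAN -> A LAN *and* B LAN -> A LAN
ip access-list extended VPN-TO-A
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
! Tunnel to spoke B must carry hub LAN -> B LAN *and* A LAN -> B LAN
ip access-list extended VPN-TO-B
 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
crypto map HUB 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS
 match address VPN-TO-A
crypto map HUB 20 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set TS
 match address VPN-TO-B
!
interface FastEthernet0/0
 description public
 ip address 203.0.113.1 255.255.255.0
 crypto map HUB
!
ip route 0.0.0.0 0.0.0.0 203.0.113.254

! ===== Spoke A (mirror image; spoke B is the same with 10.1 and 10.2 swapped) =====
ip access-list extended VPN-TO-HUB
 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
crypto map SPOKE 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TO-HUB
```

Trace a packet from 10.1.0.5 to 10.2.0.7: spoke A matches line 2 of VPN-TO-HUB and encrypts it to the hub; the hub decrypts it on FastEthernet0/0, looks up 10.2.0.0/24, follows the default route back out FastEthernet0/0, matches line 2 of VPN-TO-B and re-encrypts it toward spoke B. That second step, forwarding a decrypted packet out the same public interface it arrived on, is exactly the hairpin the PIX of that era refused. Two checks worth doing on the hub: the crypto ACLs on both ends of each tunnel should be exact mirrors (mismatched proxy identities are the usual cause of a tunnel that comes up for hub traffic but not for spoke-to-spoke), and if the hub also does NAT for Internet access, the 10.x-to-10.x traffic must be excluded from NAT or it will be translated before it ever matches the crypto map.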

What Rick says is correct.

Here is a situation for you that might help you understand it a bit better. Let's say you have 6 remote branches connected via VPN to a central office. You're using PIXen at each location to do your VPN. You are in charge of maintaining the VPN, and your location is also a remote branch office connected via VPN to the central office. Sitting at your desk, you will not be able to connect to another PIX at a remote branch office to manage it over the VPN, nor will you be able to hit any shares on any workstations at the remote branch offices from your desk. To do this, you'll either need to be at the central office (the hub of all the VPN connections), or use remote desktop to access a PC at the central office and do your managing from there. Does that help make things a little more clear?

Everything Rick says is true about the PIX as of right now. My understanding is that when the new PIX operating system is released sometime next year, the PIX will be able to do the routing necessary to accomplish the situation I described above. I also understand that the new operating system is going to be a lot more like IOS in terms of syntax. I suspect that by this time next year, all PIXen should be supported under the new operating system.

That doesn't do anything for you right now, but I just thought you should know that Cisco knows this is an "issue" and it's going to get fixed.

Thank you for the information. I purchased two 501 PIX devices to connect two networks. It is a pretty simple configuration and don't think I need a router, but the traffic in one direction is super slow.

Network A contains about 20 computers and connects to the internet through a cable modem and a PIX 501.

Network B has a T1 connection and a pix 501 but only about 5 computers.

My problem is that the VPN speed that the people on Network B experience when trying to connect to Network A is slower than a dialup connection.

Do you think the problem is in the configuration of one of the PIX devices, the cable modem, or do I need additional hardware (Router?) at one end?

Thanks,

Jeff
