Can you pls describe what the fundamental differences / advantages / disadvantages are between terminating VPN's at a PIX vs. a Concentrator like the 3000?
The reason for which I ask is because my firm currently VPN's many client networks back to a PIX 520 located at our ISP's bunker. We are starting to run into the situation where we (as we aquire more customers) are having duplicate internal IP schemes on the access-lists that make our tunnels on the PIX config. For example, we have one customer for some time now who has internal adx of 172.16.X.X. Recently we found out we had taken another client on with the same address. I am now faced with coming up with a solution so that we can VPN both customer networks ( and any other duplicate internal schemes that we may face moving forward) to our bunker...
The VPN concentrators work best for user to site VPNs (as opposed to site to site). The PIX work best as a firewall, and then a VPN concentrator.
My preference would be to use an IOS based router for this scenario. With an IOS "VPN concentartor" you can use things like NAT to hide other peoples addresses schemes, apply traffic shapping, QOS, etc.
Thanks for your recommendation. Now another question. Do IOS routers have the ability to be tunnel end points. I am unsure if they can do the key negiotiation/ or the Security Associations as defined on the PIX...