VPN 3000 or PIX 535

aessome · ‎04-11-2002

Hello VPN Guru !

i have a customer with PIX 535. the customer plan to implement VPN solusion with ca 5000 User and for the futur 25.000 to 30.000 users. He want to terminate the vpn session on the PIX. my Idee ist to buy a concentrator but the bigest 3080 can only support 10.000 simultant.

1) do yo have any experience with the 3000 concentrator ? it is possble to cluster it ? do you think by 30.000 user is possible to have more than 10.000 simultant VPN request?

2) about the design how to place the concentrator ? on front auf the PIX or on the site of the PIX ?

thank for any help and recomandation

cjacinto · ‎04-11-2002

It would probably be better to have a cluster of 3080 on a load balancing configuration. Remember the 10K simultaneous connection is on a tunnell everything scenario, and is also dependent on the no. of your

networks defined on your network list. A few 3080

in load balancing scenario could handle your load.

For the placement, an easier design is to put the concentrator in parallel to the PIX, but a better one would be to put the outside of the concentrator on a PIX DMZ1 and then the inside interface on another PIX DMZ2 interface. That way you could filter both incoming traffic to the concentrator and the outgoing

traffic from the concentrator as it goes to your internal network.

aessome · ‎04-11-2002

thanx cris.

aessome · ‎04-11-2002

if you put the outside of the concentrator on a PIX DMZ1 and then the inside interface on another PIX DMZ2 interface, this mind the PIX will have a tunnel offen to dmz1 to dmz2 is ther no risk?

do you have any cisco page how to cluster th concentrator

thank