Another VPN question 1

[scottdware]

I posted a topic yesterday about terminating IPSec VPN tunnels on a PIX rather than on a router.

Does anyone have any experience with terminating the tunnels on a VPN concentrator instead of a PIX.

If so, what would be a better solution possibly?

Thanks

 

[themut]

Both devices are capable of terminating VPN connections and both devices are really good at it. The VPN 3000 concentrator is easier to configure and it was design specifically for VPN while the PIX was design for security purposes and VPN capabilities were added. The PIX has one restriction which is it cannot route packets back on the same interface they arrived. The concentrator doesn't have this restriction but depending on your design this issue may not affect you. I prefer the VPN 3000 interface it is very intuitive to configure the VPN tunnels. On the other hand I prefer the debugs displayed by the PIX when I am troubleshooting problems. If you are planning to have a several LAN-to-LAN VPN connections plus VPN clients connecting I then the VPN 3000 concentrator would be the device to use. On the other hand, if you only need a few LAN-to-LAN tunnels and/or VPN clients then the PIX would be the choice since you may already have a PIX but not a VPN concentrator. Anyway that's my two cents...

 

[lgarner]

As I recall, the VPN concentrators also allow only VPN traffic and therefore can't be used as firewalls. So, you'd need a Pix or something else to allow all your non-vpn traffic in and out.