
Cisco PIX 501 VPN Setup with PIX 520 or VPN Concentrator 3000

Status
Not open for further replies.

shakamon (MIS) · Joined Feb 4, 2002 · 103 messages · Location: US
I have a Cisco PIX 520 in my location as well as a Cisco VPN Concentrator 3000. What I would like to do is have a branch office connect back to my location using a PIX 501 using an IPSec VPN. But I do not want to tunnel the Internet traffic; I want to keep that local.

So my first question is: can I terminate the 501 VPN to the concentrator, give the branch office its own internal subnet, local Internet access with a stateful firewall, and that's it? Do I need to configure anything else?

I ask because on my PIX I have other office-to-office GRE VPNs set up, but I have my virtual tunnel interfaces and loopback addresses on layer 3 devices. I don't want to have to deal with these in my branch offices. I just want a simple plug-in.

My second question is this. This summer, the 520s go out of support and I am thinking of going with the ASA 5500s, which combine the PIX (firewall) and Concentrator (VPN client termination) functions as well as some IPS functionality. So I would like to know if this ASA will still accept the branch office VPNs from PIX 501s?

Any suggestions would be great.

"Only the dead fish follow the stream"
 
The VPN Concentrator 3000 can terminate site-based VPN sessions and client-based VPN sessions, so the PIX 501 can terminate its VPN session to the VPN Concentrator.

The branch office can use a local private network; you would need to configure NAT on the branch office PIX to allow access to the Internet, and you would configure split tunneling (the ACLs that indicate which networks will use the VPN tunnel). Up front, those are some of the major considerations.


The ASA 5500 series will accomplish the same objective as the PIX (and then some, as you noted). Just make sure to look into the different ASA software types that are available. ASA has such software/hardware sets as "VPN Premium", "VPN Plus", and "Security Plus", including additional modules (FW+AIP-SSM, etc.) that may be required for your ASA appliance. Things to consider based on your environment. Cisco's website has some good literature on the ASA, especially with some common design recommendations. Just a few suggestions.

Hope that helps a little.

cf
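As an added illustration of the branch-side pieces named in the answer above (the crypto ACL that selects tunnel traffic, a NAT exemption for it, and PAT for everything else so Internet traffic leaves locally), here is a PIX 6.3-style configuration fragment for the PIX 501. It is not from the original post or from Cisco; the branch subnet 192.168.10.0/24, the head-office range 10.0.0.0/8, the peer address 203.0.113.1 and the names "branchmap", "vpn_traffic" and "nonat" are constructed placeholders, and the pre-shared key must be replaced.

```text
! --- Interfaces (constructed addressing) ---
ip address outside dhcp
ip address inside 192.168.10.1 255.255.255.0

! --- Traffic that belongs in the tunnel: branch LAN <-> head-office networks ---
! This ACL is the site-to-site equivalent of "split tunneling": only what it
! matches is encrypted; anything else follows the normal (NAT) path.
access-list vpn_traffic permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0

! --- NAT exemption for the same traffic so private addresses cross the tunnel unchanged ---
access-list nonat permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat

! --- Everything else is PAT'ed to the outside address: local Internet breakout ---
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- Phase 1 (ISAKMP): AES-256/SHA/DH group 2, pre-shared key tied to the peer ---
! (AES requires PIX 6.3 software; on older releases substitute 3des.)
isakmp enable outside
isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- Phase 2 (IPsec) and the crypto map bound to the outside interface ---
crypto ipsec transform-set branch-set esp-aes-256 esp-sha-hmac
crypto map branchmap 10 ipsec-isakmp
crypto map branchmap 10 match address vpn_traffic
crypto map branchmap 10 set peer 203.0.113.1
crypto map branchmap 10 set transform-set branch-set
crypto map branchmap interface outside

! --- Let decrypted tunnel traffic bypass the outside interface ACL check ---
sysopt connection permit-ipsec
```

The head-office side (concentrator or ASA) needs the mirror image: a peer entry for the branch's public address, the same proposal, and interesting-traffic definitions that are the reverse of vpn_traffic. Because only traffic matching vpn_traffic is encrypted, the branch's Internet-bound sessions are still subject to the PIX's stateful inspection and outside ACL, which is the behaviour the original poster asked for. Note that with "ip address outside dhcp" the branch's public address is not fixed, so the head-office peer entry has to accept a dynamic peer. To confirm the split is behaving as intended, check that "show crypto ipsec sa" shows encaps/decaps counters increasing only for head-office traffic while "show xlate" shows Internet sessions being translated locally.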



 
So do you think the 501 will still terminate into the ASA? I cannot seem to find the documentation on that one.

"Only the dead fish follow the stream"
 