VPN Concentrator.. pros and cons?!? 1

[geranimo666]

All-

Hope everyone's technical day is successful!

Well, our company has tossed around the idea of purchasing a VPN Concentrator although we have a very successful VPN situation running on our PIX 515.. can anyone provide what essentially a Concentrator from Cisco would buy me since I've got 25 users happily using their Cisco clients via the PIX?

I also have the users further authenticate to our AD Domain via Windows 2003 Server IAS (I just mentioned that as trivial knowledge BTW!)

thanks for any support

geranimo

 

[Supergrrover]

For 25 connections and things working, leave it as is. If you expect a significant rise in users or traffic through the device - upgrade to a 5500. (these are pretty solid. I have been happy with all of these I have put out.)


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[baddos]

I beleive the concentrator is discontinued and they are pushing people off to their new ASA firewalls. They are basically PIXs w/ better VPN and service support.

 

[BuckWeet]

Since you have a PIX 515 don't even buy an ASA or Concentrator.. If you don't have it, go ahead and purchase the accelerator card for the 515 and upgrade to the newer PIX 7 or 8 software (this is the same software that the ASA runs)


BuckWeet

 

[geranimo666]

Thank you all -really solid information..

Unfortunately, it seems as though the customer already has PIX's in place as well as a VPN Concentrator 3xxx series. Looks like a salesman was looking to make quota or just didn't know all the capabilities of the PIX..

Thanks again
geranimo

 

[brianinms]

Just an FYI the pix series and concentrators will both be End of Lifed in the near future.

 

[geranimo666]

thanks brianinms as well!

geranimo

 

[geranimo666]

Brianms-

I have a VPN Concentrator question and hoping you've used the 3000 Series product at all..

I am just setting up a user with all access VPN via the VPN 3005 concentrator.. recieving error "Number 1, database file cannot be read into memory (map)"

Any clue? perhaps a corrupted database?

any support would be great

geranimo

 

[brianinms]

I am confused, where are you receiving that error?

 

[geranimo666]

hi brianinms,

figured it out to all here...

basically we were out of disk space on the D: storage drive where basically everything gets copied to SQL.. therefore, no diskspace - no ability to add new users to the concentrator...
thx
geranimo

 

[geranimo666]

Just one more question to all here..

Would the ASDM upgrade on my ASA appliance allow me to manage my VPN sessions, create users -place them in the VPN pool via the ASDM gui.. or am I asking for too much here..

I am used to just doing this using CLI on a PIX (any series) but other admins may want a graphic view of how to manage our VPN structure and it's users..

Any info would be great!! and thanks again

geranimo

 

[pmoorey]

Hi,

You can use the Java based GUI to configure all aspects of the firewall.

The ASDM GUI is much improved on PDM (Pix Device Manager) and is very usable.

Regards,

Peter
CCNA, Cisco Qualified Specialist

 

[geranimo666]

thanks Peter... good info..

Hey, we have an ASA5510.. can it also do Intrusion Protection as well right out of the box? or do I need to either check the IOS ver, and buy physical modules.. just curious and haven't had a chance to research this further so any additional info you can provide would be fantastic!

thanks again

Geranimo

 

[boymarty24]

Some ASA comes bundled with the AIP module. If you dont have you need to buy it. The ASA provides some basic Intrusion Prevention though

 

[geranimo666]

Thanks boymarty.. would you know off hand what it would cost for the mod, just in case I had to purchase it?

if I do a sho ver, would it depict whether or not the mod is installed? I suppose it should...

thanks either way
geranimo

 

[chinkle]

Hi geranimo... I found your posts and we're in a similar situation, I think. We've got a PIX 515E in one location and a Cisco 1812 in another, doing VPN between them. We're considering getting a couple VPN 3000 concentrators (because we've got a source that can get them inexpensively) because the connection between the two is kind of iffy, even though it's a low-traffic connection. I'd love to hear what you took into consideration with your acquisition.

Thanks,
chinkle

 

[brianinms]

The concentrators will be End of Life'd in the near future by Cisco as all the functionality is now ported to the ASA's. The encryption throughput of an ASA 5505 far exceeds the performance of a 3005 or even a 3015.