
Site to site vpn thoughts

cross6

Senior member
We're looking at setting up a site to site for one of our small branches.

The cable company offers fiber service @ 10 megabits and it's way cheaper than a point 2 point T1.

Is a pix on each end really needed?

I was thinking something like a 17xx series would provide sufficient firewall and IDS for this without putting a PIX on either end, while providing hardware encryption.


I know from experience that PIXes slow down a lot with site 2 site tunnels.

thoughts?
 
I have not had the same experiences with PIXes slowing down so much with site to site tunnels, but most of my PIX experience is at the T1 bandwidth scale. At a higher bandwidth, sure, more tunnels will push you up against the devices' limits and things will slow down.

A 17xx would be great if you added a hardware crypto module and the IOS 3DES/FW license. Guess how much that costs? Might as well get a PIX.

The PIX 501/506e are decent little boxes for the money. They are basically EOL, so plan with them appropriately. Unfortunately, their replacement product line - the ISR router series - is not yet mature enough for production use.
 
Well, we're talking one tunnel to a branch - maybe a few client users - but rarely.

I also mean slow down when being terminated @ the pix.
 
We have site to site tunnels between two of our offices. Equipment on each end is a PIX515E and both are on 10Meg circuits provided by Lightpath. Running 3DES at 256 and still see high 8's to mid 9's between sites. Even the PIX501 can handle similar situations if I remember correctly. Except I believe the 501 will only do 128bit. Anyone out there feel free to correct me if I am wrong. This was all just off the top of my head.

IMO if possible I would use the routers to do the VPN tunnels. You save on hardware and the functionality of the router is far greater than that of the PIX.
 