[c-nsp] What product for a VPN Gateway/backend network

Drew Weaver drew.weaver at thenap.com
Tue Mar 4 08:45:14 EST 2008


Hi there. We are currently developing plans for a back-end private network which will be front-ended by a VPN gateway. Currently all servers are connected to the network using public IP addresses; this won't change, but we would like to be able to simply pop a NIC in a machine, assign it a private IP address, and have the functionality of secure management (rather than users running SSH/RDP over the public internet... yikes).

So far we've come up with 3 options for the VPN solution but we're not sure which would fit our goals the best.

The L3 switch for the private network will be a 6500, so the VPN services cards (WebVPN, etc.) are interesting to us. Does anyone have any experience with WebVPN they'd like to share?
We're obviously evaluating using a PIX/ASA for the VPN gateway.
And due to a long-standing relationship with WatchGuard, we are also considering one of their 'Peak' products.

Also, as we have 5 different datacenter "areas" in our main facility, we are thinking about using multiple smaller 48-port switches in each area and then simply aggregating them back to the 6500. I'm guessing that since we definitely wouldn't want the servers to see each other (NetBIOS, etc.) in the private network, we would want to create VLANs on the 6500 and then tag them for the 48-port switches to handle the access?

Any advice anyone can offer based upon experience is greatly appreciated.

Thank you,
-Drew

