[c-nsp] Re: VPN Solutions
Olav Langeland
olav.langeland at active24.com
Mon Dec 6 03:57:55 EST 2004
> -----Original Message-----
> From: Joel Snyder [mailto:Joel.Snyder at Opus1.COM]
> Sent: 6 December 2004
> To: George He
> Cc: sfrancis at fastclick.com; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Re: VPN Solutions
>
> George He wrote:
> > Hi Joel,
> >
> > <Quote>
> >
> > Unfortunately for Cisco fans, they have never been able to successfully
> > put site-to-site IPsec and remote access IPsec into the same box. But
> > they're both there, but Altiga's site-to-site is awful, and IOS/PIX
> > remote access is double awful. So you have to buy two boxes if you like
> > the all-Cisco solution.
> >
> > </Quote>
> >
> > I'm not sure of the exact meaning of your message. I know that IOS/PIX
> > remote access VPN is not good, but Remote VPN and Site-to-Site VPN can
> > work on PIX at the same time without any problem.
>
> Sorry, I wasn't very clear. Yes, you can do site-to-site & remote
> access on IOS, you can do them on PIX, and you can do them on Altiga.
> They both do work (for some definition of "work" which often means "can
> be made to work with compromises.") What I meant is that if you want
> good remote access, you buy a Cisco 3000 (Altiga) box; if you want to do
> site-to-site, you buy an IOS box or perhaps a PIX. But you cannot do
> large deployments of both successfully from the same box, because while
> the Altiga scales beautifully for large numbers of remote access users,
> the same is not true of site-to-site. And, while you can coerce the IOS
> or PIX boxes into doing site-to-site pretty well, they are absolutely
> unmanageable/unscalable for remote access except in the most trivial of
> deployment environments.
>
> So it's not that it doesn't work; it's just that it doesn't "work." If
> you've got 3 sites and 12 remote access users, you won't notice the
> difference very much, but if you have 30 or 300 sites and 1200 or 12,000
> remote access users, it's another case entirely. Unless you buy two
> different boxes, in which case you'll probably be able to construct a
> happy solution.
>
> jms
This is also our experience. We use the Cisco (Altiga) VPN3000
concentrators for remote access and some site-to-site, and Cisco Pix for
most of the site-to-site connections. Both can be configured with
remote-access and site-to-site, but the best solution IMHO is to split
remote-access (client-to-site) to VPN3000 Concentrators and site-to-site
to Pix (or IOS). Both have been rock solid so far.
-olav