[c-nsp] Re: VPN Solutions

Lawrence Wong lawrencewong72 at yahoo.com
Thu Dec 9 09:41:05 EST 2004


Thanks all for the invaluable feedback and
suggestions.

I was thinking of either the Cisco PIX/IOS & Netscreen
as these boxes are already in place at my office site
doing just firewalling. So being able to recycle them
would lead to cost savings.

But one thing I'm not sure about is the VPN client licensing.
For example, the PIX 515e that we had comes with 3DES/AES
licensed, but there is no mention of whether we need to
purchase additional client software or whether it's "free".
The same applies to our Netscreen-50.

I was testing out the PIX earlier and VPN works fine.
However, does anyone know how I can see who the logged-in
users are at any one time? The docs do not appear to
mention it.

TIA!

--- Olav Langeland <olav.langeland at active24.com>
wrote:

> > -----Original Message-----
> > From: Joel Snyder [mailto:Joel.Snyder at Opus1.COM]
> > Sent: 6 December 2004 04:59
> > To: George He
> > Cc: sfrancis at fastclick.com; cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Re: VPN Solutions
> >
> > George He wrote:
> > > Hi Joel,
> > >
> > > <Quote>
> > >
> > > Unfortunately for Cisco fans, they have never been able to
> > > successfully put site-to-site IPsec and remote access IPsec into
> > > the same box.  But They're both there, but Altiga's site-to-site
> > > is awful, and IOS/PIX remote access is double awful.  So you have
> > > to buy two boxes if you like the all-Cisco solution.
> > >
> > > </Quote>
> > >
> > > I'm not sure of the exact meaning of your message. I know that
> > > IOS/PIX remote access VPN is not good, but remote VPN and
> > > site-to-site VPN can work on PIX at the same time without any
> > > problem.
> >
> > Sorry, I wasn't very clear.  Yes, you can do site-to-site & remote
> > access on IOS, you can do them on PIX, and you can do them on Altiga.
> > They both do work (for some definition of "work" which often means
> > "can be made to work with compromises.")  What I meant is that if
> > you want good remote access, you buy a Cisco 3000 (Altiga) box; if
> > you want to do site-to-site, you buy an IOS box or perhaps a PIX.
> > But you cannot do large deployments of both successfully from the
> > same box, because while the Altiga scales beautifully for large
> > numbers of remote access users, the same is not true of
> > site-to-site.  And, while you can coerce the IOS or PIX boxes into
> > doing site-to-site pretty well, they are absolutely
> > unmanageable/unscalable for remote access except in the most trivial
> > of deployment environments.
> >
> > So it's not that it doesn't work; it's just that it doesn't "work."
> > If you've got 3 sites and 12 remote access users, you won't notice
> > the difference very much, but if you have 30 or 300 sites and 1200
> > or 12,000 remote access users, it's another case entirely.  Unless
> > you buy two different boxes, in which case you'll probably be able
> > to construct a happy solution.
> >
> > jms
>
> This is also our experience. We use the Cisco (Altiga) VPN3000
> concentrators for remote access and some site-to-site, and Cisco Pix
> for most of the site-to-site connections. Both can be configured with
> remote-access and site-to-site, but the best solution IMHO is to split
> remote-access (client-to-site) to VPN3000 Concentrators and
> site-to-site to Pix (or IOS). Both have been rock solid so far.
>
> -olav
>

