how many simultaneous site to site VPN tunnels PIX 501?

 
 
JohnC
11-23-2004
Is 10 the software limit on the site to site vpn tunnels on the pix 501?

Do the tunnels stay up all the time or is it like the 3030 concentrator
where the tunnels only connect when there is 'interesting traffic'?

Would we be better off with a 3005 concentrator instead of pressing the pix
501 to be the head end device?

The scenario is home office with 501 behind a 1721 front ending a full T1,
branch offices with possibly pix 501 or smc 7004, etc. connected to dsl or
business cable with static IPs.
thanks,
John




 
PES
11-23-2004
JohnC wrote:
> Is 10 the software limit on the site to site vpn tunnels on the pix 501?
>
> Do the tunnels stay up all the time or is it like the 3030 concentrator
> where the tunnels only connect when there is 'interesting traffic'?
>
> Would we be better off with a 3005 concentrator instead of pressing the pix
> 501 to be the head end device?
>
> The scenario is home office with 501 behind a 1721 front ending a full T1,
> branch offices with possibly pix 501 or smc 7004, etc. connected to dsl or
> business cable with static IPs.
> thanks,
> John

You won't hear me making this recommendation often, but it sounds like
you may be a small business. As such, it may make sense to use a Cisco
1841 security bundle in place of the 1721 and 501. The existing 501
could be re-deployed in a remote site. The 1841 has two ethernet (one
of which could be used for a dmz) interfaces and can accept the wan card
that is currently in the 1721. Also, it has hardware encryption built
into the system board. To get all of this functionality into the 1721,
your cost would approach that of the higher performance 1841. Please
note that the 1841 is built out of the box to pass traffic (it is a
router) where the pix is built out of the box to restrict traffic. This
solution will work for a lot of small businesses though, if it is
configured properly. Just note a configuration error is more likely to
fail open instead of fail closed. Cisco's typical recommendation
is the concentrator for vpn clients and routers for robust lan to lan vpns.

As to answering your question, I can't, but I bet Walter can and will off
the top of his head. One design flaw with the Pix at the headend is
that you cannot route to other remote sites from a remote site. This
can work with a router or a concentrator.

--
-------------------------
Paul Stewart
Lexnet Inc.
Email address is in ROT13
 
Walter Roberson
11-23-2004
In article <41a2a4ff$(E-Mail Removed)>, PES <(E-Mail Removed)> wrote:
>JohnC wrote:

:> Is 10 the software limit on the site to site vpn tunnels on the pix 501?

Not exactly.

In 6.1 and 6.2, the relevant limit is 5. In 6.3 the limit became 10.

The limit is not of the number of vpn tunnels, but rather of the number
of different isakmp peers. The distinction is that you may have a
number of different security associations for any one isakmp peer.
Each permit line in the crypto map match-address clause will result
in another security association. There is no documented restriction
that would prevent you from having multiple crypto map policies that
had the same peer. But notice that if you have a crypto map that has
multiple [different] peers (for redundancy) then each of the peers
would be a different isakmp peer and would count against the limit.

I believe the limit is on the number of -simultaneous- isakmp peers,
so in the redundancy case normally one peer would have "disappeared"
before the other was created -- but when the other comes back up
then if for any reason it gets any traffic matching its crypto map
then it is going to try to connect back to you and at least during
the early phases of the negotiation you are going to have two
distinct peers. [There are some oddities around what happens when a
redundant peer attempts to connect when the other is already connected.]

:> Do the tunnels stay up all the time or is it like the 3030 concentrator
:> where the tunnels only connect when there is 'interesting traffic'?

The first time the tunnel sees interesting traffic, it will come up,
and it will stay up for -at least- the lifetime you have assigned
in the isakmp setup. It will then renegotiate its session key and will
stay up an additional instance of the lifetime. If during that second
life, there was any matching traffic *at all* (even one byte), then
it'll renegotiate and stay up a third instance, and so on. In other words,
the tunnel will always stay up an integral multiple of the assigned
lifetime, and it won't go down by itself unless during the last of
those lives there was no traffic on the tunnel. A single tcp keepalive
can end up with the tunnel staying up indefinitely.

If you wanted the tunnel to "only connect when there is interesting
traffic", then you should set the tunnel lifetime to be very short,
and ensure you have no keepalives set for anything.

:> Would we be better off with a 3005 concentrator instead of pressing the pix
:> 501 to be the head end device?

If you are going to be close to the tunnel maximum and you haven't
already purchased the 501, then you would likely be better off with
a 506e instead. The 506/506e has a limit of 25 isakmp peers as of 6.3.

:> The scenario is home office with 501 behind a 1721 front ending a full T1,
:> branch offices with possibly pix 501 or smc 7004, etc. connected to dsl or
:> business cable with static IPs.

:You won't hear me making this recommendation often, but it sounds like
:you may be a small business. As such, it may make sense to use a Cisco
:1841 security bundle in place of the 1721 and 501.

Paul is correct, the older 1721 Security Bundles are selling for pretty
much the same price as the 1841.

:The existing 501
:could be re-deployed in a remote site. The 1841 has two ethernet (one
:of which could be used for a dmz) interfaces and can accept the wan card
:that is currently in the 1721. Also, it has hardware encryption built
:into the system board.

The 1721 has hardware encryption as well.
--
"There are three kinds of lies: lies, damn lies, and statistics."
-- not Twain, perhaps Disraeli, first quoted by Leonard Courtney
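The peer-versus-SA counting and the lifetime renewal behaviour Walter describes above, as an added example that is not part of the thread or any poster's own work: it assumes PIX 6.x crypto map and access-list syntax, a constructed config fragment, and the per-release peer limits he quotes.

```python
# Constructed PIX 6.x-style config fragment (not from the thread): one crypto map
# entry with two redundant peers, one with a single peer, and their match-address ACLs.
SAMPLE_CONFIG = """
access-list branch1 permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list branch1 permit ip 10.0.5.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list branch2 permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address branch1
crypto map outside_map 10 set peer 203.0.113.10 203.0.113.11
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address branch2
crypto map outside_map 20 set peer 198.51.100.5
"""
# PIX 501 isakmp peer limit per software release, as stated in the thread.
PEER_LIMIT = {"6.1": 5, "6.2": 5, "6.3": 10}

def count_peers_and_sas(config):
    """Return (distinct isakmp peers, IPsec security associations) the config implies.

    Every address on a 'set peer' line is a separate isakmp peer (the worst case,
    with every redundant peer up at once); every permit line of an ACL named in a
    'match address' clause becomes one security association.
    """
    peers, acl_permits, matched_acls = set(), {}, []
    for line in config.strip().splitlines():
        words = line.split()
        if words[:1] == ["access-list"] and "permit" in words:
            acl_permits[words[1]] = acl_permits.get(words[1], 0) + 1
        elif words[:2] == ["crypto", "map"] and words[4:6] == ["set", "peer"]:
            peers.update(words[6:])
        elif words[:2] == ["crypto", "map"] and words[4:6] == ["match", "address"]:
            matched_acls.append(words[6])
    sas = sum(acl_permits.get(acl, 0) for acl in matched_acls)
    return len(peers), sas

def peers_within_limit(config, version):
    """True if the configured peers fit the limit of the given PIX release."""
    return count_peers_and_sas(config)[0] <= PEER_LIMIT[version]

def tunnel_down_time(lifetime, traffic_times):
    """Time the tunnel drops: it comes up at the first interesting packet and
    lives in slots of `lifetime` seconds; any traffic in a slot renews the key
    for one more slot, so it drops at the end of the first slot with no traffic."""
    start = min(traffic_times)
    slot = 0
    while any(start + slot * lifetime <= t < start + (slot + 1) * lifetime
              for t in traffic_times):
        slot += 1
    return start + (slot + 1) * lifetime
```

Because the triggering packet always falls in the first slot, the tunnel never lives less than two lifetimes, which is the minimum Walter describes.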
 