Which PIX?

Discussion in 'Cisco' started by Mike, May 17, 2005.

  1. Mike

    Mike Guest

    We presently have a 501 on an SDSL line and are interested in creating
    a VPN to give roughly 50 users in 10 remote offices access to Exchange.
    We also want some people to be able to get to the network from home.

    One of our consultants says the 501 is fine, and just needs software
    upgrades. Another says we need a 515E. In reading this group, I noticed
    there is a 506E that would probably work well.

    Which will give the best bang for the buck?

    In a partly-related issue, since we already have a Citrix box
    (T-1+501), might we be better off using it instead of a VPN? It is
    dedicated to one application and would need additional licenses and
    hardware.

    Thanks.

    Mike
     
    Mike, May 17, 2005
    #1

  2. In article <>,
    Mike <> wrote:
    :We presently have a 501 on an SDSL line and are interested in creating
    :a VPN to give roughly 50 users in 10 remote offices access to Exchange.
    :We also want some people to be able to get to the network from home.

    :One of our consultants says the 501 is fine, and just needs software
    :upgrades.

    There is no software upgrade on the 501 that allows you to exceed
    the 10 peer limit. You say "10 remote offices", but the "peer" limit
    includes some ways of configuring remote users (e.g., teleworkers,
    out of town staff that need to connect through.)

    There are also expressed throughput limits for VPN connections
    on the 501 that are -much- lower than the rated encryption speed.
    I take those throughput limits with several grains of salt, seeing
    as they date from before the 501 performance was substantially
    improved, but I would be significantly concerned about whether a 501
    could handle 50 VPN users.

    :Another says we need a 515E. In reading this group, I noticed
    :there is a 506E that would probably work well.

    I wouldn't trust a 501 for that much traffic without a fair bit
    of traffic simulation. The cost of -doing- that traffic simulation
    would be -far- higher than the cost of going for a 506E, which is
    a noticeably faster device with no per-user license limits, and with
    a limit of 25 peers instead of 10. The 506E also supports a DMZ
    (though not as cleanly as the 515E.)

    In other words, I wouldn't seriously consider the 501 for the
    application unless the capital budget was very tight but there is
    an excess of spare time available to the network/security administrators.

    506E vs 515E... that's where the question starts to get interesting.
    What's the rated bandwidth of the SDSL line, and what's the expected
    amount of Exchange traffic? We find that different internal groups
    vary considerably on volumes of Exchange traffic -- the more business
    related groups tend to pass around large documents in email.
    I found a case the other day where a business logo that was less than
    1" by 1" onscreen took more than 750Kb, mime encoded to a megabyte.


    : Which will give the best bang for the buck?

    Over the short-term, that turns out not to be the most interesting
    question.

    Exchange turns out to be a real nuisance to firewall properly.
    Or at least Exchange 2000 was; we're still settling into Exchange 2003.
    I don't know whether it was just because we have peered Exchange
    servers, but ... well, best not to get me started on all of the
    problems :( Even if your VPNs are wide open and you are using static
    public IPs everywhere, you cannot handle Exchange 2000 properly
    with a PIX 6.x series firewall.

    PIX 7.0(1) has "transparent" "layer 2" firewalls, and is
    supposed to have noticeable improvements in its handling of RPC
    (remote procedure call.) It still doesn't really groove NETBIOS
    if I interpret the notes correctly, but -potentially- you could
    skip the major problems by going Layer 2 instead of Layer 3.

    PIX 7.0(1) is available for the 515E (memory upgrade recommended),
    but is -not- available for the 506E; we have no definite word as
    to whether it ever will be. Different people have, in good faith,
    posted indicating that they had been told different answers.

    You have a -better- chance of dealing with Exchange with a 515E with
    7.0(1)... on the other hand, you know what they say about
    never deploying a dot-zero or dot-one release in a production environment!

    Also, when I say that there are problems, it's pretty difficult to
    say whether the users will ever notice those problems. Our users
    often report problems with Exchange, but those problems are difficult
    to correlate against particular network events; as best we can tell,
    a fairly high percentage of the reported problems would occur even
    if there were absolutely no firewall in place.


    :In a partly-related issue, since we already have a Citrix box
    :(T-1+501), might we be better off using it instead of a VPN? It is
    :dedicated to one application and would need additional licenses and
    :hardware.

    Having your remote users Citrix over to the same subnet as your
    Exchange server would likely sidestep a number of Exchange problems.
    But it wouldn't be nearly as fast or user-friendly as having Outlook
    right on every desktop.


    What Exchange features do your users use? If it is -just- the
    email and address books, then you can save a lot of trouble by using ldaps
    together with imaps or pop3s, rather than having the full suite of
    Microsoft protocols eroding your sanity.

    --
    History is a pile of debris -- Laurie Anderson
     
    Walter Roberson, May 17, 2005
    #2

  3. > What Exchange features do your users use? If it is -just- the
    > email and address books, then you can save a lot of trouble by using ldaps
    > together with imaps or pop3s, rather than having the full suite of
    > Microsoft protocols eroding your sanity.


    Group calendars and address books figured prominently in the decision
    to go to Exchange. Unfortunately, we didn't appreciate how involved it
    would be to roll Exchange out to the field.

    BTW, is there an easy way to tell what O/S version a PIX is running? A
    consultant asked us this and we just shrugged.
     
    Michael S. Trachtenberg, May 18, 2005
    #3
  4. In article <>,
    Michael S. Trachtenberg <> wrote:
    :BTW, is there an easy way to tell what O/S version a PIX is running? A
    :consultant asked us this and we just shrugged.

    show version

    and look at the first two non-blank lines.
    --
    Entropy is the logarithm of probability -- Boltzmann
     
    Walter Roberson, May 18, 2005
    #4
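    As an added illustration of the "show version" answer above (example code written for this page, not from the thread or from Cisco): the snippet below picks the first two non-blank lines out of captured PIX "show version" output, extracts the software version, and applies the thread's two rules of thumb, that 7.0(1) is the release with transparent mode and that a dot-zero/dot-one release deserves caution in production. The sample output text is constructed for the example.

```python
import re

# Constructed sample of the start of `show version` on a PIX (written for
# this example, not captured from a real device). Note the leading blank line.
SAMPLE_SHOW_VERSION = """
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by builder
"""

# Matches "Cisco PIX Firewall Version 6.3(5)" -> major 6, minor 3, maintenance 5
VERSION_RE = re.compile(r"Cisco PIX Firewall Version (\d+)\.(\d+)\((\d+)\)")


def first_nonblank_lines(text, count=2):
    """Return the first `count` non-blank lines, as the answer suggests reading."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return lines[:count]


def parse_pix_version(text):
    """Extract (major, minor, maintenance) from show version output, or None."""
    for line in first_nonblank_lines(text):
        m = VERSION_RE.match(line)
        if m:
            return tuple(int(g) for g in m.groups())
    return None


def has_transparent_mode(version):
    """Transparent (layer 2) mode arrived with PIX 7.0(1), per the thread."""
    return version is not None and version >= (7, 0, 1)


def is_early_release(version):
    """Flag a dot-zero or dot-one train (e.g. 7.0(1)) for production caution."""
    return version is not None and version[1] in (0, 1)


if __name__ == "__main__":
    ver = parse_pix_version(SAMPLE_SHOW_VERSION)
    print("version:", ver)
    print("transparent mode:", has_transparent_mode(ver))
    print("early release:", is_early_release(ver))
```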
  5. In article <>,
    Michael S. Trachtenberg <> wrote:
    :Group calendars and address books figured prominently in the decision
    :to go to Exchange. Unfortunately, we didn't appreciate how involved it
    :would be to roll Exchange out to the field.

    Practically nothing about Exchange 2000 works the way Microsoft
    documents it to; at least not if you are accessing a remote Exchange
    2000 server and doing NT style authentication to do so.

    I haven't had time to analyze the behaviour with Exchange 2003 as yet.


    Convincing the Exchange admins that access to services is a mess
    is, unfortunately, more than a little difficult. I'm not sure why
    that is so, as the evidence is abundantly clear in our PIX logs :(

    The one thing I can think of in this regard is that if I am correct,
    that they would have to -do- something about it -- something such as
    getting rid of Exchange and/or NT domain authentication -- and so I must
    not be right, or my findings must not be important.
    --
    Feep if you love VT-52's.
     
    Walter Roberson, May 18, 2005
    #5