PIX 515 to PIX 515 via Internet & IPSec, should I get a VAC?

Discussion in 'Cisco' started by Scott Townsend, Feb 21, 2006.

  1. We currently have a Point to point T1 connecting 2 Offices and are thinking
    about upgrading the remote office to a 3 Meg internet Connection and having
    it connect to the HQ's 6 Meg Internet connection. HQ currently has a PIX
    515 and runs about 5 Home Office Point to Point IPSec VPN connections and a
    half dozen or so IPSec VPN Clients.

    We were thinking of adding a Pix 515 to the remote office and have it Point
    to Point IPSec VPN into HQ. The Remote office has in it 6-12 people at any
    one time, and 1/2 of them use the connection to get to data at HQ and the
    other half is the internet. Should I bother with adding a VPN Accelerator
    Card (VAC) to the HQ PIX, should I add one to both? At $3000 each, it's a
    pretty steep investment.

    Does anybody know at what point you want to use the VAC in terms of users
    and throughput?

    Scott Townsend, Feb 21, 2006
  2. If you are not interested in firewall features (it's a hard thing to say :) ) you can use a router. Starting from an 800
    series or 1800.

    I have 5 offices with 10-15 persons connected to the Internet through a Cisco 800 series.

    AM, Feb 21, 2006
  3. So I could just use my 2620 and install the FW feature set. I've thought of
    that... That is what I do for my house. I have a 1700 there.

    Though adding this office as a secondary presence for some of our internet
    connections seems like a better route for us. Having the PIX there to deal
    with having a DMZ with a DNS Server, and then adding a second Mail Server to
    our Exchange Site and having it as a Backup SMTP Server if there is an Issue
    with the First.

    Scott Townsend, Feb 21, 2006
  4. do you use DES or 3DES between your sites?

    DES would be less processor intensive...

    Scott Townsend, Feb 21, 2006
  5. Scott

    at this point of the game you don't need VAC. At max you can have only
    6 Mbit/s of 3DES encrypted traffic, and for PIX515 it will be "walk in
    the park". Try to avoid using routers without encryption card for VPN,
    they suck. ;-)
    cisco claims - pix515 can do 45Mbit/s (full T3) 3DES without VAC. So
    it's up to you to decide. My point of view - if the company can afford
    to pay every month for a 45Mbit/s of the Internet - they can spend some
    money ONCE to buy a VAC (or better yet 3030 concentrator)

    Roman Nakhmanson
    Roman Nakhmanson, Feb 22, 2006
  6. sorry
    didn't do my homework
    please disregard my notes about 45 M/s for 3DES - lie lie lie
    anyway, we have pix 501 for branches - they do 1.5M/s 3des with no
    and 515 for a HQ with some (8M/s) 3DES traffic. So far, so good

    Roman Nakhmanson
    Roman Nakhmanson, Feb 22, 2006
  7. Thank you for your feedback! I appreciate it!
    Scott Townsend, Feb 22, 2006
  8. The Cisco rating for the 515 (non-E) is 10 megabits/s 3DES.

    I haven't seen more than 1 megabit/s 3DES for a PIX 501 outside of
    the lab bench -- even on a high-bandwidth line, latencies do serious
    damage to throughput.
    Walter Roberson, Feb 22, 2006
  9. that is true, hopefully we have a lot of ftp traffic.
    But some of branches happen to have VoIP phones working thru VPN. the
    sad part - I can not install v7 on 501 pix (v7 has LLQ) 8-(

    Roman Nakhmanson, Feb 22, 2006
