PIX 515 to PIX 515 via Internet & IPSec, should I get a VAC?

We currently have a Point to point T1 connecting 2 Offices and are thinking
about upgrading the remote office to a 3 Meg internet Connection and having
it connect to the HQ's 6 Meg Internet connection. HQ currently has a PIX
515 and runs about 5 Home Office Point to Point IPSec VPN connections and a
half dozen or so IPSec VPN Clients.

We were thinking of adding a Pix 515 to the remote office and have it Point
to Point IPSec VPN into HQ. The Remote office has in it 6-12 people at any
one time, and 1/2 of them use the connection to get to data at HQ and the
other half is the internet. Should I bother with adding a VPN Accelerator
Card (VAC) to the HQ PIX, should I add one to Both? at $3000 each, its a
pretty steep investment.

Does anybody know at what point you want to use the VAC in terms of users
and throughput?

Thanks,
Scott<-

 

Scott Townsend wrote:

> We currently have a Point to point T1 connecting 2 Offices and are thinking
> about upgrading the remote office to a 3 Meg internet Connection and having
> it connect to the HQ's 6 Meg Internet connection. HQ currently has a PIX
> 515 and runs about 5 Home Office Point to Point IPSec VPN connections and a
> half dozen or so IPSec VPN Clients.
>
> We were thinking of adding a Pix 515 to the remote office and have it Point
> to Point IPSec VPN into HQ.

If you are not interested in firewall features (it's a hard thing to say ) you can use a router. Starting from an 800
series or 1800.

I have 5 offices with 10-15 persons connected to Internet throyugh a cisco 800 series.

Alex.

 

So I could just use my 2620 and install the FW feature set. I've thought of
that... That is what I do for my house. I have a 1700 there.

Though adding this office as a secondary presence for some of our internet
connections seems like a better route for us. Having the PIX there to deal
with having a DMZ with a DNS Server, and then adding a second Mail Server to
our Exchange Site and having it as a Backup SMTP Server if there is an Issue
with the First.

Thanks,
Scott<-
"AM" <> wrote in message
news:8SJKf.2194$...
> Scott Townsend wrote:
>
>> We currently have a Point to point T1 connecting 2 Offices and are
>> thinking about upgrading the remote office to a 3 Meg internet Connection
>> and having it connect to the HQ's 6 Meg Internet connection. HQ
>> currently has a PIX 515 and runs about 5 Home Office Point to Point IPSec
>> VPN connections and a half dozen or so IPSec VPN Clients.
>>
>> We were thinking of adding a Pix 515 to the remote office and have it
>> Point to Point IPSec VPN into HQ.
>
> If you are not interested in firewall features (it's a hard thing to say
> ) you can use a router. Starting from an 800 series or 1800.
>
> I have 5 offices with 10-15 persons connected to Internet throyugh a cisco
> 800 series.
>
> Alex.

 

do you use DES or 3DES between your sites?

DES would be less processor intensive...

thanks,
Scott<-
"AM" <> wrote in message
news:8SJKf.2194$...
> Scott Townsend wrote:
>
>> We currently have a Point to point T1 connecting 2 Offices and are
>> thinking about upgrading the remote office to a 3 Meg internet Connection
>> and having it connect to the HQ's 6 Meg Internet connection. HQ
>> currently has a PIX 515 and runs about 5 Home Office Point to Point IPSec
>> VPN connections and a half dozen or so IPSec VPN Clients.
>>
>> We were thinking of adding a Pix 515 to the remote office and have it
>> Point to Point IPSec VPN into HQ.
>
> If you are not interested in firewall features (it's a hard thing to say
> ) you can use a router. Starting from an 800 series or 1800.
>
> I have 5 offices with 10-15 persons connected to Internet throyugh a cisco
> 800 series.
>
> Alex.

 

Scott Townsend wrote:
> We currently have a Point to point T1 connecting 2 Offices and are thinking
> about upgrading the remote office to a 3 Meg internet Connection and having
> it connect to the HQ's 6 Meg Internet connection. HQ currently has a PIX
> 515 and runs about 5 Home Office Point to Point IPSec VPN connections and a
> half dozen or so IPSec VPN Clients.
>
> We were thinking of adding a Pix 515 to the remote office and have it Point
> to Point IPSec VPN into HQ. The Remote office has in it 6-12 people at any
> one time, and 1/2 of them use the connection to get to data at HQ and the
> other half is the internet. Should I bother with adding a VPN Accelerator
> Card (VAC) to the HQ PIX, should I add one to Both? at $3000 each, its a
> pretty steep investment.
>

Scott

at this point of the game you don't need VAC. At max you can have only
6 Mbit/s of 3DES encrypted traffic, and for PIX515 it will be "walk in
the park". Try to avoid using routers without encryption card for VPN,
they suck. ;-)

> Does anybody know at what point you want to use the VAC in terms of users
> and throughput?

cisco claims - pix515 can do 45Mbit/s (full T3) 3DES without VAC. So
it's up to you to deside. My point of view - if the company can afford
to pay every month for a 45Mbit/s of the Internet - they can spend some
money ONCE to buy a VAC (or better yet 3030 concentrator)

regards
Roman Nakhmanson

 

sorry
didn't do my homework
please disregard my notes about 45 M/s for 3DES - lie lie lie
anyway, we have pix 501 for branches - they do 1.5M/s 3des with no
issues
and 515 for a HQ with some (8M/s) 3DES traffic. So far, so good

Roman Nakhmanson

 

Thank you for your feedback! I appreciate it!

"Roman Nakhmanson" <> wrote in message
news:...
> sorry
> didn't do my homework
> please disregard my notes about 45 M/s for 3DES - lie lie lie
> anyway, we have pix 501 for branches - they do 1.5M/s 3des with no
> issues
> and 515 for a HQ with some (8M/s) 3DES traffic. So far, so good
>
> Roman Nakhmanson
>

 

In article <>,
Roman Nakhmanson <> wrote:
>sorry
>didn't do my homework
>please disregard my notes about 45 M/s for 3DES - lie lie lie
>anyway, we have pix 501 for branches - they do 1.5M/s 3des with no
>issues
>and 515 for a HQ with some (8M/s) 3DES traffic. So far, so good

The Cisco rating for the 515 (non-E) is 10 megabits/s 3DES.

I haven't seen more than 1 megabit/s 3DES for a PIX 501 outside of
the lab bench -- even on a high-bandwidth line, latencies do serious
damage to throughput.

 

that is true, hopefully we have a lot of ftp traffic.
But some of branches happen to have VoIP phones working thru VPN. the
sad part - I can not install v7 on 501 pix (v7 has LLQ) 8-(

Roman