Cisco Pix - how many clients or peer sites supported?

Question

I read that a cisco pix 506e supports up to 25 vpn peers (sites), and unlimited clients (machines connected with the cisco vpn software?).

The lowest cost option would seem to be to install the vpn software on all the remote clients (desktops,laptops) - currently about 100 machines.

Does this seem reasonable, or is there a good reason to buy a vpn router for some of the remote sites that have 5 or 10 machines and use that to connect their networks in?

I hate the term 'unlimited', is the limit based on the internet bandwidth in that case, or ?

Answer 1

There are two limitations with most of these VPN devices, licenses and CPU.

The license will restrict how many clients of each type the device will let you connect, as well as the type of encryption you can use and other features. If you need more you upgrade the license.

The other restriction is on the performance of the unit, most often the amount of encryption the CPU (or CPU and hardware acceleration cards) can handle. This depends on the level of encryption used, for example with 168bit 3DES IPSec the PIX 506e will do 16Mbps, with lesser 56bit DES it can push 20Mbps of crypto traffic [reference].

There are two things you might consider here, how much traffic your clients are going to generate and how you're going to manage all those clients.

If your clients are only occasionally access pages on an intranet or wiki over their VPN connections then 16Mbps may be enough bandwidth for your 100 users, but if they're doing more intensive work then you might have to look again.

Next is management, if you install 100 individual VPN clients then you've got 100 things which can break, lose configuration which you need to support. Depending on the resources available you might find it easier to maintain a site to site VPN to the larger concentrations of users so you only manage one device connecting, say, 10 users rather than 10 individual connections.