In article , Nicolas W. wrote:
:jvel7 wrote:
:> I have a pix 501 with IOS 6.3 which I would like to setup as a vpn
:> server. I have the outside interface with dhcp and the inside is
:> serving ip addresses. Can someone provide some ideas or links on how
:> to properly configure this as VPN with RADIUS (Microsoft IAS).
:NO WAY
:even if possible, a 501 is too weak.
The 501 should be able to handle about 3 megabits per second of AES-128 (official rating: 4.5 megabits per second.) It should be able to handle over 2 megabits per second of 3DES.
The 501 does not support Turbo ACLs, VLANs, OSPF, expansion interfaces, or floppy drives, but otherwise supports all features that the larger PIX models support.
It is not suitable as a "hub" in a hub-and-spoke VPN architecture (i.e., the devices connecting in will not be able to communicate with each other).
Provided that one is satisfied with the maximum of 10 peers, and the aggregate sustained throughput of the peers is not expected to exceed 2-3 megabits/s then the 501 should be fine.
Points of comparison:
- I've never seen our 501's exceed 10% CPU usage
- The -peak- 5-minute traffic that we have ever recorded on our PIX 525 connected to a gigabit pipe is 2 megabits per second. We typically have 1200 to 3200 simultaneous translations on that 525. We aren't an ISP: the point is that even with over 125 researchers (and 3 times that many desktops), the average traffic rate would in theory fit into a 501.
- What I -have- seen on a 501 is running out of memory, on our 501 that acts as a regional hub. Our other 501's with nearly identical configurations do not run into this issue, so it's a function of traffic.