[VPN] Question for site to site VPN

Dana J. Dawson djdawso at qwest.com
Mon Mar 24 14:16:56 EST 2003


In general, Cisco usually recommends routers as the preferred 
site-to-site platform, and concentrators for remote client access, 
though both boxes can do both functions (but not equally well).  The PIX 
can also be used for both, but it's a better site-to-site box than 
remote client box.

It would be unusual to use an address pool for a site-to-site 
configuration, since the sites will almost certainly have their own 
existing LAN that will already be addressed, and they'll already have a 
public address to be used to access the Internet.  In fact, I'm having a 
hard time imagining how a pool would be used in a site-to-site scenario, 
unless you plan to NAT the remote addresses so they all appear to be 
using addresses that are more convenient at the main site for some 
reason.  In that case, the specifics of your NAT requirements will 
probably dictate whether you want a pool for dynamic one-to-one NAT, 
PAT, or some other design.  The routers are the most flexible NAT boxes, 
closely followed by the PIX, and then the 3000 (which is much more 
limited in its NAT features).

For remote client access, all the customers can use the same address 
pool.  However, if you want to provide different address pools or static 
addressing per customer for whatever reason, you'll probably find that a 
3000 series concentrator is easier and more flexible than the routers or 
PIX.

HTH

Dana

-- 

Dana J. Dawson                     djdawso at qwest.com
Senior Staff Engineer              CCIE #1937
Qwest Communications               (612) 664-3364
600 Stinson Blvd., Suite 1S        (612) 664-4779 (FAX)
Minneapolis  MN  55413-2620

"Hard is where the money is."


Roger Qian wrote:
> Thank you Dana, if not using PIX, what Cisco device is better for the site
> to site VPN, router or concentrator? Can all customers share the same IP
> address pool?
> Roger



