Hi,

I have 10 different VPN tunnels from my PIX 520 firewall (500 MHz PIII and 256 MB of RAM) to other firewalls (PIX and Checkpoint) and Cisco VPN Concentrators. At the moment, all of the tunnels are using 3DES, SHA and DH group 2 in phase 1. In phase 2, I use 3DES and SHA-1. For security purposes, I would like to add Perfect Forward Secrecy (PFS) to all tunnels. However, I am concerned with the CPU load and memory resources on the PIX 520.

This PIX 520 firewall will also be used to protect our company web and mail servers (DMZ1). The Oracle database servers are located on another DMZ segment (DMZ2). Furthermore, it will also be used to protect our internal network as well as for accessing the Internet. We don't have the budget to purchase any equipment, not even the VPN Acceleration Card (VAC). The PIX is connected to an SDSL router (1.5 Mbps up/down).

During normal business hours, I notice that the CPU usage is about 40% and memory usage is about 80 MB. In the evening there is a lot of backing up going on (the backup server is located on the internal network and it backs up all the web, mail and database servers). While the servers are being backed up, some database replication also takes place between the VPNs. I took a sample of that: the traffic on the "outside" interface maxes out at 1.5 Mbps and the traffic between the "inside" and DMZ is running at about 60 Mbps. The CPU usage is about 55% and the memory usage is about 85 MB.

My question is: should I enable PFS on all the tunnels without bringing down the PIX 520 firewall? Since the PIX firewall is running on an Intel CPU, I can always replace the current PIII 500 with another PIII 850, but I don't think Cisco would like that. By the way, I am running PIX OS version 6.3(0) build 144. Even when I was running version 6.2(2), the performance was about the same. If anyone has the PIX VPN set up with PFS without bringing down the PIX, please advise.

On another, unrelated question: has anyone ever seen the PIX firewall use more than 160 MB of RAM? My PIX firewall has 256 MB of RAM but I have never seen it use more than 160 MB. Even in a lab environment where I hit the firewall with a lot of connections, about 1 million simultaneous connections of HTTP, HTTPS, FTP, Telnet, etc., the PIX never uses more than 160 MB of RAM. So does it mean that on a firewall such as the PIX 535, which can have up to 1 GB of RAM, it actually never uses more than 256 MB of RAM?

Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64169&t=64169
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
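As an added example (not from the original post, and not a Cisco-published configuration), here is what enabling PFS looks like on a PIX 6.3 crypto map for one of the tunnels described above. The peer address, networks, access-list and map names and the pre-shared key are placeholders. The cost PFS adds is one extra DH group 2 exchange per phase 2 negotiation and rekey, not per packet, so on a box with no VAC the things that drive the extra load are the number of tunnels and the IPsec SA lifetime rather than the throughput figures in the post. The remote peer has to be configured for the same PFS group, or phase 2 will fail after the change, so roll it out one tunnel at a time and compare CPU before and after.

```cisco
! Added example, not from the original post. Addresses, names and the
! pre-shared key are placeholders (203.0.113.10, 10.1.0.0/16, 10.2.0.0/16).
!
! Phase 1 (ISAKMP): unchanged from what the tunnels already use.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key PLACEHOLDER-PSK address 203.0.113.10 netmask 255.255.255.255
!
! Phase 2 (IPsec): 3DES/SHA-1 transform set, one crypto map entry per peer.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list VPN-TO-SITE-A permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 ipsec-isakmp
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITE-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-3DES-SHA
! The PFS line is the only addition. It forces a fresh DH group 2 exchange
! on every phase 2 (IPsec SA) negotiation and rekey; the remote peer must
! be set to the same group or phase 2 will fail after the change.
crypto map OUTSIDE-MAP 10 set pfs group2
! The SA lifetime decides how often that extra exponentiation happens.
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 28800
crypto map OUTSIDE-MAP interface outside
sysopt connection permit-ipsec
!
! Checks before and after enabling PFS on each tunnel:
!   show crypto map        (shows whether PFS and which DH group are set per entry)
!   show crypto ipsec sa   (SA established, encrypt/decrypt counters moving)
!   show cpu usage         (compare with the 40% / 55% baseline in the post)
!   show memory
```

Because the PIX in the post has ten tunnels, a 28800 second (8 hour) SA lifetime means on the order of thirty extra 1024-bit DH exchanges per day across all tunnels, plus any triggered by traffic-volume rekeys or tunnel restarts; that is a small, bursty cost compared with the continuous 3DES work the existing tunnels already do, which is why measuring CPU on one tunnel first is the safer way to answer the question than guessing from the throughput numbers.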