DATA SHEETCISCO IPSEC AND SSL VPN SOLUTIONSCisco VPN 3000 Series Concentrators, Cisco PIX Security Appliances, Cisco ASA 5500 Series Adaptive Security Appliances,Cisco IOS VPN Security Routers, and Cisco Catalyst 6500 Series SwitchesVPNs allow organizations to securely connect remote offices and remote users using cost-effective, third-party Internet access rather than expensivededicated WAN links. By deploying VPNs over high-bandwidth transport such as DSL, Ethernet, and cable, organizations can easily reduce theirconnectivity costs while increasing remote connection bandwidth. VPNs are an alternative to the Frame Relay and leased-line WAN infrastructurestypically used to provide network connectivity for branch offices, home office intranets, and business partner extranets.Encrypted VPNs provide the highest possible levels of security through advanced encryption and authentication protocols that protect data fromunauthorized access. With encrypted VPNs, corporations are able to increase the capacity of data, users, and connections without significantlyadding to an existing infrastructure. Encrypted VPNs provide more flexibility and scalability than Frame Relay and leased-line connections byenabling corporations to take advantage of the easy-to-provision Internet infrastructure within ISPs and easily add new users. As a result,corporations are able to dramatically increase capacity without the need to significantly expand infrastructure.There are two types of encrypted VPNs: site-to-site and remote-access. Site-to-site encrypted VPNs provide the same benefits as private WANs—they help to ensure private communications from one trusted site to another, and provide multiprotocol support, high reliability, and extensivescalability. Site-to-site encrypted VPNs are cost-effective and secure, and allow for greater administrative flexibility than legacy private WANs.Remote-access VPNs are a flexible and cost-effective alternative to private dialup solutions; in fact, VPNs have become the logical solution forremote-access connectivity. Deploying a remote-access VPN helps reduce organizations’ communications expenses by using the local dialupinfrastructures of ISPs. Similarly, remote-access VPNs allow mobile workers, telecommuters, partners, and day extenders to take advantage ofbroadband connectivity.VPN SOLUTIONS TO MEET EVERY NEEDCisco Systems offers a wide range of VPN products, from VPN-optimized routers, firewalls, and dedicated VPN concentrators to hardwareand software-based VPN clients and Secure Sockets Layer (SSL)-based VPNs, resulting in a complete portfolio of VPN solutions able to meetthe requirements of any organization.The extensive portfolio of Cisco VPN solutions includes Cisco IOS VPN security routers, Cisco Catalyst 6500 Series switches, Cisco VPN 3000Series concentrators, Cisco PIX security appliances, and the new Cisco ASA 5500 Series of adaptive security appliances. These solutions aredesigned with mission-specific feature sets, and implement leading VPN technologies such as IP Security (IPSec) and SSL to allow customers todeploy the best technologies available based on their network environments and requirements.Site-to-Site VPNSite-to-site VPNs allow businesses to extend their network resources to branch offices, home offices, and business partner sites. All trafficsent between the sites is encrypted using IPSec, which provides network-layer encryption for sensitive data passing across the VPN tunnel.All contents are Copyright 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.Page 1 of 1

Remote-Access VPNIPSec VPN provides remote users with the most robust remote-access environments by extending almost any data, voice, or video applicationavailable in the office to remote working locations, helping to create a user experience that emulates working in the main office location.Cisco WebVPNCisco WebVPN provides SSL VPN-based remote-access connectivity from almost any Internet-enabled location using only a Web browser andits native SSL encryption, enabling companies to securely extend their enterprise networks to any authorized user by providing remote-accessconnectivity to corporate resources from any Internet-enabled location. SSL VPN enables access from non-corporate-owned machines such as homePCs, Internet kiosks, or wireless hotspots, where an IT department cannot easily deploy and manage the VPN client software necessary for IPSecVPN connections. The Cisco WebVPN solution delivers three levels of SSL VPN access: clientless, thin-client, and SSL tunneling client access,enabling the appropriate level of application access based on the end-system deployment environment requirements. SSL VPNs allow users to accessWebpages and Web-enabled services—including the ability to access files, send and receive e-mail, and run TCP-based applications—without theuse of IPSec VPN client software. SSL-based VPNs are an excellent fit for user populations that require per-application or per-server access control,or access from non-enterprise-owned desktops.SSL VPNs and IPSec VPNs are complementary technologies that can be deployed together to better address the unique access requirements ofdiverse user communities. Cisco has enhanced its widely deployed IPSec VPN products to deliver SSL-based VPN (clientless, Web browser-based)services as well, providing the benefits of both technologies on a single device.* This strategy eases deployment and management by using theexisting installed infrastructure, preserving customer investments in existing VPN equipment.In addition, the innovative Cisco Easy VPN capabilities found in Cisco VPN 3000 Series concentrators, Cisco PIX Security Appliances, Cisco ASA5500 Series appliances, and Cisco IOS routers deliver a uniquely scalable, cost-effective, and easy-to-manage remote-access VPN architecture.Built upon the foundation of dynamic policy distribution and effortless provisioning, Cisco Easy VPN eliminates the operational costs associatedwith maintaining remote-device configurations typically required by traditional VPN solutions. Easy VPN enables Cisco customers to enjoy themany benefits that VPNs provide—such as increased employee productivity as a result of high-speed broadband connectivity, and significantlyreduced operational costs that result from eliminating legacy dialup architecture expenses—without the problems commonly associated with otherremote-access VPN solutions.Cisco Easy VPN consists of two components: Easy VPN Server and Easy VPN Remote. Cisco Easy VPN Server allows Cisco IOS routers, CiscoPIX Security Appliances, Cisco ASA 5500 Series adaptive security appliances, and Cisco VPN 3000 Series concentrators to act as VPN head-enddevices in site-to-site or remote-access VPNs, where the remote office devices are using Cisco Easy VPN Remote. Using Cisco Easy VPN Remote,security policies defined at the head-end are pushed to the remote VPN device, helping to ensure that those connections have up-to-date policies inplace before connections are established. The Cisco Easy VPN Remote feature is supported by a wide range of platforms, including Cisco IOSrouters, Cisco PIX Security Appliances, Cisco adaptive security appliances, Cisco VPN 3002 hardware clients, and Cisco VPN software clients.Table 1 shows the Cisco product matrix and feature benefits for site-to-site and remote-access VPNs.*This capability is available at no additional cost for Cisco VPN 3000 Series concentrators with Release v4.7. 2005 Cisco Systems, Inc. All rights reserved.Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on 2 of 17

Table 1.Cisco Product Matrix and Feature Benefits for Site-to-Site and Remote-Access VPNSite-to-Site VPNIPSec Remote-Access VPNSSL Remote-Access VPNCisco PIX Security AppliancesYYNCisco VPN 3000 SeriesYMost feature-richMost feature-richCisco IOS Software orCisco Catalyst SwitchesMost feature-richYNCisco ASA 5500 SeriesYMost feature-richYCISCO VPN 3000 SERIES CONCENTRATORSThe Cisco VPN 3000 Series offers best-in-class remote-access VPN devices that provide businesses with unprecedented cost savings throughflexible, reliable, and high-performance remote-access solutions. The Cisco VPN 3000 Series is Cisco’s most feature-rich remote-access VPNplatform, offering solutions for the most diverse remote-access deployment scenarios. By offering both IPSec and SSL VPN connectivity on asingle platform—without the expense of individual feature licensing—customers can achieve significant cost savings while experiencing theindustry-leading advanced features required by today’s remote-access VPN deployments.To fully realize the benefits of high-performance, secure remote access, a robust, highly available VPN solution is needed. The Cisco VPN 3000Concentrator with version 4.7 software incorporates the most advanced, high-availability capabilities with a unique purpose-built, remote-accessarchitecture that enables corporations to build high-performance, scalable, and robust VPN infrastructures to support their mission-critical, remoteaccess application requirements.The Cisco VPN 3000 Concentrator Software with version 4.7 software delivers extensive application access with the SSL VPN client for WebVPN,best-in-market endpoint security and data integrity protection with the Cisco Secure Desktop, leading network infrastructure access with trulyclientless Citrix server support, and network compliance validation controls with IPSec-enabled Network Admission Control (NAC).Cisco VPN 3000 Series concentrators are ideal for organizations that require the most advanced and flexible remote-access VPN technology and thatprefer the operational simplicity and management segregation of a focused-function VPN device. Purpose-built for remote-access VPN, Cisco VPN3000 Series concentrators incorporate high availability, high performance, and scalability with the most diverse encryption and authenticationtechniques available today (Figure 1).Figure 1. Cisco VPN 3000 Series ConcentratorsTeleworkers/SOHOSmall BranchCisco VPN 3002Cisco VPN 3005Medium-Sized BranchEnterprise BranchEnterprise HeadquartersCisco VPN 3060Cisco VPN 3080Cisco VPN 3020Cisco VPN 3030Cisco VPN 3015Features of the Cisco VPN 3000 Series platform include: 2005 Cisco Systems, Inc. All rights reserved.Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on 3 of 17

Customized application access with Cisco WebVPN v4.7 delivering clientless, thin-client, and SSL tunneling client access methods. Thisenables deployment of the appropriate level of application access based on the end-system deployment environment, such as employees, extranets,and non-company-managed devices.– The SSL VPN Client for WebVPN is a lightweight, centrally configured, and easy-to-support SSL VPN software client which allows accessto virtually any application. The SSL VPN Client for WebVPN is compatible with any SSL-enabled browser, and is dynamically pushed tothe user in one of three methods—ActiveX, Java, or an .exe file.– Thin-client access with Cisco WebVPN v4.7 is achieved through a port forwarding mechanism enabled by a small Java applet download.Port forwarding relays data requested by the port on the local machine to the corresponding application port on the network side—grantingthe user access to more applications and network resources than a Web browser offers.– Clientless access with Cisco WebVPN allows users to connect to a corporate network with little requirements beyond a basic Web browser,and the ability to access Web servers or resources such as file shares and e-mail through Outlook Web Access 2003. The Cisco Secure Desktop is an industry-leading endpoint security solution offering advanced endpoint security and data theft prevention. Atsession initiation, the Cisco Secure Desktop performs a pre-connection security posture assessment, checking for the presence of antivirus softwareand personal firewall software, and ensures a keystroke logger is not running on the endpoint prior to the session initiation. During the session, allsession data is encrypted and written to a secure vault, or partition to the hard drive, and cannot be saved to the host system by the user, knowinglyor unknowingly. At the close of the session, the secure vault is eradicated using a U.S. Department of Defense (DoD) sanitization algorithm,erasing all session information, including cache files, history, cookies, file downloads, and passwords. Cisco VPN 3000 Concentrator Software v4.7 offers fully clientless Citrix support for terminal service environments, without the need for any SSLVPN client software. This increases application performance and reduces endpoint software compatibility issues, providing users with rapid andhighly stable system access regardless of browser or security settings. Cisco VPN 3000 Concentrator Software v4.7 is NAC-enabled for IPSec remote-access scenarios, allowing the concentrator to act as a NACenforcement point. This reduces the risk associated with extending network resources in remote-access scenarios by preventing vulnerable hostsfrom obtaining and retaining normal network access. Standards-based, easy-to-use VPN client with touchless Cisco Easy VPN configuration management and broad operating system support,including Windows, Mac, Linux, and Solaris. Integrated Web-based management system that enables corporations to easily install, configure, and monitor their remote-access VPNs. Integrated clustering and load-balancing capabilities that enable customers to scale their Cisco VPN 3000 Series deployments to tens of thousandsof users with low operational expense. Broad user authentication support, including single-use passwords, RADIUS, Active Directory, Security Dynamics’ SDI, digital certificates, andmany othersCisco VPN 3000 Series concentrators supports the widest range of connectivity options, including WebVPN, Cisco VPN Client, Cisco VPN 3002Hardware Client, Microsoft Layer 2 Tunneling Protocol (L2TP)/IPSec, and Microsoft Point-to-Point Tunneling Protocol (PPTP).The Cisco VPN 3000 Series offers both award-winning IPSec capabilities and clientless SSL VPN capabilities on a single platform. The combinationof Cisco WebVPN and IPSec VPN provides unparalleled deployment flexibility and ease of management for meeting the requirements of anyremote-access user population. Available applications include Webpage access, Windows (CIFS) file shares (via Web interface), e-mail (SimpleMail Transfer Protocol [SMTP], point of presence [POP], Internet Message Access Protocol [IMAP], MAPI/Exchange, Outlook Web Access, LotusNotes, and Lotus iNotes), and most TCP-based client-server applications. Cisco WebVPN supports load balancing, multidevice clustering for pay-asyou-go scalability and resiliency, user-group-based management, and all user authentication methods supported by the Cisco VPN 3000, includingsingle-use passwords, RADIUS, Active Directory, SDI, and digital certificates and many others. 2005 Cisco Systems, Inc. All rights reserved.Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on 4 of 17

Table 2 gives performance data for Cisco VPN 3000 Series concentrators.Table 2.*Cisco VPN 3000 Series Concentrator PerformanceCisco VPN 3000 SeriesConcentratorsSimultaneous IPSecRemote-Access Users*Maximum LAN-to-LANSessionsSimultaneous WebVPN(Clientless) Users**Encryption ThroughputCisco VPN 3002253***1–2.2 MbpsCisco VPN 3005200100504 MbpsCisco VPN 3015100100754 MbpsCisco VPN 302075025020050 MbpsCisco VPN 3030150050050050 MbpsCisco VPN 306050001000500100 MbpsCisco VPN 308010,0001000500100 MbpsAssumes maximum device memory and Enhanced Scalable Encryption Processing (SEP-E) modules (Cisco VPN 3020, 3030, 3060, and 3080 models). Forplanning purposes, a simultaneous IPSec user is considered to be a remote-access VPN user connected in all-tunneling mode; this includes one IKE securityassociation and two unidirectional IPSec security associations. Network sizing should take into consideration number of sessions, throughput per user, andaggregate throughput of the remote access environment when choosing the appropriate VPN 3000 Concentrator model.** Assumes maximum device memory and SEP-E modules (models 3020–3080). For planning purposes, a simultaneous WebVPN user is considered to be aclientless VPN user retrieving a Webpage at up to every 60 seconds. Users log in at the rate of one per second and pass data for the duration of the test. Theaverage retrieval time for the Webpage is less than or equal to five seconds.*** Refers to the number of devices on a single network behind the Cisco VPN 3002 Hardware Client.Cisco VPN 3000 Series concentrators can be managed using any standard Web browser (HTTP or Secure HTTP [HTTPS]), as well as by Telnet,Secure Shell Protocol (SSHv1), or a console port. Files can be accessed through HTTPS, FTP, and SSH Copy (SCP). The Cisco VPN 3000 Seriesprovides a user-friendly interface that simplifies configuration and monitoring by the enterprise and the service provider. This flexible user interfaceallows the configuration of access levels by user and groups, allowing thorough configuration and maintenance of security policies. For larger-scaledeployments, Cisco VPN 3000 Series concentrators are supported in several Cisco network management applications, including the Cisco IPSolution Center (ISC), Cisco VPN Monitor, CiscoWorks CiscoView, and tools available from Cisco AVVID (Architecture for Voice, Videoand Integrated Data) partners.CISCO ASA 5500 SERIES ADAPTIVE SECURITY APPLIANCESCisco ASA 5500 Series all-in-one adaptive security appliances deliver enterprise-class security and VPN to small and medium-sized businesses(SMBs) and large enterprise networks in a modular, purpose-built appliance (Figure 2). The Cisco ASA 5500 Series incorporates a wide range ofintegrated security services, including firewall, intrusion prevention system (IPS), and VPN in an easy-to-deploy, high-performance solution. Byintegrating VPN and security services, the Cisco ASA 5500 Series provides secure VPN connectivity and communications. Integrated AdaptiveThreat Defense capabilities protect the VPN deployment from becoming a conduit for network attacks such as worms, viruses, malware, or hacking.Detailed application and access control policy is applied to VPN traffic, so individuals and groups of users have access to the services and resourcesto which they are entitled.The Cisco ASA 5500 Series is Cisco’s most feature-rich solution for IPSec remote access, and also supports SSL VPN and IPSec site-to-siteconnectivity. Furthermore, the series provides higher scalability and increased throughput capabilities, relative to Cisco VPN 3000 Seriesconcentrators. Cisco ASA 5500 Series adaptive security appliances integrate easily into any Cisco VPN 3000 Series load-balancing cluster. 2005 Cisco Systems, Inc. All rights reserved.Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on 5 of 17

Figure 2. The Cisco ASA 5500 Series PortfolioCisco ASA 5510Cisco ASA 5520Cisco ASA 5540Small BranchMedium-Sized BranchEnterprise Branch or HeadquartersTable 3 summarizes the VPN performance of each adaptive security appliance.Table 3.Cisco ASA 5500 Series Appliance VPN PerformanceModelVPN BasicVPN PlusVPN Throughput (300/1400 Byte)Cisco ASA 551050 VPN peers150 VPN peers50/170 MbpsCisco ASA 5520300 VPN peers750 VPN peers100/225 MbpsCisco ASA 5540500 VPN peers2000 VPN peers200/325 Mbps5000 VPN peers with a VPNpremium licenseLicensing for the Cisco ASA 5500 Series licenses encompasses a large number of new features. There are three Cisco ASA licenses: Basic, VPNPlus, and VPN Premium. Feature licenses are available for additional security context support, failover active-active support, and GPRS TunnelingProtocol (GTP) support. Generally as you move upward in licensing class (Basic Plus Premium) the number of supported VPN peers increases(e.g. for the 5540 supported VPN peers changes from 500 to 2000 and finally 5000). Please see the product data sheet for more details.Remote Access—The Cisco ASA 5500 Series offers flexible technologies that deliver tailored solutions to suit connectivity requirements. It providesemployees with company-managed desktops robust, customizable remote access via an IPSec VPN. In situations where endpoints are not companymanaged, such as extranets, Internet kiosks, or employee-owned desktops, the Cisco ASA 5500 Series delivers WebVPN for SSL-based remoteaccess. Enterprises can take advantage of Cisco’s remote-access expertise to deploy a single integrated platform with broad support for coreenterprise applications. Flexible platform—Offers both IPSec and SSL VPN on a single platform, eliminating the need to provide parallel solutions. The inefficiency andadded cost of deploying separate, distinct platforms for both SSL and IPSec VPNs is eliminated. Resilient clustering—Allows remote-access deployments to scale cost-effectively by evenly distributing VPN sessions across all Cisco ASA 5500Series and VPN 3000 Series devices without requiring any user intervention. This highly resilient capability eliminates any single point of failureand helps to protect customer investments. Cisco Easy VPN—Delivers a uniquely scalable, cost-effective, and easy-to-manage remote-access VPN architecture. Cisco ASA 5500 Seriesappliances dynamically push the latest VPN security policies to remote VPN devices and clients, making sure those endpoint policies are up todate before a connection is established. This offers the ultimate flexibility, scalability, and ease of use. Automatic Cisco VPN Client updates—The Cisco ASA 5500 Series provides VPN client software “auto-update” capabilities that enableautomated version upgrades for Cisco VPN Client software operating on remote desktops. 2005 Cisco Systems, Inc. All rights reserved.Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on 6 of 17

Site-to-Site—Using the standards-based site-to-site VPN capabilities provided by the Cisco ASA 5500 Series, businesses can securely extend theirnetworks across low-cost Internet connections to business partners and remote and satellite offices worldwide. VPN infrastructure for today’s applications—The Cisco ASA 5500 Series provides a VPN infrastructure capable of converged voice, video, anddata across a secure IPSec network, by combining robust site-to-site VPN support with rich inspection capabilities, quality of service (QoS),routing, and stateful failover features, allowing businesses to take advantages of the many benefits that converged networks deliver. Robust security and performance—Branch and remote offices extend a company’s reach into different markets and locations. Cisco ASA 5500Series-based VPN solutions enable secure, high-speed communications between multiple locations, offering the performance, reliability, andavailability that businesses need to communicate.Cisco ASA 5500 Series adaptive security appliances are managed via the integrated Web-based Cisco Adaptive Security Device Manager (ASDM).Cisco ASDM manages all security and VPN functions of the appliances.CISCO PIX SECURITY APPLIANCESWorld-leading Cisco PIX Security Appliances provide robust, enterprise-class, integrated network security services, including stateful inspectionfirewalling, deep protocol and application inspection, IPSec VPN, multivector attack protection, and rich multimedia and voice security—in costeffective, easy-to-deploy solutions. Cisco PIX Security Appliances range from compact, “plug-and-play” desktop security appliances for small andhome offices to modular, carrier-class gigabit security appliances for the most demanding enterprise and service provider environments (Figure 3).Cisco PIX Security Appliances are ideal for those looking for the best-of-breed firewall combined with comprehensive VPN support. They are alsoan excellent option for organizations whose security policies recommends separate management of the security infrastructure, setting a cleardemarcation between security and network operation.Figure 3. Cisco PIX Security Appliance PortfolioTeleworker/SOHOSmall BranchMedium-Sized BranchEnterprise BranchEnterprise EdgeEnterprise HeadquartersData CenterCisco PIX 501Cisco PIX 506ECisco PIX 515ECisco PIX 525Cisco PIX 535The figure above provides general guidelines. Network environments should be scaled on application requirements, not solely on the sizeof the network.Built upon a hardened, purpose-built operating system designed for delivering rich security services, Cisco PIX Security Appliances provide thehighest levels of security. The appliances have earned numerous industry evaluations and certifications, including Common Criteria EvaluationAssurance Level (EAL) 4 status, as well as ICSA Labs Firewall and IPSec certifications.Cisco PIX Security Appliances provide market-leading protection for a wide range of voice-over-IP (VoIP) and multimedia standards, allowingbusinesses to securely take advantage of the many benefits that converged data, voice, and video networks deliver. By combining VPN with the richstateful inspection firewall services that Cisco PIX Security Appliances provide for these converged networking standards, businesses can securelyextend voice and multimedia services to home-office and remote-office environments for additional cost savings, improved productivity, andcompetitive advantage.Using the standards-based site-to-site VPN capabilities provided by Cisco PIX Security Appliances, businesses can securely extend their networksacross low-cost Internet connections to business partners and remote and satellite offices worldwide. Built upon the IKE and IPSec VPN standards,Cisco PIX Security Appliances encrypt data using 56-bit Data Encryption Standard (DES), 168-bit Triple DES (3DES), or up to 256-bit Advanced 2005 Cisco Systems, Inc. All rights reserved.Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on 7 of 17

Encryption Standard (AES). Cisco PIX Security Appliances can also participate in X.509-based Public Key Infrastructures (PKIs) and provide easy,automated certificate enrollment using the Simple Certificate Enrollment Protocol (SCEP)—another Internet standard that Cisco Systems helpedpioneer.Remote-access users can be authenticated against the internal user ID/password database on the Cisco PIX security appliance itself (which alsointegrates with Kerberos [Windows Active Directory], Lightweight Directory Access Protocol [LDAP], and RSA SecurID backend systems), orvia an external source using TACACS or RADIUS. Access to network resources can be strongly authenticated through the Cisco PIX securityappliance’s local user database or through integration with enterprise databases, either directly using TACACS /RADIUS or indirectly with CiscoSecure Access Control Server (ACS). Additionally, Cisco PIX Security Appliances support dynamic downloading and enforcement of access controllists (ACLs) on a per-user basis, upon user authentication with the device. Cisco PIX Security Appliances support a wide range of VPN clients, fromCisco VPN Client to the Microsoft embedded PPTP clients, L2TP VPN clients, and clients for mobile personal digital assistant (PDA) devices.Certain Cisco PIX models have integrated hardware VPN acceleration capabilities. The Cisco VPN Accelerator Card (VAC ) delivers up to 425Mbps of DES, 3DES, or AES IPSec encryption throughput. Well beyond full-duplex OC-3 line rates, the Cisco PIX security appliance with VAC provides excellent price and performance for small to very large enterprise-class site-to-site aggregation. Moreover, it supports up to 2000 encryptedtunnels for mixed VPN environments that have both site-to-site and remote-access VPN requirements. These performance features, along withupgradable encryption accelerators and LAN interfaces, make Cisco PIX Security Appliances some of the most scalable, upgradable, and costeffective central-site VPN and security solutions on the market. This high level of modularity provides unmatched investment protection. Individualcomponents of the solution can be upgraded as requirements grow, helping customers avoid costly upgrades of the entire chassis to enable newfeatures or performance levels.Table 4 summarizes the crypto performance of each Cisco PIX security appliance model (using 3DES and AES-128 with 1400-byte packets).Table 4.Cisco PIX Security Appliance IPSec PerformanceModelMaximum Site-to-Site andRemote User Tunnels3DES PerformanceAES-128 PerformanceCisco PIX 501103 Mbps4.5 MbpsCisco PIX 506E2515 Mbps30 MbpsCisco PIX 515E with VAC 2000130 Mbps130 MbpsCisco PIX 525 with VAC 2000145 Mbps135 MbpsCisco PIX 535 with VAC 2000425 Mbps495 MbpsCisco PIX Security Appliances provide up to 16 levels of customizable administrative roles so that enterprises can grant administrators andoperations personnel the appropriate level of access to each device (for example, monitoring-only, read-only access to the configuration, VPNconfiguration only, or firewall configuration only).Administrators can choose from products that meet their operational requirements for remotely configuring, monitoring, and troubleshooting CiscoPIX Security Appliances. Administrators can manage Cisco PIX Security Appliances using a convenient CLI through a variety of methods, includingTelnet, SSH, or out-of-band via a console port. Alternatively, Cisco ASDM, an easy to use, Web-based device configuration tool embedded withinthe appliances, lets users graphically set up, configure, and monitor their Cisco PIX Security Appliances without requiring extensive knowledge ofthe CLI. In addition, a wide range of informative, real-time, and

Cisco Easy VPN Server allows Cisco IOS routers, Cisco PIX Security Appliances, Cisco ASA 5500 Series adaptive security appliances, and Cisco VPN 3000 Series concentrators to act as VPN head-end d