Networks

You'll be offloading CPu processing from the PIX. VPN processing is very CPU intensive because every single packet has to encrypted using a mathematic algorithm. If you have a lot of VPN users it can make a difference. You'll need to check the CPU usage on your PIX to figure out if it will make a difference. If you have a lot of CPU idle time on your PIX, then maybe you don't need a concentrator. But if you expect a lot of new VPN users, then maybe you'll need it for future growth.

Thanks alot joematus.

vpn concentrator or aka vpn gateway is dedicated to perform vpn connections (encrypt/decrypt, key exchange ,etc), so it comes with vpn accelerator hardware that could support more vpn throughput (or more vpn tunnels) compare to your pix or any firewall with built-in vpn. If you have multiple vpn users, it is always best to have a vpn concentrator to do the job and let your firewall performs security alone, or your firewall would cause a bottleneck to your network.

The main limit with PIX is that, if you're building site-to-site VPNs, you can't have packets come in on, and then route back out of the same interface. (For site-to-site VPNs use concentrator or, more likely, IOS routers with IPSec featureset).
Although the statements made about about VPN encryption overhead is true, many PIX firewalls have (or can have added) a VPN hardware accelerator - this offloads the excryption/decryption process from the main CPU.

I'd recommend a PIX for a simple remote access VPN, with relatively few users logging into a central network - it's easy to tie the VPN connections in with your firewall rules. If you have an off-board concentrator this is more complicated (and costly).

Regards,
Paul