PIX Firewalls

PIX Hardware
Cisco offers different models of the PIX, each suitable for environments of differing sizes and needs, as summarized in Table 8.1.The Firewall Services Module (FWSM) 1.1 for the Catalyst 6500 series switches provides no physical interfaces. Instead, it provides support for up to 100 virtual local area network (VLAN) interfaces. For failover support, the FWSM has a dedicated logical interface.

 

Models
Five models are currently supported: the 501, the 506E, the 515E, the 525, and the 535. However, there are three models that may be deployed in enterprise environments: the 506, the 515, and the 520.Table 8.1 shows the vital characteristics of each of the models:

 

Table of PIX Model Characteristics

Model

End of Life?

Processor Type

Maximum Interfaces

Failover Support

Cleartext Throughput

VAC Available

3DES Throughput

RAM Memory

501

No

133 MHz

AMD SC520

2

No

8 Mbps

No

3 Mbps

16 MB

506

Yes

200 MHz Intel
Pentium MMX

2

No

8 Mbps

No

6 Mbps

32 MB

506E

No

300 MHz
Intel Celeron

2

No

20 Mbps

No

16 Mbps

32 MB

515

Yes

200 MHz Intel
Pentium

MMX

6**

Yes

170 Mbps

No

10 Mbps

64 MB**

515E

No

443 MHz
Intel Celeron

6**

Yes

188 Mbps

Yes

63 Mbps*

64 MB**

520

Yes

233 MHz Intel
Pentium MMX

6

Yes

170 Mbps

Yes

60 Mbps*

128 MB

525

No

600 MHz Intel
Pentium III

8

Yes

360 Mbps

Yes

70 Mbps*

128 MB

535

No

1 GHz Intel
Pentium III

10

Yes

1 Gbps

Yes

100 Mbps*

1 GB**

*Maximum 3DES throughput is achieved with the VAC; **maximum requires the unrestricted license.

 

PIX 501

The PIX 501 is the basic entry fixed configuration model. It has a four-port 10/100 Mbps switch for inside connectivity and a single 10 Mbps interface for connecting to an Internet upstream device (such as a cable modem or DSL router). It provides 3 Mbps throughput on a 3DES IPsec connection, which should exceed a SOHO user’s requirements.The base license is a 10-user license with DES IPsec; an optional license for a 50-user upgrade and/or 3DES VPN support is available.The PIX 501 is based on a 133 MHz AMD SC520 processor with 16MB of randomaccess memory (RAM) and 8MB of flash.

 

PIX 506

The PIX 506 is the basic remote fixed configuration office/branch office model. It provides two autonegotiate RJ45 10BaseT ports (inside and outside).The 506 supports 8 Mbps cleartext throughput, with 6 Mbps 3DES IPsec and can support hundreds of VPN users.The hardware is based on a 200 MHz Intel Pentium MMX, with 32MB of RAM and 8MB of flash.

 

PIX 506E

The PIX 506E replaced the PIX 506, and has the same chassis with a beefier central processing unit (CPU), a quieter fan, and a new power supply.The CPU is a 300 MHz Intel Celeron with 32MB RAM and 8MB flash. Cleartext throughput is 20 Mbps (wire speed) while 3DES throughput is 16 Mbps. Licensing on the 506E (and 506) is a single, unlimited-user license.The only extra license that might be needed is the 3DES license.

 

PIX 515

The PIX 515 supports small- to medium-sized businesses at wirespeed. It can handle up to 170 Mbps of cleartext throughput.The 1U rack-mount chassis is configurable with a slot for an additional single-port or four-port Fast Ethernet interface, allowing the inside, outside, and up to four additional DMZ networks. It has a 200 MHz Intel Pentium MMX with 32MB of RAM and 8MB of flash (the same as the 506E).The restricted license limits the number of interfaces to three and does not support high availability.The unrestricted license supports up to 64MB RAM, up to six interfaces, and failover.

 

PIX 515E

The PIX 515E replaced the 515 in May 2002, and has a 433 MHz Intel Celeron CPU. It can offload the arithmetic load of DES computation to a dedicated VPN accelerator card (VAC), which delivers up to 63 Mbps 3DES throughput and 2,000 IPsec tunnels.The restricted license is limited to three interfaces and no failover, whereas the unrestricted license supports up to 64MB memory, the VAC, failover, and up to six interfaces.

 

PIX 520

The PIX 520 has a PC-style rack-mount chassis that supports a wide mix of available media cards, including Token Ring and fiber.The 520 has a floppy drive and is on the 200 MHz Intel Pentium MMX, and supports up to 128MB of RAM.The 520 license is based on the number of users. PIXCONN- 128 allows 128 simultaneous users, with upgrades for 1024 users or unlimited users.

 

PIX 525

The PIX 525 replaced the PIX 520 in June 2001. It is designed for large enterprise or small service provider environments. While it has no floppy drive, the 525 supports single- or four-port 10/100 Fast Ethernet, 4/16 Token Ring, and dual-attached multimode Fiber Distributed Data Interface (FDDI) cards, as well as Gigabit Ethernet. Based on the 600 MHz Intel Pentium III, the 525 boasts 360 Mbps cleartext throughput and, with the accelerator card, 70 Mbps of 3DES IPsec tunnel traffic.The restricted license limits the PIX 525 to 128MB of RAM and six interfaces. The unrestricted bumps RAM to 256MB, allows up to eight interfaces, and supports failover. As before, 3DES licensing is separate, if desired.

 

PIX 535

The PIX 535 is the current top-of-the-line model, suitable for service provider environments. It can provide up to 1 Gbps cleartext throughput, 500K simultaneous connections, and 7,000 connection initialization/teardowns a second. A VAC provides 100 Mbps 3DES throughput, with up to 2,000 simultaneous security associations (VPN tunnels).The PIX 535 is based on a 1 GHz Intel Pentium III, with up to 1GB of RAM. It has a 16MB flash and 256K cache running at 1 GHz, as well as a dual 64-bit 66 MHz Peripheral Component Interconnect (PCI) system bus. Cards available are the one- or four-port 10/100 Ethernet network interface cards (NICs) or 1GB Ethernet multimode ”stick and click” fiber connectors.

 

Licensing

The three license categories are unrestricted, restricted, and failover. If you have a single PIX, you will want unrestricted or restricted licensing, depending on the number of interfaces you want to support. If you have two PIX appliances and want high availability (described previously), you will want one machine with an unrestricted license and another machine with a failover license.

 

Software Licensing and Upgrades

The PIX has customized licensing to enable or disable features to fit the administrator’s needs. Features differ depending on the activation key.The activation key allows the administrator to enable features without acquiring new software.The activation key is computed by Cisco using the feature matrix and serial number.The serial number is based on the flash, so if the flash is replaced, the activation key must be replaced.The activation key enables feature-specific information such as interfaces, high availability, and type of encryption.

 

The show version command can be used to get information about the activation key. It shows the code version, hardware information, and activation key information.The show activation-key can also be used.

 

Serial Number: 480090153 (0x1c9d9829)

 

Running Activation Key: 0x75fe7c49 0xc08b4082 0x08979930 0xe4b4c4b0

 

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES: Disabled

Maximum Interfaces: 6

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited