PIX Hardware


The PIX has many different configuration models to ensure that the product will be suited to different environments. Obviously, the requirements of a SOHO user will be different from those of a service provider. Cisco has provided various classes with different price points to ensure optimum product placement.

Models

Five models are currently sold and supported: the 501, the 506E, the 515E, the 525, and the 535. In addition, three end-of-life models are still commonly found in enterprise environments: the 506, the 515, and the 520. Table 8.1 summarizes the vital characteristics of each model.

PIX 501

The 501 is the entry-level PIX and has a fixed hardware configuration. It has a four-port 10/100Mbps switch for inside connectivity and a single 10Mbps interface for connecting to the upstream Internet device (such as a cable modem or DSL router). It provides 3Mbps of throughput on a 3DES IPsec connection, which should exceed a SOHO user's requirements. The base license supports 10 users with DES IPsec; a 50-user upgrade and 3DES VPN support are available as optional licenses.

Table 8.1: PIX Model Characteristics

| Model | End of Life? | Processor Type | Maximum Interfaces | Failover Support | Clear-Text Throughput | VAC Available? | 3DES Throughput | RAM Memory |
|-------|--------------|----------------|--------------------|------------------|-----------------------|----------------|-----------------|------------|
| 501   | No  | 133MHz AMD SC520         | 2       | No  | 8Mbps   | No  | 3Mbps       | 16MB        |
| 506   | Yes | 200MHz Intel Pentium MMX | 2       | No  | 8Mbps   | No  | 6Mbps       | 32MB        |
| 506E  | No  | 300MHz Intel Celeron     | 2       | No  | 20Mbps  | No  | 16Mbps      | 32MB        |
| 515   | Yes | 200MHz Intel Pentium MMX | 6[**]   | Yes | 170Mbps | No  | 10Mbps      | 64MB[**]    |
| 515E  | No  | 433MHz Intel Celeron     | 6[**]   | Yes | 188Mbps | Yes | 63Mbps[*]   | 64MB[**]    |
| 520   | Yes | 233MHz Intel Pentium MMX | 6       | Yes | 170Mbps | Yes | 60Mbps[*]   | 128MB       |
| 525   | No  | 600MHz Intel Pentium III | 8       | Yes | 360Mbps | Yes | 70Mbps[*]   | 256MB[**]   |
| 535   | No  | 1GHz Intel Pentium III   | 10      | Yes | 1Gbps   | Yes | 100Mbps[*]  | 1GB[**]     |

[*] Maximum 3DES throughput is achieved with the VAC.

[**] Maximum requires the unrestricted license.

The 501 is based on a 133MHz AMD SC520 processor with 16MB of RAM and 8MB of flash. There is a console port, a half-duplex RJ45 10BaseT port for the outside interface, and an integrated, autosensing, auto-MDIX four-port RJ45 10/100 switch for the inside.

PIX 506

The 506 is the basic remote office/branch office device. Once again, the appliance is not hardware configurable: it has one console port and two autonegotiating RJ45 10BaseT ports, one for inside and one for outside. Clear-text throughput is the same 8Mbps as the 501, but 3DES IPsec throughput doubles to 6Mbps, which should be enough to carry hundreds of branch office users through a VPN tunnel back to corporate.

The hardware is based on a 200MHz Intel Pentium MMX, with 32MB of RAM and 8MB of flash.

PIX 506E

The 506E, an enhanced version of the 506, has replaced it on the product sheets. The chassis is similar, but the 506E has a faster CPU, a quieter fan, and a new power supply. The CPU is a 300MHz Intel Celeron, while RAM and flash remain at the same capacity. Clear-text throughput has been increased to 20Mbps (wire speed), and 3DES throughput to 16Mbps. Licensing on the 506E (and 506) is simpler than on the 501: it is provided in a single, unlimited-user mode. The only extra license you might need is the 3DES license.

PIX 515

The next step up the scale is the PIX 515, intended for the enterprise core of small to medium-sized businesses. Again, this product offers wire-speed performance, but this time the pipe is fatter: it can handle up to 170Mbps of clear-text throughput.

The chassis is a 1U pizza box intended for rack mounting. Probably the most important difference between the 506 and the 515 is that the chassis is configurable; it comes with a slot for an additional single-port or four-port Fast Ethernet card, allowing inside, outside, and up to four additional service networks. The base unit uses the same 200MHz Intel Pentium MMX with 32MB of RAM and 8MB of flash as the 506.

The licensing is flexible, so enterprises can purchase only what they need. The restricted license limits the number of interfaces to three and does not support high availability. The unrestricted license allows for an increase in RAM (from 32MB to 64MB) and up to six interfaces, together with failover capability.

PIX 515E

The 515E replaced the 515 in May 2002. It has a higher-performing 433MHz Intel Celeron, increasing base firewall performance. Another new option is the ability to offload DES and 3DES computation from the main CPU to a dedicated VPN accelerator card (VAC), delivering up to 63Mbps of 3DES throughput and 2,000 IPsec tunnels. Licensing is similar to the 515: the restricted license limits you to three interfaces and no failover, whereas the unrestricted license adds the memory upgrade, VAC support, failover, and up to six interfaces.

PIX 520

The PIX 520 is an odd bird. It was designed as the high-end PIX platform, with a PC-style rack-mount chassis and a wide mix of available media cards, including Token Ring and fiber. Like the earlier PIX models, the 520 comes with a DB9 console port and a diskette drive; it is based on the 200MHz Intel Pentium MMX but with 128MB of RAM. Also unusual is the licensing: like the 501, the 520's license is based on the number of users. For an entry-level PIX 520, you would purchase PIX-CONN-128, which allows 128 simultaneous users. License upgrades to 1,024 users or unlimited users were available.

Having the diskette drive is especially convenient. Although it uses up real estate in the rack, it gives you a handy boot medium in case the network goes down or is otherwise inaccessible; no TFTP server is required. It also allows you to readily reset the password (by booting the appropriate password-clearing binary) or restore the unit to a known good configuration. The flip side is that anyone with physical access to the chassis and a boot diskette can do the same, so the rack itself must be physically secured. Today these recovery and restore tasks are normally performed through network management tools such as CiscoWorks or the PIX Firewall Manager.

PIX 525

The PIX 525 replaced the PIX 520 in June 2001. It is designed for large enterprise or small service provider environments. The diskette drive is gone; however, the 525 still supports single- or four-port 10/100 Fast Ethernet, 4/16 Token Ring, and dual-attached multimode FDDI cards, but now also picks up Gigabit Ethernet. Performance tells the story here: Based on the 600MHz Intel Pentium III, the 525 boasts 360Mbps clear-text throughput and, with the accelerator card, 70Mbps of 3DES IPsec tunnel traffic.

Licensing is based on interface counts and failover, as with the earlier models. The restricted license limits the PIX 525 to 128MB of RAM and six interfaces. The unrestricted bumps RAM to 256MB, allows up to eight interfaces, and supports failover. As before, 3DES licensing is separate, if desired.

PIX 535

The PIX 535 is the top-of-the-line model, suitable for service provider environments. Performance is the key: up to 1Gbps of clear-text throughput, half a million simultaneous connections, and 7,000 connection setups and teardowns per second. With the VAC, you get 100Mbps of 3DES throughput and up to 2,000 simultaneous security associations (VPN tunnels).

In terms of hardware, the PIX 535 is based on a 1GHz Intel Pentium III with up to 1GB of RAM. It has 16MB of flash, 256KB of cache running at 1GHz, and a dual 64-bit, 66MHz PCI system bus. Available cards are one- or four-port 10/100 Ethernet NICs and Gigabit Ethernet cards with multimode fiber SC ("stick and click") connectors.

The Console Port

The primary mechanism for talking to a PIX is the console port. Older devices have DB9 connectors, the nine-pin D-subminiature connectors found on the back of many PCs. Newer devices use the Cisco-standard RJ45 connector, the same as on Cisco routers and switches. In each case, an appropriate cable is provided with the equipment.

The connection is a null-modem serial link set to 9600bps, 8 data bits, no parity, 1 stop bit (8-N-1), with no flow control. If you are using Windows, a convenient program for talking to a PIX is HyperTerminal, which is provided with most Windows installations under Accessories/Communications. When launching HyperTerminal, configure your connection to connect directly to COM1, as shown in Figure 8.5.


Figure 8.5: Configuring HyperTerminal

The communications parameters then need to be set, as shown in Figure 8.6.


Figure 8.6: Port Communication Properties for HyperTerminal

At this point, you should be connected. Power on your PIX, and you will see the boot process taking place, as shown in Figure 8.7. Your output will differ slightly.

Figure 8.7: Sample Output from Boot Sequence

Figure 8.7 shows an older PIX software image, but the boot output of all models is similar. If you see no output, or the output is garbled, your serial parameters are usually not set correctly. If you are not using the provided cable, make sure it is a null-modem cable and that your parameters match those shown in Figure 8.6.
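The book only shows the HyperTerminal dialogs. The following is an added example, not from the book, of the equivalent setup from a Linux host: it applies the same 9600bps 8-N-1, no-flow-control parameters with stty and then opens the session with cu(1). The device path /dev/ttyUSB0 is an assumption for a USB-to-serial adapter; substitute /dev/ttyS0 or whatever your adapter is enumerated as.

```shell
#!/bin/sh
# Added example (not from the book): open a PIX console session from a Linux
# host with the same serial parameters HyperTerminal is configured with.
# The PIX console expects 9600bps, 8 data bits, no parity, 1 stop bit,
# and no hardware or software flow control.

PIX_CONSOLE_BAUD=9600

# stty settings for 8-N-1 at the PIX console speed with flow control disabled:
#   cs8      8 data bits
#   -parenb  no parity
#   -cstopb  1 stop bit
#   -crtscts no RTS/CTS hardware flow control
#   -ixon -ixoff  no XON/XOFF software flow control
pix_console_stty_settings() {
    echo "$PIX_CONSOLE_BAUD cs8 -parenb -cstopb -crtscts -ixon -ixoff"
}

# Configure the serial device and attach an interactive session.
# Usage: pix_console /dev/ttyUSB0   (device path is an assumption)
pix_console() {
    dev="${1:-/dev/ttyUSB0}"
    if [ ! -c "$dev" ]; then
        echo "pix_console: $dev is not a character device" >&2
        return 1
    fi
    # stty -F is the GNU coreutils form (macOS uses -f). If the PIX output is
    # garbled after this, the cause is almost always a baud or parity mismatch,
    # or a straight-through cable where a null-modem cable is required.
    stty -F "$dev" $(pix_console_stty_settings) || return 1
    # cu(1) from the uucp package; 'screen "$dev" "$PIX_CONSOLE_BAUD"' works too.
    cu -l "$dev" -s "$PIX_CONSOLE_BAUD"
}
```

Power on the PIX after the session is attached and the boot sequence from Figure 8.7 should scroll by; type `~.` to leave cu.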




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240