© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—4-1 Lesson 4 Cisco PIX Firewall Family

Cisco PIX Firewall Family



Objectives


Upon completion of this lesson, you will be able to perform the following tasks:

• Identify the PIX Firewall models.

• Describe the key features of the PIX 501, 506E, 515E, 525, and 535 Firewall.

• Identify the PIX 501, 506E, 515E, 525, and 535 Firewall controls, connectors, and LEDs.

• Identify the PIX 501, 506E, 515E, 525, and 535 Firewall interfaces.

• Identify the PIX Firewall expansion cards.

• Explain the PIX Firewall licensing options.


Objectives (Cont.)

• Describe the key features of the Firewall Services Module for the Cisco Catalyst 6500 Series Switch and the Cisco 7600 Series Internet Router.

• Identify the switch and router slots in which the Firewall Services Module can be installed.

• Identify and describe LEDs that display the status of the Firewall Services Module.


PIX Firewall Models


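PIX Firewall Family

[Figure: PIX Firewall models plotted by price against functionality. Market segments: SOHO, ROBO, SMB, Enterprise, SP. Models: PIX Firewall 501, PIX Firewall 506E, PIX Firewall 515E, PIX Firewall 525, PIX Firewall 535. Additional label: Gigabit Ethernet.]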


PIX Firewall 501

• Designed for small offices and teleworkers

• 7500 concurrent connections

• 60-Mbps clear text throughput

• 16-Mbps SDRAM

• Supports one 10/100BASE-T* Ethernet interface (outside) and a 4-port 10/100 switch (inside)

• VPN throughput

– 3-Mbps 3DES

– 4.5-Mbps 128-bit AES

• 10 simultaneous VPN peers

*100BASE-T speed option is available in release 6.3.


PIX Firewall 501—Front Panel LEDs

VPN tunnel

Power

100 Mbps

Link/act


PIX Firewall 501—Back Panel

Security lock slot

Power connector

10/100BASE-T (RJ-45)

Console port (RJ-45)

4-port 10/100 switch (RJ-45)


PIX Firewall 506E

• Designed for small and remote offices

• 25,000 concurrent connections

• 100-Mbps clear text throughput

• 32-MB RAM

• Supports two interfaces (10/100BASE-T)*

• VPN throughput

– 17-Mbps 3DES

– 30-Mbps 128-bit AES

• 25 simultaneous VPN peers

*100BASE-T speed option is available in release 6.3 for 506E only.


PIX Firewall 506E—Front Panel LEDs

Network LED

Active LED

Power LED


PIX Firewall 506E—Back Panel

LINK LED

Console port (RJ-45)

Power switch

ACT(ivity) LED

10/100BASE-T (RJ-45)

10/100BASE-T (RJ-45)

ACT(ivity) LED

LINK LED

USB port


PIX Firewall 515E

• Designed for small to medium businesses

• 130,000 concurrent connections

• 188-Mbps clear text throughput

• 32/64-MB RAM

• Supports six interfaces

• Supports failover

• VPN throughput

– 140-Mbps 3DES (VAC+)

– 140-Mbps 256-bit AES (VAC+)

• 2,000 IPSec tunnels


PIX Firewall 515E—Front Panel LEDs

Network LED

Power LED

Active failover firewall


PIX Firewall 515E—Back Panel

Expansion slots Fixed interfaces


PIX Firewall 515E—Fixed Interface Connectors

Failover connector

FDX LED

LINK LED

100 Mbps LED

FDX LED

Console port (RJ-45)

10/100BASE-T Ethernet 1 (RJ-45)

Power switch

LINK LED

100 Mbps LED

10/100BASE-TX Ethernet 0 (RJ-45)

LINK LED


PIX Firewall 515E—Expansion Slot Option Cards

Fast Ethernet: 1FE, 4FE-66

VPN Accelerator: VAC, VAC+

Expansion Slots


PIX Firewall 515E—FE Card Port Numbering

• PIX Firewall 515E option cards require the UR license.

Single-port card

Quad-port card


PIX Firewall 525

• Designed for enterprise

• 280,000 concurrent connections

• 330-Mbps clear text throughput

• 128/256-MB RAM

• Supports eight interfaces

• Supports failover

• VPN throughput

– 155-Mbps 3DES (VAC+)

– 170-Mbps 256-bit AES (VAC+)

• 2,000 IPSec tunnels


PIX Firewall 525—Front Panel LEDs

Power LED

Active LED


PIX Firewall 525—Back Panel

Expansion slots Fixed interfaces


PIX Firewall 525—Fixed Interface Connectors

100 Mbps LED

ACT(ivity) LED

ACT(ivity) LED

LINK LED

LINK LED

Failover connection

10/100BASE-TX Ethernet 1 (RJ-45)

USB port

Console port (RJ-45)

10/100BASE-TX Ethernet 0 (RJ-45)


PIX Firewall 525—Expansion and VAC Cards

VPN Accelerator card

Gigabit Ethernet card

Fast Ethernet cards


PIX Firewall 535

• Designed for enterprise and service providers

• 500,000 concurrent connections

• 1.7-Gbps clear text throughput

• 1-GHz Intel Pentium III processor

• 512/1000-MB RAM

• Maximum of 10 interfaces

• Supports failover

• VPN throughput

– 440-Mbps 3DES (VAC+)

– 440-Mbps 256-bit AES (VAC+)

• 2,000 IPSec tunnels


PIX Firewall 535—Front Panel LEDs

Power ACT


PIX Firewall 535—Back Panel

Bus 1, Bus 0 (64-bit/66-MHz)

Bus 2 (32-bit/33-MHz)

Slots 3 2 1 0

Slots 8 7 6 5 4

Console RJ-45

USB port

DB-15 failover


PIX Firewall 535—Option Cards

Gigabit Ethernet: 1GE, 1GE-66

Fast Ethernet: 1FE, 4 FE (EOS), 4FE-66

VPN Accelerator: VAC, VAC+


PIX Firewall 535—Back Panel

DB-15 failover

Slot 8

Slot 7

Slot 6

Slot 5

Slot 4

Slot 3

Slot 2

Slot 1

Slot 0

Console RJ-45

USB port


PIX Firewall Licensing


License Types

• Unrestricted—Allows installation and use of the maximum number of interfaces and RAM supported by the platform

• Restricted—Limits the number of interfaces supported and the amount of RAM available within the system

• Failover—Places the PIX Firewall in a failover mode for use alongside another PIX Firewall with an unrestricted license

Applies to PIX Firewall 515/515E, 525, and 535


PIX Firewall 515E, 525, and 535—License Comparison Table

Maximum accounts for the requirement of two physical interfaces and maximum number of VLANs in any PIX Firewall.

Model                 515E    525    535

Restricted
  Maximum physical    3       6      8
  Maximum VLANs       3       4      6
  Maximum             5       6      8
  RAM (MB)            32      128    512

Unrestricted
  Maximum physical    6       8      10
  Maximum VLANs       8       10     22
  Maximum             10      12     24
  RAM (MB)            64      256    1,000


VPN Encryption License

• DES license

– Provides 56-bit DES

• 3DES/AES license

– Provides 168-bit 3DES

– Provides up to 256-bit AES

Applies to PIX Firewall Family


Firewall Services Module


FWSM

• Designed for high-end enterprise and service providers

• Runs in Cisco Catalyst 6500 Series switches and 7600 Series routers

• Based on PIX Firewall technology

• PIX Firewall 6.0 feature set (some 6.2)

• 1 million simultaneous connections

• Over 100,000 connections per second

• 5-Gbps throughput

• 1-GB DRAM

• Supports 100 VLANs

• Supports failover


FWSM in the Catalyst 6500 Switch

Supervisor engine

Redundant supervisor engine

Switching modules

Fan assembly

Power supply 1

Power supply 2

ESD ground strap connector

FWSM


FWSM in the Cisco 7609 Internet Router

OSMs

Redundant supervisor engine

FWSM

Fan assembly

Power supply 1

Power supply 2

Switch Fabric Module

Supervisor engine

Redundant Switch Fabric Module

ESD ground strap connection

Slots 1-9 (right to left)


Summary


• There are currently five PIX Firewall models in the 500 series: 501, 506E, 515E, 525, and 535.

• The PIX Firewall models 501, 506E, 515E, 525, and 535 come equipped with Ethernet connections, console connections, and intuitive LEDs.

• PIX Firewall models 515E, 525, and 535 support failover.

• Your PIX Firewall license determines the PIX Firewall's level of service in your network and the number of interfaces it supports.


Summary (Cont.)

• Restricted, unrestricted, and failover licenses are available for PIX Firewall models 515E, 525, and 535.

• Based on PIX Firewall technology, the Firewall Services Module for the Cisco Catalyst 6500 Switches and Cisco 7600 Series Internet Routers provides an alternative to the PIX Firewall appliance.

• FWSM supports the PIX Firewall Software Release 6.0 feature set as well as some of the 6.2 feature set.

• FWSM delivers multigigabit throughput and 1 million concurrent connections.