cisco pix firewall and asa models

Cisco PIXs come in all sizesfrom small office/home office SOHO models to large enterprise or service provider models.. In general, you can classify the PIX or ASA products into three sol

Cisco PIX Firewall and ASA Models

To implement a Cisco PIX or ASA in a given network, you need only purchase the PIX

or ASA hardware and software from Cisco Cisco PIXs come in all sizesfrom small office/home office (SOHO) models to large enterprise or service provider models The trick is to know what size PIX or ASA is appropriate for your network In general, you can classify the PIX or ASA products into three solutions:

• SOHO solution

• Medium- to large-office solution

• Enterprise office and service provider solution

SOHO Solution

The PIX 501 is the model designed for the SOHO market and comes with a built-in four-port switch The PIX 501 is primarily intended for offices of fewer than 10 internal users (although it can be licensed for 10, 50, or unlimited users) and for use as the termination point for a single VPN connection, typically to a central office or a small number of remote clients The next model up is the PIX 506E, which is designed for the small

office/remote office market and comes with two Fast Ethernet ports The PIX 506E is primarily intended for offices of fewer than 100 internal users and for use as the

termination point of no more than 25 VPN connections (either remote users or remote office connections) Both the PIX 501 and 506E can only run PIX software in the 6.x code branch (latest version is 6.3(5) at the time of this writing)

Medium- to Large-Office Solution

The first model designed for medium-sized to large offices is the PIX 515E This model comes in a 1U form factor with two built-in Fast Ethernet ports and two PCI expansion slots that can accommodate additional Fast Ethernet ports or an optional VPN

acceleration card (VAC) (this is standard on unrestricted, failover [active/passive] and failover [active/active] models) The PIX 515E can be used simultaneously to terminate

up to 2000 VPN tunnels (either terminating connections from remote locations or remote users) The PIX 515E can also be configured to support active/active and active/passive failover and redundancy for high-availability requirements It is difficult to quantify users that a PIX 515E can support Instead, the performance of the PIX 515E (and larger

firewalls) is quantified in throughput and concurrent connections The PIX 515E supports

a cleartext throughput of 190 Mbps and 130,000 concurrent connections

The medium- to large-office market is also the market segment that the Cisco ASA is initially targeted at Both the ASA 5510 and the ASA 5510 Security Plus are effective

solutions The ASA 5510 Security Plus product is essentially a software upgrade that permits more users, network interfaces, and VLANs, and that introduces high availability

to the ASA 5510 The ASA 5510 supports three Fast Ethernet ports (five with the

Security Plus) The ASA 5510 supports a cleartext throughput of 300 Mbps and 50,000 concurrent connections; the ASA 5510 Security Plus increased the concurrent

connections to 130,000 (throughput remains the same)

Enterprise Office and Service Provider Solution

The next two models of the PIX firewall are designed specifically for large enterprises and service providers: the PIX 525 and 535 The 525 is produced in a 2U form factor and can accommodate up to ten Fast Ethernet or two Fast Ethernet and three Gigabit Ethernet interfaces The PIX 535 also comes in a 2U form factor and can accommodate 14 Fast Ethernet or 9 Gigabit Ethernet interfaces Both models provide all manner of

high-availability functionality such as zero-downtime upgrade and VPN stateful failover as well as all the features of previous PIX models The PIX 525 supports a cleartext

throughput of 330 Mbps and 280,000 concurrent connections The PIX 535 supports a cleartext throughput of 1.7 Gbps and 500,000 concurrent connections

For the ASA, the ASA 5520 and 5540 were designed with the enterprise and service provider market in mind Both build upon the basic features of the ASA 5510 and support

4 10/100/1000 and 1 10/100 interfaces The ASA 5520 and 5540 also support a greater number of VLANs and the use of security contexts (if licensed) The ASA 5520 supports

a cleartext throughput of 450 Mbps and 280,000 concurrent connections; the ASA 5540 supports a cleartext throughput of 650 Mbps and 400,000 concurrent connections

Note

Because of the fundamental similarities between the PIX and ASA in the context of firewall functionality, the remainder of this chapter uses the term PIX to refer to both PIX and ASA functionality and features for simplicities sake In cases where there is

something unique about the ASA, it will be called out individually