Cisco PIX or Cisco Firewall Software

Posted on 2003-03-28
Medium Priority
Last Modified: 2010-04-12
We are about to put a firewall into our network to replace an existing one.  We have a Cisco 2620 and are trying to decide whether to upgrade the 2620 with memory and the BIOS and put the Cisco Firewall package onto it, or get a PIX 506.

Does anyone have any suggestions for either?  Downsides/upsides?
Question by:atwist

Accepted Solution

lrmoore earned 200 total points
ID: 8229452
Personal preference, but the PIX was built ground up as a firewall, and does it very well. 2620 was designed as a router, and does it very well. Putting the firewall feature set on top of the router still does not get you the full capabilities of the PIX appliance.
How many users do you have? If more than 50, I would seriously consider the 515E Restricted.

Expert Comment

ID: 8232175
Here is my 2 cents' worth.

Let the router do routing, and the firewall do firewalling and vpn stuff.

The PIX 506 only has 10mb interfaces, and your 2620 will have 100mb interfaces.  Have you considered a 515? They are also more scalable and can have hardware VPN acceleration cards installed; also, you could go bigger and implement a DMZ.

The 506 is a really good remote point builder, but for your central hub it is limited.

I would recommend a 515 or a 535 if you have the budget, but if you can only afford the 506 it is better than nothing.


Author Comment

ID: 8234452
We have right at 50 users on our network at the moment.

Expert Comment

ID: 8234485
If your budget will permit, go with the 515. It is expandable to add a DMZ interface, is much more powerful than the 506, and you can add a failover firewall in the future if you need it. The 506 is a set configuration. You can take advantage of the VPN capabilities of the PIX also to set it up as a VPN termination for IPSEC and/or PPTP VPN connections.
Suggestion. To provide a more complete security package, be sure to enable logging to a syslog server for both the screening router, and the firewall.
Free syslog server: http://www.kiwisyslog.com


Question has a verified solution.
