Which Cisco Firewall and/or Router

I have a client who is replacing their DSL with a multi T1 connection and we want to upgrade from the somewhat unreliable Linksys/D-Link/Netgear type router/firewall to something we can depend on. They have about 70 internal users and 25 external users (some OWA and some Terminal Server), but will probably double this in the next 2 years.

They are receiving a dual T1 connection with a few VOIP phone lines. The telco vendor is providing a Cisco 2600 series router, but we do not have access to the configuration; basically they are providing us with 5 static public IPs off of the 2600 and it is up to us to bring it into our network.

I want to take the Public IPs from the telco and port map them to machines on the local network including Exchange, http, https, ftp, sftp, RDP, and a few others.

From what I understand I don't really need a router, but I do need a firewall. Will a Cisco PIX 506E or 515E do the job or will I need another 2600 series router? What about the Cisco 801, is this a router/firewall combo that will meet my needs (the price is certainly right)?

Do the PIX firewalls allow what I guess would be NAT (not really routing right?) from the outside public IPs through the firewall to the inside private IPs?

Is the Cisco SmartNet warranty service worth the expense?

Thanks EE

My recommendation would be the PIX515E - Restricted license version. If the 506E is all you can afford, that would be my second choice.
Without the SmartNet service you can't get updates to the OS, you can only get bug-fixed versions, not the "latest and greatest", but yes, either will do everything you want and tons more (like VPNs).


bluefinger (Author) commented:

Would you consider this statement basically true?

"Do the PIX firewalls allow what I guess would be NAT (not really routing right?) from the outside public IPs through the firewall to the inside private IPs?"

Is your preference for the PIX515E based on expandability or upgradeability?


I have a 506E that I'm using for VPN connections, and to be honest, other than a VPN router, I don't like it all that much.  PDM Management utility has a long way to go in terms of usability, and a lot of times the PDM will contradict what you're trying to do if you enter CLI commands.  If you aren't doing anything complicated other than NAT/port forwarding, I'd go with something similar and much much cheaper.  The Netgear FVL328 comes to mind: http://www.netgear.com/products/details/FVL328.php  We have the 318, and it just works so much nicer than the PIX.  I'm sure the PIX works great in certain circumstances, but if your configuration varies AT ALL from the norm, things get complicated quickly.  The PIX was designed to be more of a firewall, with SPI and IDS rather than a router.

>"Do the PIX firewalls allow what I guess would be NAT (not really routing right?) from the outside public IPs through the firewall to the inside private IPs?"
Yes. Absolutely. Not all firewalls can allow you to use multiple public IPs mapped to multiple internal IPs.

I like the 515E for several reasons. Expandability is #1. It comes in a 6 interface model that is ideal for creating multiple DMZs, or a 3 interface model for just one DMZ (can expand to 6 later if you want). Its form is a 19" rack mount, where the 506E sits on a shelf (about the size of a hefty hardback novel). The 506 only has 2 interfaces and you cannot expand any further. The 515E can be upgraded to add a second unit for seamless failover; the 506 cannot.
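
The mapping of several public IPs to inside hosts discussed above, sketched as PIX 6.x configuration. This is an added example, not part of the thread or any poster's configuration; every address (documentation ranges 203.0.113.0/29, 198.51.100.0/24 and 192.168.1.0/24), the access-list name `outside_in` and the host roles are assumptions.

```cisco
: Constructed example. Assumed addressing: telco 2600 at 203.0.113.1,
: PIX outside at 203.0.113.2, remaining public IPs .3-.6, inside LAN 192.168.1.0/24.
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
: Outbound traffic from inside users is port-translated to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
: Static port translations: one public IP and port per published service.
: 192.168.1.10 = mail/OWA host, .11 = web host, .20 = Terminal Server (all assumed).
static (inside,outside) tcp 203.0.113.3 smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.3 https 192.168.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.4 www 192.168.1.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.5 3389 192.168.1.20 3389 netmask 255.255.255.255 0 0
: A static alone passes nothing inbound; each service also needs an explicit permit
: in the ACL bound to the outside interface.
access-list outside_in permit tcp any host 203.0.113.3 eq smtp
access-list outside_in permit tcp any host 203.0.113.3 eq https
access-list outside_in permit tcp any host 203.0.113.4 eq www
: RDP is permitted only from an assumed remote-office range instead of "any".
access-list outside_in permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.5 eq 3389
access-group outside_in in interface outside
```

The ACL matches on the translated (public) address, and anything not listed is dropped by the implicit deny at the end of `outside_in`.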

You can make a good DMZ and cover it with an "IDS" that can make your thing work.
Then the point of PIX is fine, that is really good, so that you can make a shell for NAT.

The provider's router should be able to do NAT for you, just tell them which of the public IPs they are providing will be in the pool and which will be statically configured on your network.  Put the change request in and you're done.  If they push back on that, you're getting very poor service.  