
need help selecting a PIX 515e

Last Modified: 2010-04-11
I am looking at purchasing a PIX 515e.
I'm a little awash in the available options. Perhaps someone can help with some advice or informative links. I am looking at Cisco's website so I know what the abbreviations stand for, but I'm not sure which ones I need.

I have a small business with a static IP, a DSL Netopia router, a SBS server and a standard 2003 server.
I need a firewall with VPN capability.
Also DMZ capability would be nice. Not sure if this is only available with DMZ option.
Not sure how licensing and Smartnet support works and if it is necessary.
I would like to host my own website, FTP, and mail server.

Thanks in advance.

FO
FE
BUN
AA
R/UR
DMZ
DC
DES

Yves Accad, Network Security Engineer
CERTIFIED EXPERT

Commented:
The environment you describe doesn't need more than a PIX 506. It will save you some money, and even though it only has an outside and inside interface you can still do DMZ because it supports 2 VLANs on the inside interface:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b13.html
Of course it supports VPN as well, and everything you need for your above-described setup.
eBay has some great deals. I have had 2 of those running for the past 2 yrs without any issues.

If you insist on the higher end 515.

You will require DMZ, because it will include an additional interface for that purpose. You don't require FO unless you want to have an active/failover setup, where you need to buy an additional failover PIX firewall. Same thing: you don't require AA unless you want to have an active/active setup, requiring a second PIX as well for load balancing and failover. You might want the UR unrestricted license, but you can probably do without.

Although a restricted PIX typically supports fewer concurrent connections through the firewall, it is not a problem in most cases because even the lower-end restricted PIX 515 will support 50,000 concurrent users.
A restricted PIX typically comes with about half of the RAM of an unrestricted PIX.

DES/3DES option. Depends what type of encryption you need. Most new PIXes are sold with DES encryption only and you can then submit a request to upgrade to 3DES free of charge upon signing their encryption license agreement. This can be done online at www.cisco.com.





Author

Commented:
It looks like the 506 will work for me.

How is the 506E different?

How do I know if I need the unrestricted license?

Does the 506 require VPN client licenses? I am looking at a couple new/nearly new and/or refurbed 506's on eBay. Is there anything I need to watch out for regarding licensing, unlocking, etc?

Thanks.
Network Security Engineer
CERTIFIED EXPERT
Commented:
In terms of standalone functionality, you will find the 506E can support pretty much all the same features that a 515 would support. It actually runs the same software, so software functionality is there.
However, the 506 is limited to 2 interfaces, you cannot set it up in a failover scenario, the chassis is smaller, though rack mountable, and the power supply outlet is less (heavy duty).
On a PIX 501 or 506 the license is always considered restricted; however, what you want to look for is the DES/3DES encryption:
"Software Licenses
3DES/AES and DES Encryption Licenses
The Cisco PIX 506E Security Appliance has two optional encryption licenses-one license (PIX-506-SW-3DES) enables 168-bit 3DES and up to 256-bit AES encryption, the other license (PIX-VPN-DES) enables 56-bit DES encryption. Both are available either at the time of ordering the Cisco PIX 506E Security Appliance, or can be obtained subsequently through Cisco.com. Note that an encryption license must be installed to activate encryption services which are required before using certain features including VPN and secure remote management."

I would go for the 3DES license as the encryption is a lot more secure than DES.

A good example of a 506 I would purchase is:
http://cgi.ebay.com/Cisco-PIX-506-3DES-FIREWALL-64MB-UNLIMITED-6-3-5-501_W0QQitemZ130039564220QQihZ003QQcategoryZ64019QQssPageNameZWDVWQQrdZ1QQcmdZViewItem

In terms of client license, by virtue of owning a PIX you are entitled to use the client software, to my knowledge.
However, if you don't already have access to the software you will not be able to download it from the Cisco website without a support contract.
However, a quick search on Google will find several locations where you can download the latest version, i.e.: http://www1.umn.edu/adcs/help/vpn/


Author

Commented:
Thx for the 101 on 506E.
I also found the modified rack shelf for the 506 form factor.
Yves Accad, Network Security Engineer
CERTIFIED EXPERT

Commented:
You're welcome, thx for the points.