

need help selecting a PIX 515e

Posted on 2006-10-23
Medium Priority
Last Modified: 2010-04-11
I am looking at purchasing a PIX 515e.
I'm a little awash in the available options. Perhaps someone can help with some advice or informative links. I am looking at Cisco's website so I know what the abbreviations stand for, but I'm not sure which ones I need.

I have a small business with a static IP, a DSL Netopia router, an SBS server and a standard 2003 server.
I need a firewall with VPN capability.
Also DMZ capability would be nice. Not sure if this is only available with DMZ option.
Not sure how licensing and Smartnet support works and if it is necessary.
I would like to host my own website, FTP, and mail server.

Thanks in advance.

Question by:ArkAdmin

Expert Comment

ID: 17790588
The environment you describe doesn't need more than a PIX 506. It will save you some money, and even though it only has an outside and inside interface you can still do DMZ because it supports 2 VLANs on the inside interface:
Of course it supports VPN as well, and everything you need for your above-described setup.
eBay has some great deals. I have had 2 of those running for the past 2 yrs without any issues.

If you insist on the higher-end 515:

You will require DMZ, because it will include an additional interface for that purpose. You don't require FO unless you want to have an active/failover setup, where you need to buy an additional failover PIX firewall. Same thing: you don't require AA unless you want to have an active/active setup, requiring a second PIX as well for load balancing and failover. You might want the UR unrestricted license, but you can probably do without.

Although a restricted PIX typically supports fewer concurrent connections through the firewall, it is not a problem in most cases because even the lower-end restricted PIX 515 will support 50,000 concurrent users.
A restricted PIX typically comes with about half of the RAM of an unrestricted PIX.

DES/3DES option. Depends what type of encryption you need. Most new PIXes are sold with DES encryption only and you can then submit a request to upgrade to 3DES free of charge upon signing their encryption license agreement. This can be done online at www.cisco.com


Author Comment

ID: 17791052
It looks like the 506 will work for me.

How is the 506E different?

How do I know if I need the unrestricted license?

Does the 506 require VPN client licenses? I am looking at a couple new/nearly new and/or refurbed 506s on eBay. Is there anything I need to watch out for regarding licensing, unlocking, etc?


Accepted Solution

instillmotion earned 2000 total points
ID: 17791345
In terms of standalone functionality, you will find the 506E can support pretty much all the same features that a 515 would support. It actually runs the same software, so software functionality is there.
However, the 506 is limited to 2 interfaces, you cannot set it up in a failover scenario, the chassis is smaller, though rack mountable, the power supply outlet is less (heavy duty).
On a PIX 501 or 506 the license is always considered restricted; however, what you want to look for is the DES/3DES encryption:
"Software Licenses
3DES/AES and DES Encryption Licenses
The Cisco PIX 506E Security Appliance has two optional encryption licenses-one license (PIX-506-SW-3DES) enables 168-bit 3DES and up to 256-bit AES encryption, the other license (PIX-VPN-DES) enables 56-bit DES encryption. Both are available either at the time of ordering the Cisco PIX 506E Security Appliance, or can be obtained subsequently through Cisco.com. Note that an encryption license must be installed to activate encryption services which are required before using certain features including VPN and secure remote management."

I would go for the 3DES license as the encryption is a lot more secure than DES.

A good example of a 506 I would purchase is:

In terms of client license, by virtue of owning a PIX you are entitled to use the client software, to my knowledge.
However, if you don't already have access to the software you will not be able to download it from the Cisco website without a support contract.
However, a quick search on Google will find several locations where you can download the latest version, e.g.: http://www1.umn.edu/adcs/help/vpn/

Author Comment

ID: 17791454
Thx for the 101 on the 506E.
I also found the modified rack shelf for the 506 form factor.

Expert Comment

ID: 17791505
You're welcome, thx for the points.
