Cisco PIX Firewall Family

1 Cisco PIX Firewall Family
Lesson 4 Cisco PIX Firewall Family

2 Objectives

3 Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
- Identify the PIX Firewall models.
- Describe the key features of the PIX 501, 506E, 515E, 525, and 535 Firewalls.
- Identify the PIX 501, 506E, 515E, 525, and 535 Firewall controls, connectors, and LEDs.
- Identify the PIX 501, 506E, 515E, 525, and 535 Firewall interfaces.
- Identify the PIX Firewall expansion cards.
- Explain the PIX Firewall licensing options.

4 Objectives (Cont.)
- Describe the key features of the Firewall Services Module for the Cisco Catalyst 6500 Series Switch and the Cisco 7600 Series Internet Router.
- Identify the switch and router slots in which the Firewall Services Module can be installed.
- Identify and describe the LEDs that display the status of the Firewall Services Module.

5 PIX Firewall Models

6 PIX Firewall Family
Cisco's family of PIX Firewalls delivers excellent price-performance in stackable and rackable form factors for the wiring closet. The family includes inexpensive standalone firewalls as well as modular, flexible chassis systems that offer extensive scalability, reliability, and value-added features addressing multiple aspects of network security.
[Chart: price versus functionality. The PIX Firewall 501, 506E, 515E, 525, and 535 are placed from low to high, with the market segments SOHO, ROBO, SMB, Enterprise, and SP along the functionality axis and a Gigabit Ethernet marker.]

7 PIX Firewall 501 Designed for small offices and teleworkers
- 7,500 concurrent connections
- 60-Mbps clear text throughput
- 16-MB SDRAM
- Supports one 10/100BASE-T* Ethernet interface (outside) and a 4-port 10/100 switch (inside)
- VPN throughput: 3-Mbps 3DES, 4.5-Mbps 128-bit AES
- 10 simultaneous VPN peers
*100BASE-T speed option is available in release 6.3.

8 PIX Firewall 501—Front Panel LEDs
LEDs: Power, Link/act, 100 Mbps, VPN tunnel

9 PIX Firewall 501—Back Panel
Callouts: 4-port 10/100 switch (RJ-45), Console port (RJ-45), Security lock slot, 10/100BASE-T (RJ-45), Power connector

10 PIX Firewall 506E Designed for small and remote offices
- 25,000 concurrent connections
- 100-Mbps clear text throughput
- 32-MB RAM
- Supports two interfaces (10/100BASE-T)*
- VPN throughput: 17-Mbps 3DES, 30-Mbps 128-bit AES
- 25 simultaneous VPN peers
*100BASE-T speed option is available in release 6.3 for the 506E only.

11 PIX Firewall 506E—Front Panel LEDs
LEDs: Network, Power, Active

12 PIX Firewall 506E—Back Panel
Callouts: ACT(ivity) LED (x2), LINK LED (x2), Power switch, 10/100BASE-T (RJ-45) (x2), USB port, Console port (RJ-45)

13 PIX Firewall 515E Designed for small to medium businesses
- 130,000 concurrent connections
- 188-Mbps clear text throughput
- 32/64-MB RAM
- Supports six interfaces
- Supports failover
- VPN throughput: 140-Mbps 3DES (VAC+), 140-Mbps 256-bit AES (VAC+)
- 2,000 IPSec tunnels

14 PIX Firewall 515E—Front Panel LEDs
LEDs: Network, Power, Active (lit on the active failover firewall)

15 PIX Firewall 515E—Back Panel
Callouts: Expansion slots, Fixed interfaces

16 PIX Firewall 515E—Fixed Interface Connectors
Callouts (as labelled on the slide): 100 Mbps LED, 100 Mbps LED, Failover connector, LINK LED, LINK LED, FDX LED, LINK LED, FDX LED, 10/100BASE-T Ethernet 1 (RJ-45), 10/100BASE-TX Ethernet 0 (RJ-45), Console port (RJ-45), Power switch
Notes, restrictions, and instructions for configuring the inside and outside network ports:
- Any change to an interface can affect many PIX Firewall commands. If you change an interface's IP address or security level, use the clear xlate command to purge the existing translation and connection data.
- On the PIX 515 and PIX 525 you do not have to use ETHERNET 0 for the outside network port and ETHERNET 1 for the inside network port; any of the fixed or expansion ports can be configured as the inside or outside port. The outside network port must still be set to security level 0 (zero) and the inside network port to security level 100.
- This revision does not change the rules for port numbering. Refer to the Installation Guide for the Cisco PIX Firewall Version 5.2 for a description of how ports are numbered on the different PIX Firewall models.
- For backward compatibility, the default configuration still shows Ethernet port 0 as the outside port and Ethernet port 1 as the inside port. Use the nameif command to assign unique names to the ports you want to configure as the inside and outside ports.

17 PIX Firewall 515E—Expansion Slot Option Cards
Expansion slot option cards: Fast Ethernet (1FE, 4FE-66) and VPN Accelerator (VAC, VAC+)

18 PIX Firewall 515E—FE Card Port Numbering
Single-port card; quad-port card. PIX Firewall 515E option cards require the UR license.

19 PIX Firewall 525 Designed for enterprise
- 280,000 concurrent connections
- 330-Mbps clear text throughput
- 128/256-MB RAM
- Supports eight interfaces
- Supports failover
- VPN throughput: 155-Mbps 3DES (VAC+), 170-Mbps 256-bit AES (VAC+)
- 2,000 IPSec tunnels

20 PIX Firewall 525—Front Panel LEDs
LEDs: Power, Active

21 PIX Firewall 525 Back Panel
Callouts: Expansion slots, Fixed interfaces

22 PIX Firewall 525—Fixed Interface Connectors
Callouts: ACT(ivity) LED (x2), 100 Mbps LED, Failover connection, LINK LED (x2), 10/100BASE-TX Ethernet 1 (RJ-45), USB port, 10/100BASE-TX Ethernet 0 (RJ-45), Console port (RJ-45)

23 PIX Firewall 525—Expansion and VAC Cards
Cards: VPN Accelerator card, Gigabit Ethernet card, Fast Ethernet cards

24 PIX Firewall 535 Designed for enterprise and service providers
- 500,000 concurrent connections
- 1.7-Gbps clear text throughput
- 1-GHz Intel Pentium III processor
- 512/1000-MB RAM
- Maximum of 10 interfaces
- Supports failover
- VPN throughput: 440-Mbps 3DES (VAC+), bit AES (VAC+)
- 2,000 IPSec tunnels

25 PIX Firewall 535—Front Panel LEDs
LEDs: Power, ACT

26 PIX Firewall 535—Back Panel
Callouts: DB-15 failover, Slots, Bus 2 (32-bit/33-MHz), Bus 0 (64-bit/66-MHz), Console RJ-45, USB port
The slots and buses are configured as follows:
- Slots 0 and 1: 64-bit/66 MHz Bus 0
- Slots 2 and 3: 64-bit/66 MHz Bus 1
- Slots 4 to 8: 32-bit/33 MHz Bus 2
For optimum performance and throughput of the interface circuit boards, follow these guidelines:
- PIX-1GE-66 (66 MHz) circuit boards can be installed in any slot, but should be installed in the 64-bit/66 MHz buses first. Up to eight PIX-1GE-66 circuit boards can be installed.
- The FE circuit board (33 MHz) can be installed in any bus or slot (32-bit/33 MHz or 64-bit/66 MHz).
- The four-port FE circuit board should only be installed in the 32-bit/33 MHz bus.
- Do not mix 33 MHz circuit boards with 66 MHz GE circuit boards on the same 64-bit/66 MHz bus (Bus 0 or Bus 1); the overall speed of the bus is reduced to that of the slower circuit board.
- The VPN Accelerator should only be installed in the 32-bit/33 MHz bus.
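The slot and bus guidelines above are easy to get wrong when a chassis is populated by hand, and a mistake silently costs throughput rather than failing loudly. The following Python script is an added example, not Cisco's tooling or code from the lesson: it encodes the slot-to-bus mapping and the card names from the slide (1GE-66, 1FE, 4FE, VAC, VAC+) as data and reports every guideline a proposed layout violates. The two sample layouts at the bottom are constructed for illustration.

```python
"""Check a proposed PIX 535 option-card layout against the slot and bus
guidelines from the slide. The slot-to-bus mapping and card names come from
the slide; the two sample layouts at the bottom are constructed for this
example and do not describe any real chassis."""
from typing import Dict, List

# Slot number -> (bus number, bus clock in MHz), as listed on the slide:
# slots 0-1 on Bus 0 and 2-3 on Bus 1 (64-bit/66 MHz), slots 4-8 on Bus 2 (32-bit/33 MHz).
SLOT_BUS = {0: (0, 66), 1: (0, 66), 2: (1, 66), 3: (1, 66),
            4: (2, 33), 5: (2, 33), 6: (2, 33), 7: (2, 33), 8: (2, 33)}

# Card -> (card clock in MHz, must it sit on the 32-bit/33 MHz bus?)
# The 4-port FE card and the VPN Accelerator are restricted to Bus 2;
# the single-port FE card may go on any bus.
CARDS = {"1GE-66": (66, False), "1FE": (33, False), "4FE": (33, True),
         "VAC": (33, True), "VAC+": (33, True)}

FAST_SLOTS = (0, 1, 2, 3)  # the 64-bit/66 MHz slots


def check_layout(layout: Dict[int, str]) -> List[str]:
    """Return a list of guideline violations for a {slot: card} layout (empty = OK)."""
    problems: List[str] = []
    if sum(1 for card in layout.values() if card == "1GE-66") > 8:
        problems.append("more than eight 1GE-66 boards installed")

    clocks_on_bus: Dict[int, set] = {}
    for slot, card in sorted(layout.items()):
        if slot not in SLOT_BUS:
            problems.append(f"slot {slot} does not exist on the PIX 535")
            continue
        if card not in CARDS:
            problems.append(f"unknown card type {card!r} in slot {slot}")
            continue
        bus, _ = SLOT_BUS[slot]
        clock, bus2_only = CARDS[card]
        if bus2_only and bus != 2:
            problems.append(f"{card} in slot {slot} must be installed on the 32-bit/33 MHz bus (slots 4-8)")
        clocks_on_bus.setdefault(bus, set()).add(clock)

    # Mixing a 33 MHz board with a 66 MHz GE board on Bus 0 or 1 slows the whole bus.
    for bus in (0, 1):
        if clocks_on_bus.get(bus) == {33, 66}:
            problems.append(f"bus {bus} mixes 33 MHz and 66 MHz boards; the bus will run at 33 MHz")

    # GE boards should fill the 64-bit/66 MHz slots before spilling onto Bus 2.
    free_fast = [s for s in FAST_SLOTS if s not in layout]
    for slot, card in sorted(layout.items()):
        if card == "1GE-66" and slot in SLOT_BUS and SLOT_BUS[slot][0] == 2 and free_fast:
            problems.append(f"1GE-66 in slot {slot} should use free 64-bit/66 MHz slot {free_fast[0]} first")
    return problems


# Constructed sample layouts (not from the lesson).
GOOD_LAYOUT = {0: "1GE-66", 1: "1GE-66", 4: "4FE", 5: "VAC+"}
BAD_LAYOUT = {0: "1GE-66", 1: "1FE", 2: "VAC+", 4: "1GE-66"}

if __name__ == "__main__":
    for name, layout in (("good", GOOD_LAYOUT), ("bad", BAD_LAYOUT)):
        print(name, check_layout(layout) or ["no problems"])
```

The "should" guidelines (GE boards on the fast buses first) are reported alongside the hard restrictions (4FE and VPN Accelerator only on Bus 2, no clock mixing on Bus 0 or 1), so the output is a checklist to review rather than a pass/fail gate; drop the last loop if only hard rules should block a build.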

27 PIX Firewall 535—Option Cards
Option cards: Gigabit Ethernet (1GE, 1GE-66), Fast Ethernet (1FE, 4FE-66, 4FE (EOS)), VPN Accelerator (VAC, VAC+)

28 PIX Firewall 535—Back Panel
Callouts: DB-15 failover, USB port, Console RJ-45, slot labels 8, 6, 4, 2, 1, 7, 5, 3, 0

29 PIX Firewall Licensing

30 License Types
- Unrestricted: allows installation and use of the maximum number of interfaces and RAM supported by the platform.
- Restricted: limits the number of interfaces supported and the amount of RAM available within the system.
- Failover: places the PIX Firewall in failover mode for use alongside another PIX Firewall with an unrestricted license.
Applies to the PIX Firewall 515/515E, 525, and 535.

31 PIX Firewall 515E, 525, and 535—License Comparison Table
Table (columns: 515E, 525, 535; cell values as extracted from the slide, some rows incomplete):
Restricted: Maximum physical 3 / 6 / 8; Maximum VLANs 4; Maximum 5; RAM 32 / 128 / 512
Unrestricted: Maximum physical / Maximum VLANs / Maximum: 10 22 12 24; RAM 64 / 256 / 1,000
Definitions:
- Physical port: a port such as "ethernet0", "ethernet1", "fastethernet0", etc.
- Layer 3 interface: an interface that has a name, IP address, and security level and can be used to apply security policies such as ACL, NAT, AAA, etc. It includes native interfaces and VLAN (logical) interfaces, defined below.
- Native interface: a kind of layer 3 interface. It is the default layer 3 interface that the PIX assigns to a hardware port. On an out-of-the-box four-port PIX, for example, there are four native interfaces: "outside" on ethernet0, "inside" on ethernet1, "intf2" on ethernet2, and "intf3" on ethernet3. A native interface exists by default; it can be modified but cannot be deleted.
- VLAN interface: a kind of layer 3 interface. VLAN packets can be delivered to different layer 3 interfaces based on their VLAN ID. An administrator can create and remove VLAN interfaces at runtime.
- Logical interface: this document does not use this term, but since it is a popular term elsewhere it is defined here to avoid confusion. A logical interface is an interface that can be created or removed by an administrator. In EDCS, it is used interchangeably with VLAN interface.
The syntax of the VLAN-related commands is:
[no] vlan add <vlan_id> <hardware_id>
[no] vlan assign <vlan_id> <hardware_id>
[no] vlan shutdown <vlan_id>
nameif {<hardware_id>|vlan<vlan_id>} <interface name> security<level>
Use the "[no] vlan add" command to create or remove a VLAN interface. A given VLAN can be defined on one and only one physical port; once a VLAN is defined, attempts to configure the same VLAN on another physical interface fail. Usually untagged packets are delivered to the native interface. However, you can assign a VLAN ID to the native interface using the "vlan assign" command shown above. This is used to tag failover messages without introducing a VLAN or logical interface; once configured, untagged packets are dropped. The Maximum row accounts for the requirement of two physical interfaces plus the maximum number of VLANs on any PIX Firewall.
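The interface rules stated in this lesson (slide 16's notes on the nameif command and security levels, and the VLAN constraints above) are the kind of thing worth checking mechanically before a configuration is pushed. The following Python script is an added example and is not Cisco's code or part of the lesson: it parses the nameif, vlan add, and ip address lines of a PIX 6.x-style configuration, reports an outside port not at security0, an inside port not at security100, a VLAN added on more than one physical port, or a duplicate interface name, and lists the interfaces whose IP address or security level changed between two configurations so that clear xlate is not forgotten. The check that a vlan<N> hardware id was created with "vlan add" first is an assumption of this example, and the two sample configurations are constructed.

```python
"""Audit a PIX 6.x-style interface configuration against the rules stated in
the lesson: the port named outside at security0, the port named inside at
security100, each VLAN defined on exactly one physical port, unique interface
names, and a `clear xlate` reminder whenever an interface's IP address or
security level changes between two versions of the configuration. The
command syntax follows the slides; the sample configurations at the bottom are
constructed for this example and are not from the lesson."""
import re
from typing import Dict, List, Optional, Tuple

NAMEIF_RE = re.compile(r"^nameif\s+(\S+)\s+(\S+)\s+security(\d+)$")
VLAN_ADD_RE = re.compile(r"^vlan add\s+(\d+)\s+(\S+)$")
IP_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)\s+\S+$")  # ip address <name> <addr> <mask>


class Iface:
    """One nameif entry: hardware id (ethernet0, vlan10, ...), name and security level."""

    def __init__(self, hw: str, name: str, level: int) -> None:
        self.hw = hw
        self.name = name
        self.level = level
        self.ip: Optional[str] = None


def parse_config(text: str) -> Tuple[List[Iface], Dict[str, List[str]]]:
    """Return the nameif entries in order and a map of VLAN id -> physical ports it was added to."""
    entries: List[Iface] = []
    vlan_ports: Dict[str, List[str]] = {}
    ips: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = NAMEIF_RE.match(line)
        if m:
            entries.append(Iface(m.group(1), m.group(2), int(m.group(3))))
            continue
        m = VLAN_ADD_RE.match(line)
        if m:
            vlan_ports.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = IP_RE.match(line)
        if m:
            ips[m.group(1)] = m.group(2)
    for entry in entries:
        entry.ip = ips.get(entry.name)
    return entries, vlan_ports


def audit(text: str) -> List[str]:
    """Findings for a single configuration; an empty list means it passes."""
    entries, vlan_ports = parse_config(text)
    findings: List[str] = []
    seen: Dict[str, str] = {}
    for e in entries:
        if e.name in seen:
            findings.append(f"interface name {e.name!r} used on both {seen[e.name]} and {e.hw}")
        seen[e.name] = e.hw
        if e.name == "outside" and e.level != 0:
            findings.append(f"outside ({e.hw}) must be security0, found security{e.level}")
        if e.name == "inside" and e.level != 100:
            findings.append(f"inside ({e.hw}) must be security100, found security{e.level}")
        # Assumption of this example: a vlan<N> hardware id should be created first with 'vlan add N'.
        if e.hw.startswith("vlan") and e.hw[4:] not in vlan_ports:
            findings.append(f"{e.hw} is named {e.name!r} but was never created with 'vlan add'")
    for vid, ports in vlan_ports.items():
        if len(ports) > 1:
            findings.append(f"VLAN {vid} is defined on more than one physical port: {', '.join(ports)}")
    return findings


def xlate_reminders(old_text: str, new_text: str) -> List[str]:
    """Names of interfaces whose IP address or security level changed; run `clear xlate` after applying."""
    old = {e.name: e for e in parse_config(old_text)[0]}
    new = {e.name: e for e in parse_config(new_text)[0]}
    return [name for name, e in new.items()
            if name in old and (old[name].ip != e.ip or old[name].level != e.level)]


# Constructed sample configurations (not from the lesson).
GOOD_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
vlan add 10 ethernet1
nameif vlan10 dmz security50
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 10.0.10.1 255.255.255.0
"""

BAD_CONFIG = """\
nameif ethernet0 outside security10
nameif ethernet1 inside security100
nameif ethernet2 inside security50
vlan add 10 ethernet1
vlan add 10 ethernet2
nameif vlan20 guest security20
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.0.0.2 255.255.255.0
"""

if __name__ == "__main__":
    print("good:", audit(GOOD_CONFIG) or ["no findings"])
    print("bad:", *audit(BAD_CONFIG), sep="\n  ")
    print("clear xlate needed for:", xlate_reminders(GOOD_CONFIG, BAD_CONFIG))
```

Run it against the text of "write terminal" output saved before and after a change; the audit catches the security-level inversions that silently turn the firewall's policy model upside down, and the reminder list is the set of interfaces whose stale translation entries would otherwise survive the change.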

32 VPN Encryption License
- DES license: provides 56-bit DES.
- 3DES/AES license: provides 168-bit 3DES and up to 256-bit AES.
Applies to the PIX Firewall family.

33 Firewall Services Module

34 FWSM Designed for high-end enterprise and service providers
- Runs in Cisco Catalyst 6500 Series switches and 7600 Series routers
- Based on PIX Firewall technology
- PIX Firewall 6.0 feature set (some 6.2)
- 1 million simultaneous connections
- Over 100,000 connections per second
- 5-Gbps throughput
- 1-GB DRAM
- Supports 100 VLANs
- Supports failover

35 FWSM in the Catalyst 6500 Switch
Callouts: Supervisor engine, Redundant supervisor engine, Switching modules, Fan assembly, FWSM, Power supply 1, Power supply 2, ESD ground strap connector

36 FWSM in the Cisco 7609 Internet Router
Callouts: OSMs, Supervisor engine, Fan assembly, Redundant supervisor engine, Switch Fabric Module, FWSM, Redundant Switch Fabric Module, Slots 1-9 (right to left), Power supply 1, Power supply 2, ESD ground strap connection

37 Summary

38 Summary
- There are currently five PIX Firewall models in the 500 series: 501, 506E, 515E, 525, and 535.
- The PIX Firewall models 501, 506E, 515E, 525, and 535 come equipped with Ethernet connections, console connections, and intuitive LEDs.
- PIX Firewall models 515E, 525, and 535 support failover.
- Your PIX Firewall license determines the PIX Firewall's level of service in your network and the number of interfaces it supports.

39 Summary (Cont.)
- Restricted, unrestricted, and failover licenses are available for PIX Firewall models 515E, 525, and 535.
- Based on PIX Firewall technology, the Firewall Services Module for the Cisco Catalyst 6500 Switches and Cisco 7600 Series Internet Routers provides an alternative to the PIX Firewall appliance.
- FWSM supports the PIX Firewall Software Release 6.0 feature set as well as some of the 6.2 feature set.
- FWSM delivers multigigabit throughput and 1 million concurrent connections.

