Any word on 50x PIX and 7.0?

In article , Brian Bergin wrote: :Has anyone seen any word other than :

501's and 506's will or wont' ever be supported?

All that document says is that 7.0 is supported on a particular set of devices. It says nothing about 7.0(2) or any later release.

:Kind of sucks to keep :paying SmartNet if you don't get any new software out of it. I'm content to :take my chances with a dead firewall and then move to another brand if Cisco :isn't going to support SOHO's who bought into their product line.

The 501 and 506E have not been EOS'd, the 501 is the newest Cisco firewall, and the 501 and 506E are (I gather) selling well. I have never observed Cisco to abandon a new and successful model line, particularily not one which is competitively placed in the fast-growing SOHO market.

I don't think the lack of support for the 501 and 506E should be read as anything more than some combination of:

a) technical/time difficulties in shrinking the first version of the major rewrite to fit into the restricted memory of the 501 and 506E; and

b) a bit of up-branding to take advantage to sell some higher end devices to early adopters who are willing to pay a premimum for the new features, with plans to introduce the features into the lower end devices as necessary to keep the existing market share.

It is -possible- that there might be an upgrade kit needed on the 501 to boost the memory to run the full features of 7.x. Plausibly a current-modem 501 or 506E would run something like "7.0(3) Lite". Or plausibly there could be an explicit memory configurator in the works, allowing the user to configure how much memory to allocate to particular features, with it perhaps being effectively impossible to turn on all the new features at once due to the restricted amount of memory available.

snipped-for-privacy@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote:

|In article , |Brian Bergin wrote: |:Has anyone seen any word other than |:

|:that 501's and 506's will or wont' ever be supported? | |All that document says is that 7.0 is supported on a particular set of devices. |It says nothing about 7.0(2) or any later release. | |:Kind of sucks to keep |:paying SmartNet if you don't get any new software out of it. I'm content to |:take my chances with a dead firewall and then move to another brand if Cisco |:isn't going to support SOHO's who bought into their product line. | |The 501 and 506E have not been EOS'd, the 501 is the newest Cisco |firewall, and the 501 and 506E are (I gather) selling well. I have |never observed Cisco to abandon a new and successful model line, |particularily not one which is competitively placed in the fast-growing |SOHO market. | |I don't think the lack of support for the 501 and 506E should be read |as anything more than some combination of: | |a) technical/time difficulties in shrinking the first version of the |major rewrite to fit into the restricted memory of the 501 and 506E; |and | |b) a bit of up-branding to take advantage to sell some higher end |devices to early adopters who are willing to pay a premimum for the |new features, with plans to introduce the features into the |lower end devices as necessary to keep the existing market share. | |It is -possible- that there might be an upgrade kit needed |on the 501 to boost the memory to run the full features of 7.x. |Plausibly a current-modem 501 or 506E would run something like |"7.0(3) Lite". Or plausibly there could be an explicit memory |configurator in the works, allowing the user to configure how much |memory to allocate to particular features, with it perhaps being |effectively impossible to turn on all the new features at once |due to the restricted amount of memory available.

I see your points and hope in the end you're right, but fear many may leave for NetScreen's or other brands feeling left out by the 7.0 marketing ploy. I for one am actively looking for a new vendor given the long lack of support for common protocols like ESMTP in the PIX. Too many other vendors like Juniper with their Netscreen brand have highly regarded firewalls at 1/2 the cost of a similar PIX and more features than 6.3.4 offer. It's awful had to sit it out when others are moving forward.

Thanks again for your input...

Thanks... Brian Bergin

I can be reached via e-mail at cisco_dot_news_at_comcept_dot_net.

Please post replies to the group so all may benefit.

NOTICE: Use of this information is contingent upon acceptance of Paragraph 17 of Terabyte's Terms and conditions located at

:I for :one am actively looking for a new vendor given the long lack of support for :common protocols like ESMTP in the PIX. Too many other vendors like Juniper :with their Netscreen brand have highly regarded firewalls at 1/2 the cost of a :similar PIX and more features than 6.3.4 offer.

Which Netscreen model would that be?

According to the juniper.net netscreen-5 comparison chart:

HSC: 5 internal IPs, 2 VPN tunnels, ?? mapped IPs, 1000 sessions,

50 Mbit/s cleartext, 10 Mbit/s 3DES from $US328 street (according to shopper.cnet.com)

5GT: 10 internal IPs, 10 VPN tunnels, 32 mapped IPs, 2000 sessions,

75 Mbit/s cleartext, 20 Mbit/s 3DES from $US412 street (according to shopper.cnet.com)

My accumulated notes have:

PIX 501: 10 internal IPs, 10 VPN tunnels, mapped IPs not limited, sessions not limited, 60 Mbit/s cleartext, 3 Mbit/s 3DES from $US337 (according to shopper.cnet.com)

The street price difference between the PIX 501 and Netscreen HSC is small enough to be negligable, less than the range of a typical corporate discount. The PIX 501 is, though, faster than the HSC, supports twice the number of internal users, 5 times as many tunnels, and unlimited sessions. Essentially the Netscreen HSC's is trying to compete at about the level of the Cisco VPN 3002 or Linksys BEFSX41.

The closet comparison to the PIX 501 would appear to be the Netscreeen 5GT, which is a bit faster (especially on 3DES), but has the 2000 session limit and the 32 mapped IP limit. And it isn't "half the cost" of the 501, it is 25% higher cost.

What does the difference in "sessions" mean in practice? I'm not sure -- but I just checked a PIX 501-50 (50 user license) that was last rebooted Thursday evening (with Friday and today (Monday) both being holidays for us and no regularily scheduled work on weekends.) It shows 1792 sessions peak over that non-busy time. A different 501-50 which was last rebooted a couple of months ago shows a peak of over 5000 sessions.

The PIX 501 has optional licenses for 50 users or unlimited users; the Netscreen 5GT has an optional license for unlimited users, and a different optional license to double the sessions -- up to 4000.

After that one starts getting into the Netscreen 25, which is probably best compared to the PIX 506E. But even the Netscreen 25 Baseline (stripped-down software) starts at $US1800 street, compared to $US800 for the PIX 506E.

If you want to get into a "how many physical interfaces" discussion, then you are talking about the PIX 515E,

525, or 535 -- all of which -are- supported in PIX 7.0.

The Netscreen series does appear to have some nice features, but down at the end of the market where the 501 and 506E live, I do not think you are going to find a Netscreen with comparible or better features for "half of the price" of the corresponding PIX.

All I see on Cisco right now about 7.0 is a single press-release. There's no docs, no release-notes, no downloads. I wouldn't make a decision right now based on a single press release, until at least the product is closer to shipping, and the release notes are up. Yes, I think they've let the PIX market stagnate a bit, but I see that across the board now too.

I don't see Juniper doing much updating with Netscreen right now either. Relase 5.1 was a yawner. I don't know if I'd say other vendors are all that much cheaper when you compare Apples to Apples for the devices, or brand name reputation.

Hi Brian,

PIX 501, 506, 506E support will come with a follow-on release.

A SMARTnet=AE Eligible Cisco Factory Refurbished unit may meet your pricing requirement.

List Prices are for informational purposes only:

Sincerely,

Brad Reese BradReese.Com=AE Cisco Repair Worldwide Toll Free: 877-549-2680 International: 828-277-7272 Website: