I work for a small company of 15 people, three of which are remove using vpn to access internal boxes. I currently have a 506 that is old and not updated. I am considering buying a new pix mostly for the os image upgrade and the vpn clients.
I will soon have a full T-1 installed. Both the 501 and 506E are rated for through put more than can possibly come in through the T-1. Should I get a 501 or a 506E, or should I get a smartnet (which one) and not worry about upgrading the hardware?
You are entitled to free updates to the latest 6.3(5)114 or so (I'd have to look up the current build number; it's at least 112). There are known security problems in 6.3(3), 6.3(4), 6.3(5), and 6.3(5)112, and cisco makes free updates (within the same minor release) available when security problems are found. Search cisco's site for pix security 6.3(5) and you should find the link you need fairly easily. Find the right URL, recite it to your PIX vendor and they'll make the latest 6.3(5) available to you.
There is no PIX 7.x release available for the PIX 501, 506, or 506E, and there never will be, so there is no good in buying one of them expecting to get PIX 7. The PIX 501 and 506 and 506E are essentially at the end of their software development lifecycle, and buying a new one just to get the new software release would not be a good investment, especially since the release is free.
If you are wanting PIX 7, you would need to buy at least a
515 (used, from an authorized reseller), or a 515E (available new), or a 525 or 535: active software development is still ongoing for them, but it isn't clear for how much longer.
The current cisco firewall family that *is* being actively developed and will continue to be developed, is the cisco ASA 5500 series. They run the same PIX 7.2 OS but with some different features enabled. The 7.0 and 7.1 series for the ASA were unable to handle some PPTP and PPPoE features; several of those missing features became available with 7.2(1); if the ASA has not completely caught up then it is only a relatively narrow range of features that might still be lacking.
You'd probably be looking at somewhere around an ASA 5510; add the Advanced services license if you want VLANs. The cost would probably be fairly similar to that of a PIX 506E.
But if you do decide to head to the ASA, before deciding on a model, read the models comparison chart -carefully-. The 5505 is essentially the new PIX 501 equivilent, with very very few of the new features that differentiate the ASA from the PIX. The 5510 Basic is better, but still quite restricted. Useful VLANs you don't get until the 5501 Advanced I seem to recall. The 5520 is really the first full-featured ASA model, if you buy the additional modules (and associated licenses).
In summary: if you -were- to buy an ASA because you wanted the new PIX
7 features, then the 5505 would probably be very much the wrong model for you. The 5505 is for the people who could make do with a PIX 501 really but don't want to buy into a defunct hardware line.
Quite correct but even the small 5505 can handle three interfaces (using the "plus" license) and is much more flexible that the ancient PIX 501. It's good for desktop usage, in cases you can't bear a noisy fan.
Thanks for the comments and help. I purchased a Cisco ASA 5505 and this weekend moved it to production. Most of my users are getting in without issue, though there is one user that has a private vpn group that is not able to get connected. If he uses the public vpn group he can get in, but not on his private vpn group.
The problem must be something configured about the private vpn group that is different from the public group. Is there a way to diff the two groups to find the differences?
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.