pix 501 vs pix 506e?

I work for a small company of 15 people, three of which are
remote using vpn to access internal boxes. I currently have
a 506 that is old and not updated. I am considering buying
a new pix mostly for the os image upgrade and the vpn clients.

I will soon have a full T-1 installed. Both the 501 and 506E
are rated for throughput more than can possibly come in through
the T-1. Should I get a 501 or a 506E, or should I get a smartnet
(which one) and not worry about upgrading the hardware?

My current pix is at 6.3(3).


Re: pix 501 vs pix 506e?

You are entitled to free updates to the latest 6.3(5)114 or so
(I'd have to look up the current build number; it's at least 112).
There are known security problems in 6.3(3), 6.3(4), 6.3(5),
and 6.3(5)112, and cisco makes free updates (within the same minor
release) available when security problems are found. Search cisco's
site for  pix security 6.3(5)  and you should find the link you
need fairly easily. Find the right URL, recite it to your PIX vendor
and they'll make the latest 6.3(5) available to you.

There is no PIX 7.x release available for the PIX 501, 506,
or 506E, and there never will be, so there is no good in buying
one of them expecting to get PIX 7. The PIX 501 and 506 and 506E
are essentially at the end of their software development lifecycle,
and buying a new one just to get the new software release would not
be a good investment, especially since the release is free.

If you are wanting PIX 7, you would need to buy at least a
515 (used, from an authorized reseller), or a 515E (available new),
or a 525 or 535: active software development is still ongoing for
them, but it isn't clear for how much longer.

The current cisco firewall family that *is* being actively developed
and will continue to be developed, is the cisco ASA 5500 series.
They run the same PIX 7.2 OS but with some different features enabled.
The 7.0 and 7.1 series for the ASA were unable to handle some PPTP
and PPPoE features; several of those missing features became
available with 7.2(1); if the ASA has not completely caught up
then it is only a relatively narrow range of features that might
still be lacking.

You'd probably be looking at somewhere around an ASA 5510;
add the Advanced services license if you want VLANs. The cost
would probably be fairly similar to that of a PIX 506E.

But if you do decide to head to the ASA, before deciding on a model,
read the models comparison chart -carefully-. The 5505 is
essentially the new PIX 501 equivalent, with very very few of the
new features that differentiate the ASA from the PIX.
The 5510 Basic is better, but still quite restricted. Useful
VLANs you don't get until the 5501 Advanced I seem to recall.
The 5520 is really the first full-featured ASA model, if you
buy the additional modules (and associated licenses).

In summary: if you -were- to buy an ASA because you wanted the new PIX
7 features, then the 5505 would probably be very much the wrong model
for you. The 5505 is for the people who could make do with a PIX 501
really but don't want to buy into a defunct hardware line.

Re: pix 501 vs pix 506e?
Walter Roberson wrote:

  >But if you do decide to head to the ASA, before deciding on a model,
  >read the models comparison chart -carefully-. The 5505 is
  >essentially the new PIX 501 equivalent, with very very few of the

Quite correct but even the small 5505 can handle three interfaces (using
the "plus" license) and is much more flexible than the ancient PIX 501.
It's good for desktop usage, in cases you can't bear a noisy fan.

I'll get one soon :) ...



Re: pix 501 vs pix 506e?
Hi Mike,

You may wish to investigate Network World Magazine's

Adaptive Security Appliance key to Cisco turnaround success in
firewall market



Brad Reese on Cisco
Network World Magazine Cisco Subnet
http://www.networkworld.com/subnets/cisco/

Re: pix 501 vs pix 506e?
www.BradReese.Com wrote:

Thanks for the comments and help. I purchased a Cisco ASA 5505 and this
weekend moved it to production. Most of my users are getting in without
issue, though there is one user that has a private vpn group that is
not able to get connected. If he uses the public vpn group he can get
in, but not on his private vpn group.

The problem must be something configured about the private vpn group
that is different from the public group. Is there a way to diff the
two groups to find the differences?
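
One way to do the comparison asked about above, as an added example that is not part of the original thread: pull the `tunnel-group` and `group-policy` stanzas for each group out of a saved `show running-config`, replace the group's own name with a placeholder, and diff the results. The group names `public` and `private`, the pool and ACL names, and all values in the sample are constructed for illustration.

```python
import difflib
import re

# Constructed sample in the style of ASA "show running-config" output;
# group names, pool names and values are invented for illustration.
SAMPLE_CONFIG = """\
group-policy public internal
group-policy public attributes
 dns-server value 10.0.0.10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_acl
group-policy private internal
group-policy private attributes
 dns-server value 10.0.0.10
 split-tunnel-policy tunnelall
tunnel-group public type ipsec-ra
tunnel-group public general-attributes
 address-pool vpnpool
 default-group-policy public
tunnel-group private type ipsec-ra
tunnel-group private general-attributes
 address-pool vpnpool2
 default-group-policy private
"""

HEADER = re.compile(r"^(tunnel-group|group-policy) (\S+) (.+)$")

def group_lines(config, name):
    """Return the stanza lines for one group, with its name replaced by <GROUP>."""
    out, inside = [], False
    for line in config.splitlines():
        if not line.startswith(" "):      # top-level command starts a new stanza
            m = HEADER.match(line)
            inside = bool(m) and m.group(2) == name
            if inside:
                out.append(f"{m.group(1)} <GROUP> {m.group(3)}")
        elif inside:                      # indented sub-command of the current stanza
            out.append(re.sub(rf"(?<=\s){re.escape(name)}$", "<GROUP>", line.rstrip()))
    return out

def diff_groups(config, a, b):
    """Lines that differ between groups a and b, as unified-diff +/- lines."""
    delta = difflib.unified_diff(group_lines(config, a), group_lines(config, b),
                                 fromfile=a, tofile=b, lineterm="", n=0)
    return [l for l in delta
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]

if __name__ == "__main__":
    print("\n".join(diff_groups(SAMPLE_CONFIG, "public", "private")))
```

Pre-shared keys are masked as `*` in `show running-config` output, so a key mismatch between the two groups will not show up in this diff.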

