PIX 506e

Have a question or want to start a discussion? Post it! No Registration Necessary.  Now with pictures!

Threaded View
Hello - We are considering this firewall to go behind our Cisco 1600
router which handles our T1. We have several public IPs which are
mapped to internal NATed addresses, as well as port maps. We basically
have a few webservers, an email server, allow ssh to one machine, ftp
to another, etc.

I have  a few questions before buying the 506e:

Can it do NAT?

Can it handle mapping/portmapping our public IPs to private ones,
assuming it can do NAT?

Can I configure this via a web interface, or must I use the CLI (and
commands) to do the above config; or can I generate the config via some
software program?

Can I have an additional router behind the firewall (which itself is
behind the Cisco 1600 router) and assign this new router one of my
public IPs, and that router does its own NAT and portmapping?

Does the fact that there are only two interfaces make any of this

Will it do DHCP?

The reason we are wanting a firewall (aside from being able to control
it ourself, and for the other benefits) is to see if we can gain better
insight into some network problems we are having (mainly spikes in
bandwidth, in and out, and it maxing it out), does the 506e have robust
logging, to help determine the source and destination addresses/ports
of  the problematic traffic?

Do the DDoS and flood thwarting capabilities work?

Would the lower-end 501 be capable of all this? I have heard it is a
bit slower in many respects, including VPN encryption/decryption.

Thanks for any info.,

Re: PIX 506e
Forgot to mention - size of network is about 50 users, about 100
devices with IP addresses, and a VOIP link to a remote location.

Re: PIX 506e
Quoted text here. Click to load it


If you are not planning to have a separate DMZ network (for example, for a
public server), Cisco PIX506 is good choice for you. Theoretically you can
use a PIX501 and you will not see a difference in the performance, but the
list price of unrestricted PIX501 is just about $400 less than the price of
PIX506. Here is a link to all features of PIX506:


Good luck,


Re: PIX 506e

CiscoHeadsetAdapter.com wrote:
Quoted text here. Click to load it
Quoted text here. Click to load it

Thanks for the info Mike. Can you clarify a little: When you say if we
are not planning a DMZ network for a public server, is this something
the 506 cannot do? Is a DMZ different than a vlan, can't this firewall
do those? Which firewall will do DMZs? Is the logging good enough to
see specific IPs source and destination, are the DDoS and flooding
controls adequate? You imply the 501 may be a better choice for us? I
usually like to go for a 'more than we need' approach, so what does the
506 do the 501 can't -is it VPN related?

Thanks again,

Re: PIX 506e
Quoted text here. Click to load it

To avoid future confusion, it is best to consistantly refer to
the "506e" rather than the "506". The "506" has the same capabilities
(so far) but it is slower with lower memory limits than the 506e.

Quoted text here. Click to load it

DMZ is -usually- done by seperate physical interface. You can
also do it by VLAN, if you have a WAN router than can do VLANs.
There is some additional risk in doing DMZ by VLAN, as there is
the possibility of "VLAN hopping attacks".

Quoted text here. Click to load it

In the PIX series, the 501 and 506 and 506E are fixed configuration
devices that cannot have additional physical interfaces, and all the
other PIX series can have them.

In the PIX 5xx series, the 501 and 510 cannot do VLANs, and the
506 and 506E need PIX 6.3(3) or later to do VLANs; the 515, 515E,
520, 525, and 535 need 6.3(1) or later.

Quoted text here. Click to load it

Yes, but there is no interactive method to really get a handle
on what traffic is going where *now*.

Quoted text here. Click to load it

There are no DDoS controls. There are DoS controls that apply
equally to Distributed and single-source attacks. You must, though,
be realistic: if you are being DDoS'd then your WAN pipe is probably
filling up and nothing you can do at your firewall is going to
be able to solve that.

Also be aware that the PIX is not really an IDS device. It has
some IDS capabilities, but if you have reason to expect that you
might be DDoS'd, then you should probably be running an IDS
(or IPS, Intrusion Prevention System) as well -- and you should
be considering the Cisco ASA 5500 series instead of the PIX.

Quoted text here. Click to load it

The 506/506e offers:
- larger memory
- larger DHCP pool (though same size as 501 Unrestricted)
- turbo ACL support
- manual configuration of SA (Security Assocations) -- not a feature
  that is used very much
- Two 802.1Q VLANs
- more VPN peers
- faster, faster encryption
- no limit on the number of inside hosts

The 501 has 3 possible licenses. The default allows only 10
simultaneous inside hosts to talk to the outside; the second
license is 50, the third is unrestricted.

Re: PIX 506e
Quoted text here. Click to load it

The standard warning I give here is that if you think you might
be asking questions configuring PIX here, then you had best learn
the CLI (possibly in addition to the GUI.) The answers here are
almost always in terms of the CLI. The people who answer questions
here generally don't have time to figure out and write down the
long sequence of menu items and drop-boxes that are needed in
the GUI to configure things that take only a few lines in the CLI.

Quoted text here. Click to load it

If that is your main purpose then just configure your 1600 to
SPAN or RSPAN the traffic off to a computer that is running a
network analysis program. PIX are not designed to be able to
correlate traffic spikes and particular traffic. You can do it
to some extent, but the PIX is designed for security not for
volume control.

Re: PIX 506e

Walter Roberson wrote:
Quoted text here. Click to load it

Walter, Thanks for those insights. For the record, I have ordered the
506e for $797.00 but can return it. The ASAs are much more $$$ correct?
We can't afford a lot more than the 506e.

When you say:

Quoted text here. Click to load it

can this computer be on a switch behind the 1600 with everything else,
or does it have to be before the switch (on a hub), or itself have two
interfaces,  the other connecting to the switch (where the lan lives)?

I have used the CLI and prefer it at times, but am not an expert. So
was hoping to be able to do the majority of configuration via a nice
dumb web interface. Though I wouldn't expect to ask or receive much
help using it.

Aside from doing NAT, and handling DHCP, host and portmapping our
public IPs to private/internal ones, and a possible VPN, what
functionality in the 506e is additional to the 1600 router (which can't
seem to determine or log specific address/interface info, accoridng to
our provider who controls it)? Is it just the logging?

We have 2 catalyst 2950 switches which sometimes provide clues to
traffic spikes, and themselves have port flooding controls... Was also
considering a proxy server to log traffic.

What sort of provision in the 506e would I make to assign a public IP
to a router behind the 506e, is it a simple thing to do?

I appreciate your help!,

Re: PIX 506e
You can always use PDM (PIX Device Manager).
It is a GUI that can replace the CLI.

Pedro Pereira

Site Timeline