Pre-purchase Question about PIX 515E

Our company is currently looking for a VPN/Firewall device and I'm looking at the PIX 515E.

Our requirements are:

The device acts as

- Company firewall, with 1X internal network and 1X DMZ zone

- Provide at least 5 concurrent sessions of VPN Clients (MS XP based)

- Provide 2 site-to-site VPN connections: our office and 2 remote sites, low traffic

In our DMZ zone, we have 3+ web servers (10 out of 50 are SSL sites), DNS/FTP/Mail/SQL servers etc.

We also have 2 public subnets which go through the same ISP routers.

Would the 515E Restricted Bundle fit our needs? Well, we're tight on budget also.

Any comments /suggestions are welcomed.

Dave

Reply to
dave

Yes. Don't buy one. Get the ASA 5500. A 5510 would be comparable.

Reply to
delgrundy

Too bad that it's out of our budget.

Does "Yes" mean it will fit our needs?

Dave

Reply to
Cityexplorer

No problem for the 515E

Would those sessions terminate at the PIX (i.e., PIX is the VPN server), or are those "pass-through" sessions, clients passing through the PIX but terminating on an inside server (incoming requests) or outside server (outgoing requests) ?

The 515E can easily terminate 5 software clients, but if you start getting into pass-through then unless you can use some kind of encapsulation (e.g., NAT Traversal for IPSec) then you encounter difficulties. Both IPSec and PPTP use protocols that you cannot normally do Port Address Translation (PAT) on... because the protocols have no ports. If you are trying to do pass-through and you have at least 5 public IPs, you should be able to do the 5 concurrent sessions (but you might need to do Policy NAT.)

No problem for the 515E.

I do not recall at the moment how Network Address Translation (NAT) interacts with SSL.

No problem with the 515E.

If your inside switch supports tagged 802.1Q VLANs, then the needs you identified can all be handled by a PIX 506E running 6.3(3) or later. You didn't talk much about performance requirements though.
Reply to
Walter Roberson
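The pass-through point above (PAT needs ports; ESP and GRE have none, NAT-T wraps IPsec in UDP/4500, and one public IP per client sidesteps the problem), as an added example that is not from the thread: a deliberately simplified Python model of a single-public-IP PAT table. It assumes a toy NAT with no SPI or PPTP call-ID tracking (which some real devices add) and uses constructed documentation-range addresses.

```python
# Added example, not from the thread: a toy NAT model of why IPsec ESP and PPTP GRE
# cannot be Port Address Translated while NAT-T (UDP/4500) or one public IP per host can.
from typing import Dict, List, NamedTuple, Optional, Tuple

TCP, UDP, GRE, ESP = 6, 17, 47, 50      # IP protocol numbers

class Flow(NamedTuple):
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None         # None for ESP/GRE: these carry no ports
    dport: Optional[int] = None

class Pat:
    """Many inside hosts hidden behind ONE public IP (port overloading)."""
    def __init__(self, public_ip: str) -> None:
        self.public_ip, self.next_port = public_ip, 1024
        self.table: Dict[Tuple, Flow] = {}  # outside-side key -> inside flow

    def translate(self, f: Flow) -> Optional[Tuple]:
        if f.proto in (TCP, UDP):
            # Rewrite the source port per inside host so return traffic can be demuxed.
            key = (f.proto, self.public_ip, self.next_port, f.dst, f.dport)
            self.next_port += 1
        else:
            # No port to rewrite: the only outside identifier is (proto, public IP, peer).
            key = (f.proto, self.public_ip, f.dst)
            if key in self.table:
                return None             # second host to the same peer is ambiguous: dropped
        self.table[key] = f
        return key

def count_ok(pat: Pat, flows: List[Flow]) -> int:
    return sum(pat.translate(f) is not None for f in flows)

def static_nat(pool: List[str], flows: List[Flow]) -> Dict[str, Optional[str]]:
    """One public IP per inside host (static/policy NAT): protocol-agnostic, so ESP works."""
    mapping: Dict[str, Optional[str]] = {}
    for f in flows:
        if f.src not in mapping:        # None once the public pool is exhausted
            mapping[f.src] = pool[len(mapping)] if len(mapping) < len(pool) else None
    return mapping

# Constructed sample: five VPN clients (documentation ranges) to one remote IPsec peer.
CLIENTS = [f"10.0.0.{i}" for i in range(1, 6)]
PEER = "198.51.100.1"
RAW_ESP = [Flow(ESP, c, PEER) for c in CLIENTS]
NAT_T = [Flow(UDP, c, PEER, 4500, 4500) for c in CLIENTS]
POOL = [f"203.0.113.{i}" for i in range(11, 16)]
```

With one public IP, `count_ok(Pat(...), RAW_ESP)` lets only the first client through while the NAT-T flows all pass; `static_nat(POOL, RAW_ESP)` gives each of the five clients its own public address.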

YES, a 515E would be more than enough. I am using a 515E unrestricted for an enterprise grade company. Its performance is excellent. We currently have 10 site-to-site VPNs, 5 different networks, running through it. We use a VPN concentrator for VPN dial-up, but the PIX 515E can handle PPTP or Cisco VPN just fine.

-RWS


Reply to
Evolution

You're sure?

Cisco PIX 515E Chassis including Restricted software and 3 Fast Ethernet Ports. £1,420.00

ASA5510-BUN-K9 ASA 5510 Appliance w/ SW, 50 VPN Peers, 3 FE, 3DES/AES £1310.00

I know they're UK prices, but for similar products they are a similar price. If there are no legacy reasons to go PIX, I would go ASA.

(And I have recently bought one too.)

Reply to
Peter Simons

Some people prefer the DMZ to be on its own interface rather than a shared one.

Peter

Reply to
Peter Simons

Yes, it will more than fit your needs. It's an excellent box. It is the replacement for the Pix 500 series product line. It's also not going to be out of your budget. It lists for less than the ASA. The PIX-515E-UR-BUN has an MSRP of $6,995 as compared to the ASA5510-SEC-BUN-K9 which has an MSRP of $4,495. It's a good buy.

J
Reply to
J

The DMZ would be on its own interface -- its own logical interface, with a distinct 802.1Q tag.

With the 506E, the DMZ could not be on its own -physical- interface.

At that point, you are into cost/risk analysis. Historically there have been ways to "vlan hop", to trick routers or switches to deliver packets sourced in one vlan over into a different vlan. There haven't been any recent issues about that (at least not on reputable equipment), so it becomes a matter of risk: what is the probability that someone will develop a -new- vlan hopping attack, and what is the probability that someone will be able to (and choose to) exploit that attack against your network; and is the probability of success over a given time interval worth the extra cost?

One can hypothesize all kinds of attacks -- one can hypothesize, for example, that someone will find a quick way to break strong sequence numbers and be able to launch large-scale forging attacks. Do you see many reports of people cross-analyzing different products to find completely different strong sequence number protections so that they can layer the protections several deep? Perhaps in some very high security locations, but the risk is currently considered too low for people to be putting in that kind of time and money.

Reply to
Walter Roberson

Thanks for your precious information. Price in Canada is about $3235CDN which is cheaper than the 515E.

Before I look into the details doc, what is the major advantage of ASA5500 over 515E?


Reply to
Cityexplorer

Cisco ASA 5500 Series Enterprise Editions:

- Cisco ASA 5500 Series Firewall Edition for the Enterprise

- Cisco ASA 5500 Series Anti-X Edition for the Enterprise

- Cisco ASA 5500 Series IPS Edition for the Enterprise

- Cisco ASA 5500 Series VPN Edition for the Enterprise

Hmm... so many versions. I need firewall/VPN peer/site-to-site VPN...

When I check their part numbers, ASA5510-BUN-K9 is available for both the VPN and firewall editions.

Are they actually the same?

Dave


Reply to
Cityexplorer

Hi Dave,

You may wish to investigate the Refurbished Cisco PIX Firewall Guide, as well as the List Pricing and Availability of Refurbished Cisco PIX Firewalls.

Sincerely,

Brad Reese BradReese.Com - Cisco Repair

Hendersonville Road, Suite 17 Asheville, North Carolina USA 28803 USA & Canada: 877-549-2680 International: 828-277-7272 Fax: 775-254-3558 AIM: R2MGrant BradReese.Com - Cisco Technical Forums

Reply to
www.BradReese.Com

The ASA product line is the replacement for the Pix 500 series product line. The replacement for the 506 and 501 was introduced a week or so ago (ASA 5505), as was the replacement for the 535 (ASA 5550). I would expect Cisco to announce the EoL/EoS for the remaining 500 series products in the next 6 months.

The ASAs have more encrypted and non-encrypted throughput. The ASA has feature cards that can do virus filtering, spam filtering, phishing and other content filtering, IPS, and all sorts of other useful stuff.

Go through Cisco's website and compare the two products.

The Pix 500 series isn't listed on the main page under Security anymore. You have to dig deeper to find any mention of them.

You could buy a Pix but it will cost you more and give you less. It would be comparable to buying that really nice quad-PIII server you've wanted for years for $10k when you could buy a quad-dual-core Xeon for a couple grand less. Go with the ASA.

J
Reply to
J

One thing to remember is the PIX won't route between VPN tunnels. That is, if remote-site-1 is connected to HQ and remote-site-2 is also connected to HQ, then the two remote sites can't reach each other. The same is true for VPN clients. They will access HQ fine but can't access the networks at either remote site or each other. The simple fix for the remote sites is to have a tunnel between them. As for the clients... well, they don't usually need to reach the other clients and really should be connecting to the site they need to reach anyway.

Does the ASA 5500 series have this same "Feature"?

Reply to
RC

It will in 7.x (if so configured), which is the version PIX 515E are sold with now.

Reply to
Walter Roberson

Reasons do not always have to be technical; they can be management etc.

The firm may have a policy that the DMZ is on a separate interface. Could just be the MD's bee in the bonnet. It could be that it's a small organisation with the person responsible not confident at setting up VLANs securely.

Peter

Reply to
Peter Simons

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.