The Cisco PIX 501 does not use ADSM at all. The Cisco PIX 515 uses ADSM only in software version 7.0 and later.
Software version 7.0 (which is quite different than 6.x) is supported on the 515 but not on the 501.
The detailed differences for the 6.x software stream are as follows. This is an extract of a table I created and pubished in the past in the main Cisco newsgroup, comp.dcom.sys.cisco Cisco PIX Model Comparisons
- 133 MHz AMD SC520 processor; bus is one 32-bit 33 MHz PCI
- 16 Mb of SDRAM; 8 Mb of flash
- no Turbo ACL
- 'configure factory-default' *is* available
- dhcp pool of 32 addresses for 10 user licenses
- dhcp pool of 128 addresses for 50 user licenses
- dhcp pool of 253 addresses for unlimited user licenses [according to 'configure factory-default ip-address netmask']
- dhcp pool of 256 addresses for unlimited user licences (requires netmask larger than /24) [according to 'dhcpd address']
- no manual configuration of SAs
- failover NOT supported; 'write standby' NOT supported
- no OSPF support
- number of 'local hosts' limited by purchased license
- no 'sysopt ipsec pl-compatible' -- no support for Private Link
- Easy VPN Remote supported
- "early versions" restricted to 256 Kb configuration file (not clear whether this is early hardware or early 6.x software) [according to 6.3 release notes]
- no support for VAC (VPN Accelerator Card)
- no support for VAC+ (VPN Accelerator Card+)
- 2 physical interfaces supported in all licenses. NO possibility of expansion.
- inside interface always shows up as 100000 Kbit full duplex in 'show interface' (6.3(1)) [according to PIX Command Reference]
- inside interface is a 4 port switch, with no way to address or configure or show information for the individual switch ports.
- no support for 802.1Q VLANs (logical interfaces)
- 515E has 433 MHz Intel Celeron processor; bus is one 32-bit 33 MHz PCI
- 515E has 32 or 64 Mb SDRAM; 16 Mb flash
- Turbo ACL support
- 'configure factory-default' NOT available
- dhcp pool of 256 addresses per interface (requires netmask larger than /24) [according to 'dhcpd address']
- manual configuration of SAs allowed
- failover okay with Unrestricted license; 'write standby' supported (note: 515E cannot be used with 515, both must be the same)
- OSPF support available
- Private Link supported via 'sysopt ipsec pl-compatible'
- Easy VPN Remote NOT supported
- 515: no support for VAC (or possibly just never sold with VAC)
- 515E: support for VAC. VAC included in Unrestricted and Failover models.
- support for VAC (VPN Accelerator Card)
- support for VAC+ (VPN Accelerator Card+)
- Restricted license: 3 physical interfaces, 3 802.1Q VLAN, 5 total Unrestricted: 6 physical interfaces, 6 802.1Q VLAN, 10 total [according to Configuration Guide and later version of PIX Command Reference]
- 4 to 8 802.1Q VLANs (logical interfaces) supported depending on license [according to earlier version of PIX Command Reference]
- 2000 VPN peers
- 515: up to 68000 simultaneous connections (4.4(1) - 6.0 timeframe) [125000 simultaneous connections according to Cisco's Noble Institute case- study; this might have been Unrestricted]
- 515: maximum 10 Mbps VPN throughput [according to 506E/515E Q&A; 6.1(2) timeframe, might have improved later]
Thanks for posting that. You give more useful information than Cisco's website. Some interesting limits on the DHCP stuff.
A coworkers was looking to size up small firewall/vpn devices for a small company that would need a mix of 10-20 offices and up to 50 workers. SOmeone recommended the PIX 501 because it was "easier to manage than other firewall/vpn products" (specifically Checkpoints), and "cheaper". I kinda scratched my head on that one cause I didn't think the first was true at all and I wonder about the second.
I found Checkpoints easier to manage by a long shot. And if you buy a Checkpoint appliance and avoid building a server-based firewall it elimiantes the worst part of the setup.
email@example.com (Walter Robers>>>Could anyone tell me whether the Cisco PIX 501 and 515 firewalls use the