Cisco PIX
Cisco PIX is a popular IP firewall and network address translation (NAT) appliance. It was one of the first products in this market segment.

In 2005, Cisco introduced the newer Adaptive Security Appliance (ASA), which inherited many of the PIX features, and in 2008 announced PIX end-of-sale.

The PIX technology is still sold in a blade, the FireWall Services Module (FWSM), for the Cisco Catalyst 6500 switch series and the 7600 Router series.

History

PIX was originally conceived in early 1994 by John Mayes of Redwood City, California and designed and coded by Brantley Coile of Athens, Georgia. The PIX name is derived from its creators' aim of creating the functional equivalent of an IP PBX to solve the then-emerging registered IP address shortage. At a time when NAT was just being investigated as a viable approach, they wanted to conceal a block or blocks of IP addresses behind a single or multiple registered IP addresses, much as PBXs do for internal phone extensions. When they began, RFC 1597 and RFC 1631 were being discussed, but the now-familiar RFC 1918 had not yet been submitted.

The design and testing were carried out in 1994 by John Mayes, Brantley Coile and Johnson Wu of Network Translation, Inc., with Brantley Coile being the sole software developer. Beta testing of PIX serial number 000000 was completed and first customer acceptance was on December 21, 1994 at KLA Instruments in San Jose, California. The PIX quickly became one of the leading enterprise firewall products and was awarded the Data Communications Magazine "Hot Product of the Year" award in January 1995.

After Cisco acquired Network Translation in November 1995, Mayes and Coile hired four longtime associates: Jim Jordan, Tom Bohannon, Richard Howes and Pete Tenereillo (the latter two had worked for NTI prior to the acquisition). Together they continued development on Finesse OS and the original version of the Cisco PIX Firewall, now known as the PIX "Classic". During this time, the PIX shared most of its code with another Cisco product, the LocalDirector.

End-of-Life

On January 28, 2008, Cisco announced the end-of-sale and end-of-life dates for all Cisco PIX Security Appliances, software, accessories, and licenses. The last day for purchasing Cisco PIX Security Appliance platforms and bundles was July 28, 2008. The last day to purchase accessories and licenses was January 27, 2009. Cisco will continue to support Cisco PIX Security Appliance customers through July 27, 2013.

Adaptive Security Appliance (ASA)

In May 2005, Cisco introduced the Adaptive Security Appliance (ASA) which combines functionality from the PIX, VPN 3000 series and IPS product lines. The ASA series of devices run PIX code 7.0 and later. Through PIX OS release 7.x the PIX and the ASA use the same software images. Beginning with PIX OS version 8.x, the operating system code diverges, with the ASA using a Linux kernel and PIX continuing to use the traditional Finesse/PIX OS combination.

Description of operation

The PIX runs a custom-written proprietary operating system originally called Finesse (Fast InterNEt Server Executive), but now the software is known simply as PIX OS. It is classified as a network layer firewall with stateful inspection, although technically the PIX would more precisely be called a Layer 4, or Transport Layer, firewall, because its access control is not limited to Network Layer routing but applies to socket-based connections (an IP address and a port; port communications occur at Layer 4). By default it allows internal connections out (outbound traffic), and only allows inbound traffic that is a response to a valid request or is allowed by an Access Control List (ACL) or a conduit. The PIX can be configured to perform many functions including network address translation (NAT) and port address translation (PAT), as well as being a virtual private network (VPN) endpoint appliance.

The PIX was the first commercially available firewall product to introduce protocol-specific filtering with the introduction of the "fixup" command. The PIX "fixup" capability allows the firewall to apply additional security policies to connections identified as using specific protocols. Two protocols for which specific fixup behaviors were developed are DNS and SMTP. The DNS fixup originally implemented a very simple but effective security policy: it allowed just one DNS response from a DNS server on the Internet (reached through the interface known as outside) for each DNS request from a client on the protected interface (known as inside). "Fixup" has been superseded by "Inspect" on later versions of PIX OS.
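
The one-response-per-request DNS policy described above can be modeled as a small state table. This is an added example, not PIX OS code; the matching key (client address and port, server address, DNS transaction ID), the 10-second timeout and all addresses are assumptions made for the illustration.

```python
import struct
from dataclasses import dataclass, field

DNS_PORT = 53
QR_RESPONSE = 0x8000  # top bit of the DNS flags word: 0 = query, 1 = response


@dataclass(frozen=True)
class Datagram:
    """A UDP datagram as seen by the firewall (constructed model, not a capture)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def dns_header(payload):
    """Return (transaction_id, is_response), or None if too short for a DNS header."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & QR_RESPONSE)


def dns_message(txid, response):
    """Build a bare 12-byte DNS header (constructed sample, no question section)."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)


@dataclass
class DnsGuard:
    """Tracks outstanding DNS requests from the inside interface."""
    timeout: float = 10.0  # assumed lifetime of an unanswered request, in seconds
    pending: dict = field(default_factory=dict)  # match key -> expiry time

    def outbound(self, pkt, now):
        """Inside -> outside: allowed by default; DNS queries are remembered."""
        hdr = dns_header(pkt.payload)
        if pkt.dport == DNS_PORT and hdr and not hdr[1]:
            self.pending[(pkt.src, pkt.sport, pkt.dst, hdr[0])] = now + self.timeout
        return True

    def inbound(self, pkt, now):
        """Outside -> inside: allow a DNS response only if it uses up a pending request.

        Only DNS is modeled here; ACLs and other connection state are out of scope.
        """
        hdr = dns_header(pkt.payload)
        if pkt.sport != DNS_PORT or hdr is None or not hdr[1]:
            return False
        key = (pkt.dst, pkt.dport, pkt.src, hdr[0])
        expiry = self.pending.pop(key, None)  # pop: the first reply consumes the slot
        return expiry is not None and now <= expiry


def demo():
    """Run a constructed packet sequence and return the inbound decisions."""
    guard = DnsGuard()
    client, resolver, other = "10.0.0.5", "192.0.2.53", "198.51.100.7"
    query = Datagram(client, 40000, resolver, DNS_PORT, dns_message(0x1A2B, False))
    reply = Datagram(resolver, DNS_PORT, client, 40000, dns_message(0x1A2B, True))
    spoof = Datagram(other, DNS_PORT, client, 40000, dns_message(0x1A2B, True))

    results = []
    results.append(guard.inbound(reply, 0.0))   # unsolicited: no request seen yet
    guard.outbound(query, 1.0)
    results.append(guard.inbound(spoof, 1.1))   # right ID, but not the queried server
    results.append(guard.inbound(reply, 1.2))   # first matching response
    results.append(guard.inbound(reply, 1.3))   # second response to the same request
    guard.outbound(query, 2.0)
    results.append(guard.inbound(reply, 20.0))  # response arrives after the timeout
    return results


if __name__ == "__main__":
    print(demo())
```
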

The Cisco PIX was also one of the first commercially available security appliances to incorporate IPSec VPN gateway functionality.

The PIX can be managed by a command line interface (CLI) or a graphical user interface (GUI). The CLI is accessible from the serial console, telnet and SSH. GUI administration was introduced with version 4.1, and it has been through several incarnations: PIX Firewall Manager (PFM) for PIX OS versions 4.x and 5.x, which runs locally on a Windows NT client; PIX Device Manager (PDM) for PIX OS version 6.x, which runs over HTTPS and requires Java; and Adaptive Security Device Manager (ASDM) for PIX OS version 7 and greater, which can run locally on a client or in reduced-functionality mode over HTTPS. Emulators include PEMU and Dynagen (http://www.dynagen.org); NetworkSims.com ProfSIMs (http://networksims.com) is a simulator.

As the PIX is an acquired product, the CLI was originally not aligned with the Cisco IOS syntax. Starting with version 7.0, the configuration is much more IOS-like. As the PIX only supports IP traffic (as opposed to IPX, DECNet, etc.), in most configuration commands 'ip' is omitted. The configuration is upwards compatible, but not downwards. When a 5.x or 6.x configuration is loaded on a 7.x platform, the configuration is automatically converted to 7.x formatting, as long as the configuration used ACLs rather than conduits and "outbounds". This allows for an easy migration from PIX to ASA. PIX OS v7.0 is only supported on models 515, 515(E), 525 and 535. Although the 501 and 506E are relatively recent models, the flash memory size of only 8 MB prevents official upgrading to version 7.x, although 7.0 can be installed on a 506E using monitor mode up to version 7.1(2). The 8 MB flash size only allows for installation of the PIX OS software, not the ASDM software (GUI). For the PIX 515(E) to run version >7.0, a doubling of the memory size is required (32->64 MB for Restricted and 64->128 MB for Unrestricted/Failover licenses). A 515(E) UR/FO can run 7.0 with 64 MB memory installed, but that is not recommended, as larger configurations and session/xlate tables can exceed the available memory.

Description of hardware

The original NTI PIX and the PIX Classic had cases that were sourced from OEM provider Appro. All flash cards and the early encryption acceleration cards, the PIX-PL and PIX-PL2, were sourced from Productivity Enhancement Products (PEP). Later models had cases from Cisco OEM manufacturers.

The PIX was constructed using Intel-based/Intel-compatible motherboards; the PIX 501 used an AMD 5x86 processor, and all other standalone models used Intel 80486 through Pentium III processors. Nearly all PIXs used Ethernet NICs with Intel 82557, 82558, and 82559 network chipsets, but some older models are occasionally found with 3COM 3c590 and 3c595 Ethernet cards, Olicom-based Token-Ring cards, and Interphase-based FDDI cards.

Some Intel-based Ethernet cards for the PIX are identified at boot with the designation "mcwa". This designation denotes a multicast receive bug in the card's firmware that the designers addressed with a feature they called Multi Cast Work Around.

Both the PIX 510 and 520 share basic components, such as motherboard, chassis, NICs, flash cards, etc., with the Cisco LocalDirector 416/420/430, the Cisco Service Selector Gateway 6510 (SSG-6510), and the Cisco Cache Engine CE2050, though the latter two run VxWorks, rather than a Finesse derivative.

The PIX boots off a proprietary ISA flash memory daughtercard in the case of the NTI PIX, PIX Classic, 10000, 510, 520, and 535, and it boots off integrated flash memory in the case of the PIX 501, 506/506e, 515/515e, 525, and WS-SVC-FWM-1-K9.

The PIX technology implemented in the FWSM, for the Catalyst 6500 and the 7600 Router, has a part code of WS-SVC-FWM-1-K9.

The PIX535 has a PCI-X 66 MHz/64 bit bus for expansion slots. This results in a much higher cleartext throughput, as the PCI bus is no longer the bottleneck (the PCI bus is 33 MHz and 32 bits, resulting in a maximum throughput of 1.2 GBit without overhead taken into account). As the lower Cisco ASA models use a PCI bus, the PIX535 was faster for cleartext than its successor ASA, until the introduction of the ASA5580.

Latest models

Model | 501 | 506e | 515e | 525 | 535 | FWSM
Introduced | 2001 | 2002 | 2002 | 2000 | 2000 | 2003
Discontinued | 2008 | 2008 | 2008 | 2008 | 2008
CPU type | AMD SC520 5x86 | Intel Celeron (Mendocino SL36A) | Intel Celeron (Mendocino SL3BA) | Intel Pentium III (Coppermine) | Intel Pentium III (Coppermine) | One Intel Pentium III and three IBM 4GS3 PowerNP network processors
CPU speed | 133 MHz | 300 MHz | 433 MHz | 600 MHz | 1 GHz | 1 GHz
Chipset | AMD SC520 | Intel 440BX Seattle | Intel 440BX Seattle | Intel 440BX Seattle | Broadcom Serverworks RCC | ?
Default RAM | 16 MB | 32 MB | 64 (128) MB | 128 (256) MB | 512 (1024) MB | 1 GB
Boot flash device | Onboard | Onboard | Onboard | Onboard | ISA card & Onboard | Onboard
Default flash | 8 MB | 8 MB | 16 MB | 16 MB | 16 MB | 128 MB
Boot flash chips | 1 x 28F640 | 1 x 28F640 | 1 x E28F128J3 | 1 x EF28F128J3 | 2 x i28F640J5 | ATA CompactFlash
PIX BIOS flash chips | 28F640 | AM29F400B | AM29F400B | AM29F400B/E28F400B5T | DA28F320J5
Minimum PIX OS version | 6.1(1) | 5.1(x) | 5.1(x) | 5.2(x) | 5.3(x) | FWSM 2.3(x)
Maximum PIX OS version officially supported | Latest 6.3(x) | Latest 6.3(x) | 8.0.4 | 8.0.4 | 8.0.4 | FWSM 4.0(x)
Max interfaces | 2 | 2 | 3(6) | 6(10) | 8(14)
Fixed internal interface | 10/100baseT | 10/100baseT | 10/100baseT | 10/100baseT | No | No
Fixed external interface | 10/100baseT | 10/100baseT | 10/100baseT | 10/100baseT | No | No
PCI slots | 0 | 0 | 2 | 3 | 9 | 1
Expansion cards supported | No | No | 1 port FE, 4 port FE, 1 port 1000baseSX | 1 port FE, 4 port FE, 1 port 1000baseSX | 1 port FE, 4 port FE, 1 port 1000baseSX | Yes
Supports SSL VPN | No | No | No | No | No | No
VPN accelerator supported | No | No | Yes | Yes | Yes | No
Floppy drive | No | No | No | No | No | No
Failover supported | No | No | Yes | Yes | Yes | Yes

Older models

Model | NTI PIX | Classic 47-3158-01 | 10000 | 506 | 510 | 515 | 520
Introduced | 1994 | 1995 | 1996 | 2000 | 1997 | 1999 | 1999
Discontinued | 1995 | 1998 | 1998 | 2002 | 1999 | 2002 | 2001
CPU type | Intel 486DX2 / Intel Pentium | Intel Pentium | Intel Pentium Pro | Intel Pentium MMX | Intel Pentium | Intel Pentium MMX | Intel Pentium II (Deschutes)
CPU speed | 66 / 90 MHz | 100~133 MHz | 200 MHz | 200 MHz | 166 MHz | 200 MHz | 233~350 MHz
Chipset | Intel 430FX/TX | Intel 440FX Natoma | Intel 430TX | Intel 430TX | Intel 430TX | 440LX/BX Balboa/Seattle
Default RAM | 4 MB | 8 MB | 16 MB | 32 MB | 16 MB | 32 (64) MB | 128 MB
Boot flash device | ISA card | ISA card | ISA card | Onboard | ISA card | Onboard | ISA card
Default flash | 512 KB | 512 KB / 2 MB | 2 MB | 8 MB | 2 MB | 16 MB | 2 MB / 16 MB
Boot flash chips | 2 x i28f020 | 2 x i28f020 / 4 x 29C040 | 4 x 29C040 | 1 x i28F640J5 | 4 x 29C040 | 2 x i28F640J5 | 4 x 29C040 / 2 x i28F640J5
PIX BIOS flash chips | AM28F256 | AM28F256 | AM28F256 | AT29C257 | AM28F256 | AT29C257 | AM28F256/AT29C257
Minimum PIX OS version | 1.x | 2.x | 4.4(x) | 4.4(x) | 4.4(x) | 5.1(x) | 4.4(x)
Maximum PIX OS version | 4.2(2) | 4.2(2) 5.1(x) | 5.1(x) | Latest 6.3(x) | 5.3(4) | Latest 8.x | Latest 6.3(x)
Max interfaces | 2 | 6(3) | 8(6)
Fixed internal interface | No | No | No | 10baseT | No | 10/100baseT | No
Fixed external interface | No | No | No | 10baseT | No | 10/100baseT | No
PCI slots | ? | 4 | 4 | 0 | 4+ | 2 | 4+
Expansion cards supported | ? | 1 port FE, 1 port Token Ring, 1 port FDDI | 1 port FE, 1 port Token Ring, 1 port FDDI | No | 1 port FE, 1 port Token Ring, 1 port FDDI | 1 port FE, 4 port FE, 1 port 1000baseSX | 1 port FE, 4 port FE, 1 port 1000baseSX
VPN accelerator supported | Yes | Yes | Yes | No | Yes | Yes | Yes
Floppy drive | Yes | Yes | Yes | No | Yes | No | Yes
Failover supported | No | No/Yes | Yes | No | Yes | Yes | Yes

---Information on models supported as of 6/27/2005 verified from Cisco's PIX Brochure (page 2) and the specific product pages

Performance specifications

Model | PIX Classic | PIX 10000 | PIX 501 | PIX 506 | PIX 506e | PIX 510 | PIX 515 | PIX 515e | PIX 525 | PIX 535 | ASA 5520 | FWSM
Cleartext throughput, Mbit/s | 90 | 60 | 20 | 100 | 147 | 190 | 240 | 330 | 1655 | 450 | 5500
56-bit DES throughput, Mbit/s | 6 | 20 | n/a | n/a | n/a | n/a | ? | n/a
168-bit Triple DES throughput, Mbit/s | 3 | 6 | 16 | 10 / 63 (135) | 20 / 63 (135) | 20 | 30 / 72 (145) | 50 / 100 (425) | 225 | n/a
AES-128 throughput, Mbit/s | 4.5 | 30 | 45 / 130 | 65 / 135 | 110 / 495 | 225 | n/a
AES-256 throughput, Mbit/s | 3.4 | 25 | 35 / 130 | 50 / 135 | 90 / 425 | 225 | n/a
Max simultaneous connections | 16,000 | 7,500 | 10,000 | 25,000 | 64,000 / 128,000 | 48,000 / 130,000 | 256,000 | 140,000 / 280,000 | 250,000 / 500,000 | 280,000 | 999,900 total / 100,000 per second
Max simultaneous hosts (users) | 10 / 50 / Unlimited | Unlimited | Unlimited | 128 / 1000 / unlimited | Unlimited | Unlimited | ? | 256,000
Max number of ACL entries | ? | 80,000
Max simultaneous VPN peers | 10 | 25 | 25 | 0 / 2000 | 0 / 2000 | 0 / 2000 | 750 IPSec, 750 SSL | n/a
Model | PIX Classic | PIX 10000 | PIX 501 | PIX 506 | PIX 506e | PIX 510 | PIX 515 | PIX 515e | PIX 520 | PIX 525 | PIX 535 | ASA 5520 | FWSM

---Information on models supported as of 6/27/2005 verified from Cisco's PIX Brochure (page 2) and the specific product pages

List of part numbers for PCI, ISA, and EISA expansion cards

  • Flash cards
    • ??? - 512 KB ISA flash card used in the original NTI PIX, PIX Classic and 10000. It is manufactured by Productivity Enhancement Products. Aside from progressive manufacturing refinements, the 512 KB and 2 MB flash cards were identical except for the chips that populated them. Both booted from a 28F256 chip, but the 512 KB card only populated two of the flash sockets with 28F020 chips, while the 2 MB card populated all four sockets with 29C040 chips.
    • ??? - 2 MB ISA flash card used in the PIX Classic, 10000, 510, and 520, as well as the SSG-6510 and many LocalDirectors. It is manufactured by Productivity Enhancement Products.
    • PIX-FLASH-16MB - 16 MB ISA flash card for the PIX 510, 520, and 535. It is manufactured by Productivity Enhancement Products.
  • Ethernet cards
  • VPN/Encryption acceleration cards
    • PIX-VAC-PLUS - 64 bit/66 MHz PCI IPSec
      IPsec
      Internet Protocol Security is a protocol suite for securing Internet Protocol communications by authenticating and encrypting each IP packet of a communication session...

       Hardware VPN Accelerator Card, identified by PIX OS as a PIX-VAC+. Supported by the 515, 515e, 520, 525, and 535 running PIX OS 6.3(1) or higher. Accelerates DES, Triple DES, and AES. Part number 74-3176-01. Uses the Broadcom
      Broadcom
      Broadcom Corporation is a fabless semiconductor company in the wireless and broadband communication business. The company is headquartered in Irvine, California, USA. Broadcom was founded by a professor-student pair Henry Samueli and Henry T. Nicholas III from the University of California, Los...

       BCM5823KPB-5 chip.
    • PIX-VPN-ACCEL - 32 bit/33 MHz PCI IPSec
      IPsec
      Internet Protocol Security is a protocol suite for securing Internet Protocol communications by authenticating and encrypting each IP packet of a communication session...

       Hardware VPN Accelerator Card, identified by PIX OS as a PIX-VAC. Accelerates DES and Triple DES. This is a repackaged IRE SafeNet CryptPCI 413-10004 rev 2.3 card. It uses the Analog Devices
      Analog Devices
      Analog Devices, Inc. , known as ADI, is an American multinational semiconductor company specializing in data conversion and signal conditioning technology, headquartered in Norwood, Massachusetts...

       ADSP-2141L chip. Its part number is 74-1908-01.
    • PIX-PL2 - 32 bit/33 MHz PCI proprietary DES encryption card (discontinued and unsupported from PIX OS 6.0.1 on). It is manufactured by Productivity Enhancement Products.
    • PIX-PL - 32 bit/8 MHz EISA encryption card found in some early PIXs. It is manufactured by Productivity Enhancement Products.
  • FDDI and Token Ring cards
    • PIX-1TR - 32 bit/33 MHz 4/16 Mbit/s PCI Token Ring card based on the Olicom OC-3137/PE-67597 (discontinued and unsupported from PIX OS 6.0.1 on).
    • PIX-FDDI - 32 bit/33 MHz 100 Mbit/s SC duplex PCI FDDI card based on the Interphase 5511 FDDI card (PB05511-002). It was discontinued and unsupported from PIX OS 6.0.1 on.

Footnotes

Only the first few NTI PIXs came with the 486 processor; the rest came with a Pentium processor.

The "inside" port is connected to an internal, unmanaged, auto-polarity 4 port switch.

Restricted package / Unrestricted package limits (referred to by Cisco as R and UR/FO/FO-AA, respectively). For the PIX-525, RAM configurations above 384 MB are not supported by Cisco; however, up to 3x 256 MB work, for a maximum of 768 MB.

According to Cisco, the 1000baseSX card is not officially supported by the 515/515e, but it will work.

VAC acceleration vs VAC+ (in parentheses) acceleration (implies Unrestricted package).

Older 520s made before February 2000 and with a serial number less than 18025677 shipped with a 2 MB flash card. Newer 520s shipped with a 16 MB flash card (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notice09186a008032d3af.html).

The WS-SVC-FWM-1-K9 blade has no fixed ports or internal expansion; it makes use of either VLAN interfaces (being used by physical interfaces on a remote switch) or the physical interfaces on the switch/router it is installed in.

PIX Classic firewalls with a serial number of 06002015 or lower came with a 512 KB flash card. Newer models came with a 2 MB flash card (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notice09186a008032d39e.html).

The WS-SVC-FWM-1-K9 blade only supports IPSec VPN for management. It doesn't have the ability to terminate a VPN connection for remote users.

The PIX 520 received updated PII processors as they became available, starting with the PII 233 and ending with the PII 350. The Intel-manufactured SE440BX-2 ATX motherboard in the 520 can support any Slot 1 processor from the Celeron Covington, Celeron Mendocino, Pentium II Klamath, Pentium II Deschutes, and the Pentium III Katmai families, as long as the CPU uses 2.0 V core voltage and can run on a 66 or 100 MHz FSB. One may also use 133 MHz FSB CPUs, but they will run at lower speeds; for example, a 933 MHz CPU for 133 MHz FSB will only run at 700 MHz. A slotket can also be used to install the newer 500 MHz - 1.1 GHz Socket 370 Pentium III Coppermine CPUs, as long as the slotket provides a voltage regulator and manual bus speed selector. Using the PowerLeap PL-iP3 converter, Tualatin processors can be used. A BIOS upgrade to the latest level of the SE440BX-2 is required. Using the bus-speed settings on the PowerLeap, speeds of 1.6 GHz are possible.

The PIX 520 rev A firewalls may use the Intel AL440LX motherboard instead of the SE440BX-2. The AL440LX may be replaced by a SE440BX-2 motherboard, which is found in the 520 rev B.

Cannot be easily upgraded, due to clearance issues with the top cover.

In early 2005, Cisco indicated that PIX OS 7.x would only support the 515, 515e, 525, and 535, while a "stripped-down" version would eventually be released for the 501 and 506e. While not officially supported, it is actually possible to update the 506E to 7.x code by removing all GUI management software.

The maximum OS version one can run with a 512 KB card is 4.2(2). The maximum OS version one can run with a 2 MB card is 5.1(x). The maximum OS version with a 16 MB card is 6.3(5), unless one is using a PIX 535. OS version 5.2(4) and higher explicitly does not support the Intel 440FX chipset.

Shows flash chips on the 2 MB flash card versus the chips on the 16 MB flash card.

Various models of the 525 use different flash chips, probably due to differing production runs.

Shows flash chips on the 512 KB flash card versus the chips on the 2 MB flash card.

While the PIX 535 boots off the same ISA flash card as some PIX 510s and 520s (the PIX-FLASH-16MB), its newer on-board PIX BIOS (version 4.x) overrides the PIX BIOS on the flash card (version 3.6) at boot.

Since both the 510 and 520 have standard ATX motherboards, the PCI slot count can be higher or lower than the default if the motherboard is replaced with a different one.

The performance figures cited here are highly changeable, as one can upgrade the CPU in the PIX 520 to a 1 GHz Pentium III, which will considerably increase its throughput in all of the below categories, putting it on a level with the 525 and 535.

According to a 2000 field notice, due to a "procedural error", PIX 525s with serial numbers 44480380055 through 44480480044 were manufactured with erroneous or omitted EEPROM programming in their 82559 chips that caused the onboard FastEthernet ports to behave erratically when set to full-duplex. Starting with PIX OS 5.3.1, the "eeprom update" command will reprogram the defective data and restore normal operation permanently. Viewing the field notice requires registration: http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_field_notice09186a00800949c4.shtml.
Most, if not all, 525s in use today within that range have likely been corrected, but an unused or unopened unit within that range would still need the corrective action to be taken.

It is theoretically possible to upgrade the Socket 8 Pentium Pro processor in the PIX Classic and 10000 with either an Intel Pentium II Overdrive (300 or 333 MHz depending on the system bus speed) http://www.intel.com/pressroom/archive/releases/DP081098.HTM or a Powerleap PL-Pro/II Celeron adapter http://www.powerleap.ca/Products/PL-Pro-II.htm, both of which are long out of production. The Powerleap adapter natively allows use of a 300 - 533 MHz Mendocino Celeron PPGA processor. Coupled with the Powerleap Neo S370 FC-to-PPG adapter, one can use a 533 - 766 MHz FC-PGA Coppermine-128 Celeron processor. However, the 60 or 66 MHz bus (no 100 MHz bus) and 72-pin SIMM memory limitations of the workstation-style 440FX board limit the potential performance gains from such upgrades. Upgrading the motherboard to a compatible server-style 440FX board with DIMM slots may allow for the use of the 440FX chipset's theoretical limit of 1 GB of RAM, although if the motherboard is to be replaced, it may arguably be more cost-efficient to upgrade to a SE440BX-2 motherboard with a slocket and Tualatin Celeron CPU. It is also worthwhile to note that PIX OS later than 5.3.4 explicitly does not support the 440FX chipset.

The PIX 525 is known to come with a variety of processors including 1.65 V 600 MHz (SL3VH) and 1.75 V 600 MHz (SL5BT). It would appear that all 1.65 V to 1.75 V 100 MHz FSB CPUs would work; this has been substantiated to 1000 MHz with a SL5QV 1.75 V CPU.

The first PIX Classics did not support failover. Only after this feature debuted with the LocalDirector did it come to be included in the later PIX Classics.

Photos show proof of a successful overclock of a Cisco PIX 506E, with mainboard, socket and circuit modifications, for a 1.2 GHz P3 (Tualatin core). This mod was done by someone called i8.

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 