© 2003, Cisco Systems, Inc. All rights reserved. CSPFA Chapter 4 Cisco PIX Firewall Family

Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Identify the PIX Firewall models.
- Describe the key features of the PIX Firewall 501, 506E, 515E, 525, and 535.
- Identify the PIX Firewall 501, 506E, 515E, 525, and 535 controls, connectors, and LEDs.
- Identify the PIX Firewall 501, 506E, 515E, 525, and 535 interfaces.

Objectives (cont.)

- Describe the key features of the Firewall Services Module for the Cisco Catalyst 6500 Switch and the Cisco 7600 Series Internet Router.
- Identify the switch and router slots in which the Firewall Services Module can be installed.
- Identify and describe LEDs which display the status of the Firewall Services Module.
- Explain the PIX Firewall licensing options.

PIX Firewall Models

PIX Firewall Family

[Figure: chart with axes Price and Functionality; segment labels SOHO, ROBO, SMB, Enterprise, SP; models PIX 501, PIX 506E, PIX 515E, PIX 525, PIX 535; annotation: Gigabit Ethernet]

PIX Firewall 501

- Designed for small offices and teleworkers
- 3,500 simultaneous connections
- 10 Mbps cleartext throughput
- 133 MHz processor
- 16 MB of SDRAM
- Supports one 10BaseT Ethernet interface (outside) and a 4-port 10/100 switch (inside)
- 3 Mbps 3DES throughput
- 5 simultaneous VPN peers

PIX Firewall 501 Front Panel LEDs

[Figure labels: VPN tunnel; Power; 100 MBPS; Link/Act]

PIX Firewall 501 Back Panel

[Figure labels: Security lock slot; Power connector; 10BaseT (RJ-45); Console port (RJ-45); 4-port 10/100 switch (RJ-45)]

PIX Firewall 506E

- Designed for small and remote offices
- 10,000 simultaneous connections
- 20 Mbps cleartext throughput
- 300-MHz Intel Celeron processor
- 32 MB RAM
- Supports two interfaces (10BaseT)
- 16 Mbps 3DES throughput
- 25 simultaneous VPN peers

PIX Firewall 506E Front Panel LEDs

[Figure labels: Network LED; Active LED; Power LED]

PIX Firewall 506E Back Panel

[Figure labels: LINK LED; Console Port (RJ-45); Power switch; USB port; ACT(ivity) LED; 10BaseT (RJ-45); 10BaseT (RJ-45); ACT(ivity) LED; LINK LED]

PIX Firewall 515E

- Designed for small to medium businesses
- 128,000 simultaneous connections
- 188 Mbps cleartext throughput
- 433-MHz Intel Pentium Celeron processor
- 64 MB RAM
- Supports six interfaces
- Supports failover
- 63 Mbps 3DES throughput
- 2,000 IPSec tunnels

PIX Firewall 515E Front Panel LEDs

[Figure labels: Network LED; Power LED; Active failover firewall]

PIX Firewall 515E Back Panel

[Figure labels: Failover connector; FDX LED; LINK LED; 100 Mbps LED; FDX LED; Console port (RJ-45); 10/100BaseTX Ethernet 1 (RJ-45); Power switch; LINK LED; 100 Mbps LED; 10/100BaseTX Ethernet 0 (RJ-45); LINK LED]

PIX Firewall 515E Quad Card

Using the quad card requires the PIX Firewall 515E-UR license.

PIX Firewall 515E Two Single-Port Connectors

Using two single-port connectors requires the PIX Firewall 515E-UR license.

PIX Firewall 525

- Designed for enterprise
- 280,000 simultaneous connections
- 360 Mbps cleartext throughput
- 600-MHz Intel Pentium III processor
- 256 MB RAM
- Supports eight interfaces
- Supports failover
- 70 Mbps 3DES throughput
- 2,000 IPSec tunnels

PIX Firewall 525 Front Panel LEDs

[Figure labels: Power LED; Active LED]

PIX Firewall 525 Back Panel

[Figure labels: 100Mbps LED; ACT(ivity) LED; LINK LED; LINK LED; Failover connection; 10/100BaseTX Ethernet 1 (RJ-45); 10/100BaseTX Ethernet 0 (RJ-45); USB port; Console port (RJ-45)]

PIX Firewall 535

- Designed for enterprise and service providers
- 500,000 simultaneous connections
- 1.7 Gbps cleartext throughput
- 1 GHz Intel Pentium III processor
- 1 GB RAM
- Maximum of 10 interfaces
- Supports failover
- 96 Mbps 3DES throughput
- 2,000 IPSec tunnels

PIX Firewall 535 Front Panel LEDs

[Figure labels: Power; ACT]

PIX Firewall 535 Board Install

[Figure labels: Bus 0 (64-bit/66 MHz); Bus 1 (64-bit/66 MHz); Bus 2 (32-bit/33 MHz); cards 1FE, 4FE, VAC, 1GE-66; DB-15 failover; Console RJ-45; USB port; Slot 8 through Slot 0]

PIX Firewall 535 Back Panel

[Figure labels: DB-15 failover; Slot 8 through Slot 0; Console RJ-45; USB port]

Firewall Services Module

FWSM

- Designed for high end enterprise and service providers
- Runs in Catalyst 6500 switches and 7600 Series routers
- Based on PIX Firewall technology
- PIX Firewall 6.0 feature set (some 6.2)
- 1 million simultaneous connections
- Over 100,000 connections per second
- 5 Gbps throughput
- 1 GB DRAM
- Supports 100 VLANs
- Supports failover

FWSM in the Catalyst 6500 Switch

[Figure labels: Supervisor engine; Redundant supervisor engine; Switching modules; Fan assembly; Power supply 1; Power supply 2; ESD ground strap connector; FWSM]

FWSM in the Cisco 7609 Internet Router

[Figure labels: OSMs; Redundant supervisor engine; FWSM; Fan assembly; Power supply 1; Power supply 2; Switch fabric module; Supervisor engine; Redundant switch fabric module; ESD ground strap connection; Slots 1-9 (right to left)]

PIX Firewall Licensing

License Types

- Unrestricted: Allows installation and use of the maximum number of interfaces and RAM supported by the platform.
- Restricted: Limits the number of interfaces supported and the amount of RAM available within the system.
- Failover: Places the PIX Firewall in a failover mode for use alongside another PIX Firewall with an Unrestricted license.

Adding VPN Capabilities

- DES Activation Key: Provides 56-bit DES.
- 3DES Activation Key: Provides 168-bit 3DES.

Summary

- There are currently five PIX Firewall models in the 500 series: 501, 506E, 515E, 525, and 535.
- The PIX Firewall models 501, 506E, 515E, 525, and 535 come equipped with Ethernet connections, console connections, and intuitive LEDs.
- PIX Firewall models 515E, 525, and 535 support failover.
- Your PIX Firewall license determines its level of service in your network and the number of interfaces it supports.

Summary (cont.)

- Restricted, Unrestricted, and Failover licenses are available for PIX Firewall models 515E, 525, and 535.
- Based on PIX Firewall technology, the Firewall Services Module for the Cisco Catalyst 6500 Switch and Cisco 7600 Series Internet Routers provides an alternative to the PIX Firewall appliance.
- FWSM supports PIX Firewall software version 6.0 feature set as well as some of the 6.2 feature set.
- FWSM delivers Gbps throughput and 1 million concurrent connections.