Thanks for posting that. You give more useful information than Cisco's
website. Some interesting limits on the DHCP stuff.
A coworker was looking to size up small firewall/vpn devices for a
small company that would need a mix of 10-20 offices and up to 50
workers. Someone recommended the PIX 501 because it was "easier to
manage than other firewall/vpn products" (specifically Checkpoints),
and "cheaper". I kinda scratched my head on that one cause I didn't
think the first was true at all and I wonder about the second.
I found Checkpoints easier to manage by a long shot. And if you buy a
Checkpoint appliance and avoid building a server-based firewall it
eliminates the worst part of the setup.
roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote:
>In article <Jkrjf.110600$Es4.32936@fe2.news.blueyonder.co.uk>,
>Gary <me@me.com> wrote:
>>Could anyone tell me whether the Cisco PIX 501 and 515 firewalls use the
>>same ADSM software?
>
>The Cisco PIX 501 does not use ADSM at all.
>The Cisco PIX 515 uses ADSM only in software version 7.0 and later.
>
>>Are there any major feature differences between the two except for
>>throughput and number of simultaneous users.
>
>Software version 7.0 (which is quite different than 6.x) is supported
>on the 515 but not on the 501.
>
>>We have a 515 at work and I was wondering whether I could use a 501 at home
>>to become familiar with the equipment.
>
>The detailed differences for the 6.x software stream are as
>follows. This is an extract of a table I created and published in the
>past in the main Cisco newsgroup, comp.dcom.sys.cisco
> Cisco PIX Model Comparisons
>
>501:
>- 133 MHz AMD SC520 processor; bus is one 32-bit 33 MHz PCI
>- 16 Mb of SDRAM; 8 Mb of flash
>- no Turbo ACL
>- 'configure factory-default' *is* available
>- dhcp pool of 32 addresses for 10 user licenses
>- dhcp pool of 128 addresses for 50 user licenses
>- dhcp pool of 253 addresses for unlimited user licenses
> [according to 'configure factory-default ip-address netmask']
>- dhcp pool of 256 addresses for unlimited user licences
> (requires netmask larger than /24)
> [according to 'dhcpd address']
>- no manual configuration of SAs
>- failover NOT supported; 'write standby' NOT supported
>- no OSPF support
>- number of 'local hosts' limited by purchased license
>- no 'sysopt ipsec pl-compatible' -- no support for Private Link
>- Easy VPN Remote supported
>- "early versions" restricted to 256 Kb configuration file
> (not clear whether this is early hardware or early 6.x software)
> [according to 6.3 release notes]
>- no support for VAC (VPN Accelerator Card)
>- no support for VAC+ (VPN Accelerator Card+)
>- 2 physical interfaces supported in all licenses. NO possibility
> of expansion.
>- inside interface always shows up as 100000 Kbit full duplex in
> 'show interface' (6.3(1))
> [according to PIX Command Reference]
>- inside interface is a 4 port switch, with no way to address or
> configure or show information for the individual switch ports.
>- no support for 802.1Q VLANs (logical interfaces)
>- 60 Mbps cleartext, 7500 concurrent connections, 6 Mbps DES,
> 3 MBps 3DES, 4.5 Mbps AES-128
>- 10 VPN peers (6.3(1))
>
>
>515/515E:
>- 515 has 200 MHz Intel Pentium CPU
>- 515E has 433 MHz Intel Celeron processor; bus is one 32-bit 33 MHz PCI
>- 515E has 32 or 64 Mb SDRAM; 16 Mb flash
>- Turbo ACL support
>- 'configure factory-default' NOT available
>- dhcp pool of 256 addresses per interface
> (requires netmask larger than /24)
> [according to 'dhcpd address']
>- manual configuration of SAs allowed
>- failover okay with Unrestricted license; 'write standby' supported
> (note: 515E cannot be used with 515, both must be the same)
>- OSPF support available
>- Private Link supported via 'sysopt ipsec pl-compatible'
>- Easy VPN Remote NOT supported
>- 515: no support for VAC (or possibly just never sold with VAC)
>- 515E: support for VAC. VAC included in Unrestricted and Failover models.
>- support for VAC (VPN Accelerator Card)
>- support for VAC+ (VPN Accelerator Card+)
>- Restricted license: 3 physical interfaces, 3 802.1Q VLAN, 5 total
> Unrestricted: 6 physical interfaces, 6 802.1Q VLAN, 10 total
> [according to Configuration Guide and later version of PIX Command Reference]
>- 4 to 8 802.1Q VLANs (logical interfaces) supported depending on license
> [according to earlier version of PIX Command Reference]
>- 2000 VPN peers
>- 515: up to 68000 simultaneous connections (4.4(1) - 6.0 timeframe)
> [125000 simultaneous connections according to Cisco's Noble Institute
> case study; this might have been Unrestricted]
>- 515: maximum 10 Mbps VPN throughput
> [according to 506E/515E Q&A; 6.1(2) timeframe, might have improved later]
>- 515E: 188 Mbps cleartext, 130000 concurrent connections,
> 63 Mbps 3DES (VAC) / 140 Mbps 3DES (VAC+), 135 Mbps AES-128 (VAC+),
> 140 Mbps AES-256 (VAC+)
>- 515E: Maximum 22 Mbps VPN throughput (without VAC), 63 Mbps VPN (VAC)
> [according to 506E/515E Q&A; 6.1(2) timeframe, might have improved later]
Received on Sun Dec 11 14:24:12 2005