Cisco PIX Firewall and ASA Models
To implement a Cisco PIX or ASA in a given network, you need only purchase the PIX or ASA hardware and software from Cisco. Cisco PIXs come in all sizesfrom small office/home office (SOHO) models to large enterprise or service provider models. The trick is to know what size PIX or ASA is appropriate for your network. In general, you can classify the PIX or ASA products into three solutions:
The PIX 501 is the model designed for the SOHO market and comes with a built-in four-port switch. The PIX 501 is primarily intended for offices of fewer than 10 internal users (although it can be licensed for 10, 50, or unlimited users) and for use as the termination point for a single VPN connection, typically to a central office or a small number of remote clients. The next model up is the PIX 506E, which is designed for the small office/remote office market and comes with two Fast Ethernet ports. The PIX 506E is primarily intended for offices of fewer than 100 internal users and for use as the termination point of no more than 25 VPN connections (either remote users or remote office connections). Both the PIX 501 and 506E can only run PIX software in the 6.x code branch (latest version is 6.3(5) at the time of this writing).
Medium- to Large-Office Solution
The first model designed for medium-sized to large offices is the PIX 515E. This model comes in a 1U form factor with two built-in Fast Ethernet ports and two PCI expansion slots that can accommodate additional Fast Ethernet ports or an optional VPN acceleration card (VAC) (this is standard on unrestricted, failover [active/passive] and failover [active/active] models). The PIX 515E can be used simultaneously to terminate up to 2000 VPN tunnels (either terminating connections from remote locations or remote users). The PIX 515E can also be configured to support active/active and active/passive failover and redundancy for high-availability requirements. It is difficult to quantify users that a PIX 515E can support. Instead, the performance of the PIX 515E (and larger firewalls) is quantified in throughput and concurrent connections. The PIX 515E supports a cleartext throughput of 190 Mbps and 130,000 concurrent connections.
The medium- to large-office market is also the market segment that the Cisco ASA is initially targeted at. Both the ASA 5510 and the ASA 5510 Security Plus are effective solutions. The ASA 5510 Security Plus product is essentially a software upgrade that permits more users, network interfaces, and VLANs, and that introduces high availability to the ASA 5510. The ASA 5510 supports three Fast Ethernet ports (five with the Security Plus). The ASA 5510 supports a cleartext throughput of 300 Mbps and 50,000 concurrent connections; the ASA 5510 Security Plus increased the concurrent connections to 130,000 (throughput remains the same).
Enterprise Office and Service Provider Solution
The next two models of the PIX firewall are designed specifically for large enterprises and service providers: the PIX 525 and 535. The 525 is produced in a 2U form factor and can accommodate up to ten Fast Ethernet or two Fast Ethernet and three Gigabit Ethernet interfaces. The PIX 535 also comes in a 2U form factor and can accommodate 14 Fast Ethernet or 9 Gigabit Ethernet interfaces. Both models provide all manner of high-availability functionality such as zero-downtime upgrade and VPN stateful failover as well as all the features of previous PIX models. The PIX 525 supports a cleartext throughput of 330 Mbps and 280,000 concurrent connections. The PIX 535 supports a cleartext throughput of 1.7 Gbps and 500,000 concurrent connections.
For the ASA, the ASA 5520 and 5540 were designed with the enterprise and service provider market in mind. Both build upon the basic features of the ASA 5510 and support 4 10/100/1000 and 1 10/100 interfaces. The ASA 5520 and 5540 also support a greater number of VLANs and the use of security contexts (if licensed). The ASA 5520 supports a cleartext throughput of 450 Mbps and 280,000 concurrent connections; the ASA 5540 supports a cleartext throughput of 650 Mbps and 400,000 concurrent connections.
Because of the fundamental similarities between the PIX and ASA in the context of firewall functionality, the remainder of this chapter uses the term PIX to refer to both PIX and ASA functionality and features for simplicities sake. In cases where there is something unique about the ASA, it will be called out individually.