Cisco PIX Firewall and ASA Models

Cisco PIX Firewall and ASA Models To implement a Cisco PIX or ASA in a given network, you need only purchase the PIX or ASA hardware and software from Cisco
Nội dung trích xuất từ tài liệu:
Cisco PIX Firewall and ASA ModelsCisco PIX Firewall and ASA ModelsTo implement a Cisco PIX or ASA in a given network, you need only purchase the PIXor ASA hardware and software from Cisco. Cisco PIXs come in all sizesfrom smalloffice/home office (SOHO) models to large enterprise or service provider models. Thetrick is to know what size PIX or ASA is appropriate for your network. In general, youcan classify the PIX or ASA products into three solutions: • SOHO solution • Medium- to large-office solution • Enterprise office and service provider solutionSOHO SolutionThe PIX 501 is the model designed for the SOHO market and comes with a built-in four-port switch. The PIX 501 is primarily intended for offices of fewer than 10 internal users(although it can be licensed for 10, 50, or unlimited users) and for use as the terminationpoint for a single VPN connection, typically to a central office or a small number ofremote clients. The next model up is the PIX 506E, which is designed for the smalloffice/remote office market and comes with two Fast Ethernet ports. The PIX 506E isprimarily intended for offices of fewer than 100 internal users and for use as thetermination point of no more than 25 VPN connections (either remote users or remoteoffice connections). Both the PIX 501 and 506E can only run PIX software in the 6.xcode branch (latest version is 6.3(5) at the time of this writing).Medium- to Large-Office SolutionThe first model designed for medium-sized to large offices is the PIX 515E. This modelcomes in a 1U form factor with two built-in Fast Ethernet ports and two PCI expansionslots that can accommodate additional Fast Ethernet ports or an optional VPNacceleration card (VAC) (this is standard on unrestricted, failover [active/passive] andfailover [active/active] models). The PIX 515E can be used simultaneously to terminateup to 2000 VPN tunnels (either terminating connections from remote locations or remoteusers). The PIX 515E can also be configured to support active/active and active/passivefailover and redundancy for high-availability requirements. It is difficult to quantify usersthat a PIX 515E can support. Instead, the performance of the PIX 515E (and largerfirewalls) is quantified in throughput and concurrent connections. The PIX 515E supportsa cleartext throughput of 190 Mbps and 130,000 concurrent connections.The medium- to large-office market is also the market segment that the Cisco ASA isinitially targeted at. Both the ASA 5510 and the ASA 5510 Security Plus are effectivesolutions. The ASA 5510 Security Plus product is essentially a software upgrade thatpermits more users, network interfaces, and VLANs, and that introduces high availabilityto the ASA 5510. The ASA 5510 supports three Fast Ethernet ports (five with theSecurity Plus). The ASA 5510 supports a cleartext throughput of 300 Mbps and 50,000concurrent connections; the ASA 5510 Security Plus increased the concurrentconnections to 130,000 (throughput remains the same).Enterprise Office and Service Provider SolutionThe next two models of the PIX firewall are designed specifically for large enterprisesand service providers: the PIX 525 and 535. The 525 is produced in a 2U form factor andcan accommodate up to ten Fast Ethernet or two Fast Ethernet and three Gigabit Ethernetinterfaces. The PIX 535 also comes in a 2U form factor and can accommodate 14 FastEthernet or 9 Gigabit Ethernet interfaces. Both models provide all manner of high-availability functionality such as zero-downtime upgrade and VPN stateful failover aswell as all the features of previous PIX models. The PIX 525 supports a cleartextthroughput of 330 Mbps and 280,000 concurrent connections. The PIX 535 supports acleartext throughput of 1.7 Gbps and 500,000 concurrent connections.For the ASA, the ASA 5520 and 5540 were designed with the enterprise and serviceprovider market in mind. Both build upon the basic features of the ASA 5510 and support4 10/100/1000 and 1 10/100 interfaces. The ASA 5520 and 5540 also support a greaternumber of VLANs and the use of security contexts (if licensed). The ASA 5520 supportsa cleartext throughput of 450 Mbps and 280,000 concurrent connections; the ASA 5540supports a cleartext throughput of 650 Mbps and 400,000 concurrent connections.NoteBecause of the fundamental similarities between the PIX and ASA in the context offirewall functionality, the remainder of this chapter uses the term PIX to refer to both PIXand ASA functionality and features for simplicities sake. In cases where there issomething unique about the ASA, it will be called out individually.