Cisco PIX
Cisco PIX (Private Internet EXchange) is a firewall originally designed by Brantley Coile and John Mayes of Network Translation, Inc. Their company was acquired in 1995 by Cisco Systems, Inc., which now sells the PIX technology and continues its development. The PIX runs a custom-written proprietary operating system originally called Finesse (Fast InterNEt Server Executive), now known simply as PIX OS. It is classified as a network-layer firewall with stateful inspection. By design it allows connections from the internal network out (outbound traffic) and allows inbound traffic only when it is a response to a valid request or is permitted by an ACL (access control list) or a conduit. The PIX can be configured to perform many functions, including NAT (network address translation) and PAT (port address translation).
The PIX is constructed using Intel-based/Intel-compatible motherboards and Intel network chipsets. The PIX Classic, 10000, 510, 520, and 535 boot from a proprietary ISA flash memory daughtercard, while the PIX 501, 506/506e, 515/515e, 525, and WS-SVC-FWM-1-K9 boot from integrated flash memory. Because the PIX's components are standard, it is technically feasible to construct (but legally questionable to sell) a "frankenpix" from older computer parts that use the Intel chipset, such as motherboards and network cards. The only nonstandard part involved is the ISA flash card from which the machine boots. Such cards may be had from people upgrading their PIX to a newer OS, as the newer PIX OS images won't fit on the 512 KB or 2 MB flash cards found in the PIX Classic, PIX 10000, PIX 510, and PIX 520; except for the 501 and 506, which have 8 MB of flash, one must have at least 16 MB of flash to run versions 5.2 on up.
The PIX technology is also sold in a blade, the WS-SVC-FWM-1-K9, for the Cisco Catalyst 6500 switch series and the 7600 Router series.
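The default policy described in the introduction (outbound allowed, inbound only as a reply to a tracked connection or when an ACL/conduit permits it) can be sketched as a small model. This is an added example, not Cisco code: it ignores NAT/PAT and TCP state tracking, and the class names, the 60-second idle timeout and the documentation-range addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True when the packet arrives on the outside interface

@dataclass
class StatefulFilter:
    inbound_acl: set = field(default_factory=set)  # (proto, dst, dport) permits
    idle_timeout: float = 60.0                     # assumed value, in seconds
    conns: dict = field(default_factory=dict)      # flow tuple -> last-seen time

    def check(self, p: Packet, now: float) -> str:
        if not p.inbound:
            # Outbound is permitted by default and creates a state entry.
            self.conns[(p.proto, p.src, p.sport, p.dst, p.dport)] = now
            return "permit-outbound"
        # Inbound must mirror a live outbound flow (addresses and ports swapped).
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        last = self.conns.get(key)
        if last is not None:
            if now - last <= self.idle_timeout:
                self.conns[key] = now
                return "permit-reply"
            del self.conns[key]  # expired entry no longer admits replies
        # Otherwise only an explicit inbound rule lets the packet through.
        if (p.proto, p.dst, p.dport) in self.inbound_acl:
            return "permit-acl"
        return "deny"

def demo():
    # Constructed sample traffic: one published web server, one inside client.
    fw = StatefulFilter(inbound_acl={("tcp", "192.0.2.10", 80)})
    out = Packet("tcp", "10.0.0.5", 40000, "198.51.100.7", 443, inbound=False)
    reply = Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 40000, inbound=True)
    probe = Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 40001, inbound=True)
    web = Packet("tcp", "203.0.113.9", 51000, "192.0.2.10", 80, inbound=True)
    return [fw.check(reply, 0.0), fw.check(out, 1.0), fw.check(reply, 2.0),
            fw.check(probe, 3.0), fw.check(web, 4.0), fw.check(reply, 100.0)]

if __name__ == "__main__":
    print(demo())
```

The first and last results are denials for the same reply packet: once before any outbound state exists, and once after the state entry has idled out.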
History and hardware/software specifications
| Model | PIX Classic | PIX 10000 | PIX 501 | PIX 506 | PIX 506e | PIX 510 | PIX 515 | PIX 515e | PIX 520 | PIX 525 | PIX 535 | WS-SVC-FWM-1-K9 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Introduced | 1994 | ? | 2001 | 2000 | 2002 | 1997 | 1999 | 2002 | 1999 | 2000 | 2000 | 2003 |
| Discontinued | 1998 | 1998 | n/a | 2002 | n/a | 1999 | 2002 | n/a | 2001 | n/a | n/a | n/a |
| CPU type | Intel Pentium | Intel Pentium | AMD SC520 [note 10] | Intel Pentium MMX [note 10] | Intel Celeron (Mendocino) [note 10] | Intel Pentium | Intel Pentium MMX [note 10] | Intel Celeron (Mendocino SL3BA) | Intel Pentium II (Deschutes SL2U3) | Intel Pentium III (Coppermine) | Intel Pentium III (Coppermine) | ? |
| CPU speed | ? | ? | 133 MHz | 200 MHz | 300 MHz | 150 MHz | 200 MHz | 433 MHz | 233/266/300 MHz [note 9] | 600 MHz | 1 GHz | ? |
| Default RAM | 8 MB | 16 MB | 16 MB [note 10] | 32 MB | 32 MB | 16 MB | 64 (32) MB [note 2] | 64 MB | 128 MB | 256 (128) MB [note 2] | 1 GB (512 MB) [note 2] | 1 GB |
| Default flash | 512 KB/2 MB [note 7] | 2 MB | 8 MB [note 10] | 8 MB [note 10] | 8 MB [note 10] | 2 MB | 16 MB [note 10] | 16 MB [note 10] | 2 MB/16 MB [note 5] | 16 MB [note 10] | 16 MB | 128 MB |
| Boot flash device | Daughtercard | Daughtercard | Onboard | Onboard | Onboard | Daughtercard | Onboard | Onboard | Daughtercard | Onboard | Daughtercard | Onboard |
| Minimum PIX OS version | ? | ? | 6.1(1) | 4.4(x) | 5.1(x) | 4.4(x) | 5.1(x) | 5.1(x) | 4.4(x) | 5.2(x) | 5.3(x) | ? |
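| Maximum PIX OS version | 6.0(0) [note 12] | 6.0(0) [note 12] | 6.3(x) [note 11] | 6.3(x) | 6.3(x) [note 11] | 6.0(0) [note 12] | ? | 6.0(0) [note 12] | 6.3(x) [note 12] | ? | ? | ? |
| Max interfaces | ? | ? | 2 [note 1] | 2 | 2 | ? | 6 (3) [note 2] | 6 (3) [note 2] | 8 (6) [note 2] | 8 (6) [note 2] | 10 (8) [note 2] | ? |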
| Fixed internal interface | No | No | 10/100baseT | 10baseT | 10/100baseT | No | 10/100baseT | 10/100baseT | No | 10/100baseT | No | No |
| Fixed external interface | No | No | 10baseT | 10baseT | 10/100baseT | No | 10/100baseT | 10/100baseT | No | 10/100baseT | No | No |
| Expansion cards supported | 1 port FE, 1 port Token Ring, 1 port FDDI | 1 port FE, 1 port Token Ring, 1 port FDDI | No | No | No | 1 port FE, 1 port Token Ring, 1 port FDDI | 1 port FE, 4 port FE, 1 port 1000baseSX [note 3] | 1 port FE, 4 port FE, 1 port 1000baseSX [note 3] | 1 port FE, 4 port FE, 1 port 1000baseSX | 1 port FE, 4 port FE, 1 port 1000baseSX | 1 port FE, 4 port FE, 1 port 1000baseSX | Yes [note 6] |
| VPN accelerator supported | Yes | Yes | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | No [note 8] |
| Floppy drive | Yes | Yes | No | No | No | Yes | No | No | Yes | No | No | No |
| Failover supported | Yes | Yes | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Performance specifications
| Model | PIX Classic | PIX 10000 | PIX 501 | PIX 506 | PIX 506e | PIX 510 | PIX 515 | PIX 515e | PIX 520 | PIX 525 | PIX 535 | WS-SVC-FWM-1-K9 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Cleartext throughput | ? | 90 Mbit/s | 60 Mbit/s | 20 Mbit/s | 100 Mbit/s | ? | 147 Mbit/s | 188 Mbit/s | 240 Mbit/s | 360 Mbit/s | 1.7 Gbit/s | 5.5 Gbit/s |
| 3DES throughput | ? | ? | 3 Mbit/s | 10 Mbit/s | 16 Mbit/s | ? | 10 Mbit/s | 140 (10) Mbit/s [note 4] | 20 Mbit/s [note 4] | 155 (70) Mbit/s [note 4] | 440 (96) Mbit/s [note 4] | n/a |
| AES-256 throughput | ? | ? | 4.5 Mbit/s (AES-128) | ? | 30 Mbit/s (AES-128) | ? | ? | 140 Mbit/s | ? | 170 Mbit/s | 440 Mbit/s | n/a |
| Max simultaneous connections | ? | 16,000 | 3,500 | 10,000 | 10,000 | ? | 128,000 (64,000) [note 2] | 128,000 (64,000) [note 2] | 256,000 | 280,000 | 500,000 | 999,900 total/100,000 per second |
| Max simultaneous hosts | ? | ? | 50 (10) [note 2] | ? | ? | ? | ? | ? | ? | ? | ? | 256,000 |
| Max number of ACLs | ? | ? | ? | ? | ? | ? | ? | ? | ? | ? | ? | 80,000 |
| Max simultaneous VPN peers | ? | ? | 5 | 25 | 25 | ? | ? | ? | ? | ? | ? | n/a |
Footnotes
- Note 1: The internal port is broken into an unmanaged 4 port switch.
- Note 2: Unrestricted package and Restricted package limits.
- Note 3: According to Cisco, the 1000baseSX card is not officially supported by the 515/515e, but it will work.
- Note 4: Speed with VPN accelerator card installed vs speed without VPN accelerator card installed.
- Note 5: Older 520s made before February 2000 and with a serial number less than 18025677 shipped with a 2 MB flash card. Newer 520s shipped with a 16 MB flash card.
- Note 6: The WS-SVC-FWM-1-K9 blade has no fixed ports or internal expansion; it makes use of either VLAN interfaces (being used by physical interfaces on a remote switch) or the physical interfaces on the switch/router it is installed in.
- Note 7: PIX Classic firewalls with a serial number of 06002015 or lower came with 512 KB flash. Newer models came with 2 MB flash.
- Note 8: The WS-SVC-FWM-1-K9 blade only supports IPSec VPN for management. It doesn't have the ability to terminate a VPN connection for remote users.
- Note 9: The Asus-manufactured ATX motherboard in the 520 supports any Slot 1 processor from the Celeron Covington, Celeron Mendocino, Pentium II Klamath, Pentium II Deschutes, and the Pentium III Katmai families.
- Note 10: Cannot be removed or upgraded.
- Note 11: In early 2005, Cisco indicated that PIX OS 7.x would only support the 515, 515e, 525, and 535, while a "stripped-down" version would eventually be released for the 501 and 506e.
- Note 12: Running the highest possible PIX OS version requires the use of the PIX-FLASH-16MB flash card, as the 5.2 through 6.3 train won't fit on a 512 KB or 2 MB flash card.
List of PCI and ISA expansion cards for the PIX
- PIX-FLASH-16MB= - 16 MB ISA flash card for the PIX 510, 520, and 535.
- PIX-1GE-66 - 64 bit/66 MHz 1000baseSX card for PIX 53x. Based on the Intel Pro/1000-F fiber network card with the 82543GC chipset.
- PIX-1GE - 32 bit/33 MHz 1000baseSX card for PIX 52x. Based on the Intel Pro/1000 fiber network card with the 82542 chipset.
- PIX-4FE-66 - 64 bit/66 MHz Four port 10/100 Fast Ethernet card. Based on the Intel 82557, 82558 and 82559 chipsets.
- PIX-4FE - 32 bit/33 MHz Four port 10/100 Fast Ethernet card. Based on the Intel 82557, 82558 and 82559 chipsets.
- PIX-1FE - 32 bit/33 MHz One port 10/100 Fast Ethernet card. Based on the Intel Pro/100+ family with the 82557, 82558 and 82559 chipsets.
- PIX-VPN-ACCEL - 32 bit/33 MHz IPSec Hardware VPN Accelerator Card.
- PIX-VAC-PLUS - 64 bit/66 MHz IPSec Hardware VPN Accelerator Card. Supported only on 515e, 525, and 535 running PIX OS 6.3(1) or higher.
- PIX-PL2 - 32 bit/33 MHz PIX Private Line proprietary DES encryption card (discontinued and unsupported from PIX OS 6.0(1) on).
- PIX-1TR - 32 bit/33 MHz 4/16 Mbit/s Token Ring card (discontinued and unsupported from PIX OS 6.0(1) on).
- PIX-FDDI - 32 bit/33 MHz FDDI card (discontinued and unsupported from PIX OS 6.0(1) on).
See also
- Cisco's website for the PIX
- A short history of the PIX
- Version 7.0 of Cisco's hardware install instructions for various PIX models
- Cisco's website for the WS-SVC-FWM-1-K9
- Cisco site detailing what PIX features are/aren't supported by the WS-SVC-FWM-1-K9
