Cisco PIX Firewall and ASA Models
To implement a Cisco PIX or ASA in a given network, you need only purchase the PIX
or ASA hardware and software from Cisco. Cisco PIXs come in all sizes, from small
office/home office (SOHO) models to large enterprise or service provider models. The
trick is to know what size PIX or ASA is appropriate for your network. In general, you
can classify the PIX or ASA products into three solutions:
• SOHO solution
• Medium- to large-office solution
• Enterprise office and service provider solution
SOHO Solution
The PIX 501 is the model designed for the SOHO market and comes with a built-in four-
port switch. The PIX 501 is primarily intended for offices of fewer than 10 internal users
(although it can be licensed for 10, 50, or unlimited users) and for use as the termination
point for a single VPN connection, typically to a central office or a small number of
remote clients. The next model up is the PIX 506E, which is designed for the small
office/remote office market and comes with two Fast Ethernet ports. The PIX 506E is
primarily intended for offices of fewer than 100 internal users and for use as the
termination point of no more than 25 VPN connections (either remote users or remote
office connections). Both the PIX 501 and 506E can only run PIX software in the 6.x
code branch (latest version is 6.3(5) at the time of this writing).
Medium- to Large-Office Solution
The first model designed for medium-sized to large offices is the PIX 515E. This model
comes in a 1U form factor with two built-in Fast Ethernet ports and two PCI expansion
slots that can accommodate additional Fast Ethernet ports or an optional VPN
acceleration card (VAC) (this is standard on unrestricted, failover [active/passive] and
failover [active/active] models). The PIX 515E can be used simultaneously to terminate
up to 2000 VPN tunnels (either terminating connections from remote locations or remote
users). The PIX 515E can also be configured to support active/active and active/passive
failover and redundancy for high-availability requirements. It is difficult to quantify the
number of users that a PIX 515E can support. Instead, the performance of the PIX 515E (and larger
firewalls) is quantified in throughput and concurrent connections. The PIX 515E supports
a cleartext throughput of 190 Mbps and 130,000 concurrent connections.
The medium- to large-office market is also the market segment that the Cisco ASA is
initially targeted at. Both the ASA 5510 and the ASA 5510 Security Plus are effective
solutions. The ASA 5510 Security Plus product is essentially a software upgrade that
permits more users, network interfaces, and VLANs, and that introduces high availability
to the ASA 5510. The ASA 5510 supports three Fast Ethernet ports (five with the
Security Plus). The ASA 5510 supports a cleartext throughput of 300 Mbps and 50,000
concurrent connections; the ASA 5510 Security Plus increases the concurrent
connections to 130,000 (throughput remains the same).
Enterprise Office and Service Provider Solution
The next two models of the PIX firewall are designed specifically for large enterprises
and service providers: the PIX 525 and 535. The 525 is produced in a 2U form factor and
can accommodate up to ten Fast Ethernet or two Fast Ethernet and three Gigabit Ethernet
interfaces. The PIX 535 also comes in a 2U form factor and can accommodate 14 Fast
Ethernet or 9 Gigabit Ethernet interfaces. Both models provide all manner of high-
availability functionality such as zero-downtime upgrade and VPN stateful failover as
well as all the features of previous PIX models. The PIX 525 supports a cleartext
throughput of 330 Mbps and 280,000 concurrent connections. The PIX 535 supports a
cleartext throughput of 1.7 Gbps and 500,000 concurrent connections.
For the ASA, the ASA 5520 and 5540 were designed with the enterprise and service
provider market in mind. Both build upon the basic features of the ASA 5510 and support
four 10/100/1000 and one 10/100 interfaces. The ASA 5520 and 5540 also support a greater
number of VLANs and the use of security contexts (if licensed). The ASA 5520 supports
a cleartext throughput of 450 Mbps and 280,000 concurrent connections; the ASA 5540
supports a cleartext throughput of 650 Mbps and 400,000 concurrent connections.
Note
Because of the fundamental similarities between the PIX and ASA in the context of
firewall functionality, the remainder of this chapter uses the term PIX to refer to both PIX
and ASA functionality and features for simplicity's sake. In cases where there is
something unique about the ASA, it will be called out individually.



