Pre-purchase Question about PIX 515E

Discussion in 'Cisco' started by dave@cityexplorer.com, Jul 19, 2006.

  1. Guest

    Our company is currently looking for a VPN/Firewall device and I'm
    looking at the PIX 515E.

    Our requirements are:

    The device acts as

    - Company firewall, with 1X internal network and 1X DMZ zone
    - Provide at least 5 concurrent sessions of VPN Clients (MS XP based)
    - Provide 2 sites to sites VPN connection, our office and 2 remote
    sites, low traffic

    In our DMZ zone, we have 3+ web servers (10 out of 50 are SSL sites),
    DNS/FTP/Mail/SQL servers etc..

    We also had 2 public subnets which go through the same ISP routers.

    Would the 515E Restricted Bundle fit our needs? Well, tight on budget
    also..

    Any comments /suggestions are welcomed.

    Dave
     
    , Jul 19, 2006
    #1

  2. Guest

    Yes. Don't buy one. Get the ASA 5500. A 5510 would be comparable.
     
    , Jul 19, 2006
    #2

  3. Cityexplorer Guest

    wrote:
    > Yes. Don't buy one. Get the ASA 5500. A 5510 would be comparable.



    too bad that it's out of our budget..

    Yes means it will fit our needs?

    Dave
     
    Cityexplorer, Jul 19, 2006
    #3
  4. In article <>,
    <> wrote:
    >Our company is currently looking for a VPN/Firewall device and I'm
    >looking at the PIX 515E.


    >Our requirements are:


    >The device acts as


    >- Company firewall, with 1X internal network and 1X DMZ zone


    No problem for the 515E

    >- Provide at least 5 concurrent sessions of VPN Clients (MS XP based)


    Would those sessions terminate at the PIX (i.e., PIX is the VPN
    server), or are those "pass-through" sessions, clients passing through
    the PIX but terminating on an inside server (incoming requests) or
    outside server (outgoing requests) ?

    The 515E can easily terminate 5 software clients, but if you start
    getting into pass-through then unless you can use some kind of
    encapsulation (e.g., NAT Traversal for IPSec) then you encounter
    difficulties. Both IPSec and PPTP use protocols that you cannot
    normally do Port Address Translation (PAT) on... because the protocols
    have no ports. If you are trying to do pass-through and you have
    at least 5 public IPs, you should be able to do the 5 concurrent
    sessions (but you might need to do Policy NAT.)

    >- Provide 2 sites to sites VPN connection, our office and 2 remote
    >sites, low traffic


    No problem for the 515E.


    >In our DMZ zone, we have 3+ web servers (10 out of 50 are SSL sites),
    >DNS/FTP/Mail/SQL servers etc..


    I do not recall at the moment how Network Address Translation (NAT)
    interacts with SSL.


    >We also had 2 public subnets which go through the same ISP routers.


    No problem with the 515E.


    >Would the 515E Restricted Bundle fit our needs? Well, tight on budget
    >also..


    If your inside switch supports tagged 802.1Q VLANs, then
    the needs you identified can all be handled by a PIX 506E running
    6.3(3) or later. You didn't talk much about performance requirements
    though.
     
    Walter Roberson, Jul 19, 2006
    #4
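    The pass-through problem Walter describes above, as an added toy model (not code from the thread or from Cisco): PAT keys a flow on protocol, address and port, so a protocol with no port field (ESP for IPSec, GRE for PPTP) leaves it nothing to rewrite, while NAT Traversal wraps ESP in UDP/4500 and translates normally. The addresses and the two inside clients are constructed sample values.

    ```python
    """Toy PAT device: shows why two inside IPSec clients cannot share one public
    IP with raw ESP, but can once ESP is encapsulated in UDP (NAT-T)."""
    from dataclasses import dataclass, field
    from typing import Optional

    TCP, UDP, GRE, ESP = 6, 17, 47, 50          # IP protocol numbers
    NAT_T_PORT = 4500                            # UDP port used by IPSec NAT Traversal


    @dataclass(frozen=True)
    class Packet:
        proto: int
        src: str
        dst: str
        sport: Optional[int] = None              # None: the protocol carries no port field
        dport: Optional[int] = None


    @dataclass
    class PatDevice:
        """All inside hosts hide behind one public IP (constructed example)."""
        public_ip: str
        next_port: int = 1024
        xlate: dict = field(default_factory=dict)   # outside key -> (inside_ip, inside_port)

        def outbound(self, pkt: Packet) -> Optional[Packet]:
            """Translate inside->outside; None when PAT cannot tell the flow apart."""
            if pkt.sport is not None:                           # TCP/UDP: a port to rewrite
                for key, inside in self.xlate.items():
                    if key[:2] == (pkt.proto, pkt.dst) and inside == (pkt.src, pkt.sport):
                        return Packet(pkt.proto, self.public_ip, pkt.dst, key[2], pkt.dport)
                port, self.next_port = self.next_port, self.next_port + 1
                self.xlate[(pkt.proto, pkt.dst, port)] = (pkt.src, pkt.sport)
                return Packet(pkt.proto, self.public_ip, pkt.dst, port, pkt.dport)
            # Port-less protocol: the only key left is (proto, peer), so one inside host per peer.
            owner = self.xlate.setdefault((pkt.proto, pkt.dst, None), (pkt.src, None))
            if owner[0] != pkt.src:
                return None                                     # second client collides: dropped
            return Packet(pkt.proto, self.public_ip, pkt.dst)

        def inbound(self, pkt: Packet) -> Optional[Packet]:
            """Map an outside->inside reply back to the inside host that owns the flow."""
            inside = self.xlate.get((pkt.proto, pkt.src, pkt.dport))
            if inside is None:
                return None
            return Packet(pkt.proto, pkt.src, inside[0], pkt.sport, inside[1])


    def pass_through_demo():
        """Two XP clients behind one public IP both dialling the same outside VPN gateway."""
        pat, peer = PatDevice("203.0.113.10"), "198.51.100.1"
        clients = ("10.0.0.5", "10.0.0.6")
        raw_esp = [pat.outbound(Packet(ESP, c, peer)) for c in clients]             # second -> None
        nat_t = [pat.outbound(Packet(UDP, c, peer, NAT_T_PORT, NAT_T_PORT)) for c in clients]
        return raw_esp, nat_t
    ```

    The same collision applies to GRE for PPTP; the thread's alternative, one public IP per client with Policy NAT, avoids it because each client then gets its own (proto, address) key.
    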
  5. Evolution Guest

    YES a 515E would be more than enough. I am using a 515E unrestricted
    for an enterprise grade company. Its performance is excellent. We
    currently have 10 site to site VPNS, 5 different networks, running
    through it. We use a VPN concentrator for VPN dial-up, but the PIX 515E
    can handle PPTP or Cisco VPN just fine.

    -RWS


    Walter Roberson wrote:
    > In article <>,
    > <> wrote:
    > >Our company is currently looking for a VPN/Firewall device and I'm
    > >looking at PIX 515E.

    >
    > >Our requirements are:

    >
    > >The device acts as

    >
    > >- Company firewall, with 1X internal network and 1X DMZ zone

    >
    > No problem for the 515E
    >
    > >- Provide at least 5 concurrent sessions of VPN Clients (MS XP based)

    >
    > Would those sessions terminate at the PIX (i.e., PIX is the VPN
    > server), or are those "pass-through" sessions, clients passing through
    > the PIX but terminating on an inside server (incoming requests) or
    > outside server (outgoing requests) ?
    >
    > The 515E can easily terminate 5 software clients, but if you start
    > getting into pass-through then unless you can use some kind of
    > encapsulation (e.g., NAT Traversal for IPSec) then you encounter
    > difficulties. Both IPSec and PPTP use protocols that you cannot
    > normally do Port Address Translation (PAT) on... because the protocols
    > have no ports. If you are trying to do pass-through and you have
    > at least 5 public IPs, you should be able to do the 5 concurrent
    > sessions (but you might need to do Policy NAT.)
    >
    > >- Provide 2 sites to sites VPN connection, our office and 2 remote
    > >sites, low traffic

    >
    > No problem for the 515E.
    >
    >
    > >In our DMZ zone, we have 3+ web servers (10 out of 50 are SSL sites),
    > >DNS/FTP/Mail/SQL servers etc..

    >
    > I do not recall at the moment how Network Address Translation (NAT)
    > interacts with SSL.
    >
    >
    > >We also had 2 public subnets which go through the same ISP routers.

    >
    > No problem with the 515E.
    >
    >
    > >Would the 515E Restricted Bundle fit our needs? Well, tight on budget
    > >also..

    >
    > If your inside switch supports tagged 802.1Q VLANs, then
    > the needs you identified can all be handled by a PIX 506E running
    > 6.3(3) or later. You didn't talk much about performance requirements
    > though.
     
    Evolution, Jul 19, 2006
    #5
  6. Peter Simons Guest

    X-No-Archive: yes

    Cityexplorer wrote:
    > wrote:
    >
    >>Yes. Don't buy one. Get the ASA 5500. A 5510 would be comparable.

    >
    >
    >
    > too bad that it's out of our budget..
    >
    > Yes means it will fit our needs?
    >
    > Dave
    >

    You're sure?
    http://www.s2s.ltd.uk/product/cisco/cisco_security_and_vpn/cisco_pix_500_series/cisco_sme_firewalls/
    PIX-515E-R-DMZ-BUN Cisco PIX 515E Chassis including Restricted software
    and 3 Fast Ethernet Ports. £ 1,420.00

    http://www.s2s.ltd.uk/product/cisco...a_5500_series/cisco_asa_5500_series_solution/

    ASA5510-BUN-K9 ASA 5510 Appliance w/ SW, 50 VPN Peers, 3 FE, 3DES/AES £
    £1310.00



    I know they're UK prices, but for similar products they are a similar price.
    If there are no legacy reasons to go PIX I would go ASA.

    (And I recently bought one too.)
     
    Peter Simons, Jul 19, 2006
    #6
  7. Peter Simons Guest

    X-No-Archive: yes

    Walter Roberson wrote:

    >
    >
    > No problem for the 515E.
    >
    >
    >
    >>In our DMZ zone, we have 3+ web servers (10 out of 50 are SSL sites),
    >>DNS/FTP/Mail/SQL servers etc..

    >
    >
    > I do not recall at the moment how Network Address Translation (NAT)
    > interacts with SSL.
    >
    >
    >
    >>We also had 2 public subnets which go through the same ISP routers.

    >
    >
    > No problem with the 515E.
    >
    >
    >
    >>Would the 515E Restricted Bundle fit our needs? Well, tight on budget
    >>also..

    >
    >
    > If your inside switch supports tagged 802.1Q VLANs, then
    > the needs you identified can all be handled by a PIX 506E running
    > 6.3(3) or later. You didn't talk much about performance requirements
    > though.
    >

    Some people prefer the DMZ to be on its own interface rather than a shared one.

    Peter
     
    Peter Simons, Jul 19, 2006
    #7
  8. J Guest

    Cityexplorer wrote:
    > wrote:
    > > Yes. Don't buy one. Get the ASA 5500. A 5510 would be comparable.

    >
    >
    > too bad that it's out of our budget..
    >
    > Yes means it will fit our needs?


    Yes, it will more than fit your needs. It's an excellent box. It is
    the replacement for the Pix 500 series product line. It's also not
    going to be out of your budget. It lists for less than the ASA. The
    PIX-515E-UR-BUN has an MSRP of $6,995 as compared to the
    ASA5510-SEC-BUN-K9 which has a MSRP of $4,495. It's a good buy.

    J
     
    J, Jul 19, 2006
    #8
  9. In article <Zhxvg.41766$>,
    Peter Simons <> wrote:

    >Walter Roberson wrote:


    >> If your inside switch supports tagged 802.1Q VLANs, then
    >> the needs you identified can all be handled by a PIX 506E running
    >> 6.3(3) or later.


    >Some people prefer the DMZ to be on its own interface rather than a shared one.


    The DMZ would be on its own interface -- its own logical interface,
    with a distinct 802.1Q tag.

    With the 506E, the DMZ could not be on its own -physical- interface.

    At that point, you are into cost/risk analysis. Historically there
    have been ways to "vlan hop", to trick routers or switches to
    deliver packets sourced in one vlan over into a different vlan.
    There haven't been any recent issues about that (at least not on
    reputable equipment), so it becomes a matter of risk: what is the
    probability that someone will develop a -new- vlan hopping attack,
    and what is the probability that someone will be able to (and choose to)
    exploit that attack against your network; and is the probability
    of success over a given time interval worth the extra cost?


    One can hypothesize all kinds of attacks -- one can hypothesize,
    for example, that someone will find a quick way to break strong sequence
    numbers and be able to launch large-scale forging attacks. Do you
    see many reports of people cross-analyzing different products to find
    completely different strong sequence number protections so that they
    can layer the protections several deep? Perhaps in some very high
    security locations, but the risk is currently considered too low for
    people to be putting in that kind of time and money.
     
    Walter Roberson, Jul 20, 2006
    #9
  10. Cityexplorer Guest

    Thanks for your precious information. Price in Canada is about $3235CDN
    which is cheaper than the 515E.

    Before I look into the details doc, what is the major advantage of
    ASA5500 over 515E?


    Peter Simons wrote:
    > X-No-Archive: yes
    >
    > Cityexplorer wrote:
    > > wrote:
    > >
    > >>Yes. Don't buy one. Get the ASA 5500. A 5510 would be comparable.

    > >
    > >
    > >
    > > too bad that it's out of our budget..
    > >
    > > Yes means it will fit our needs?
    > >
    > > Dave
    > >

    > You're sure?
    > http://www.s2s.ltd.uk/product/cisco/cisco_security_and_vpn/cisco_pix_500_series/cisco_sme_firewalls/
    > PIX-515E-R-DMZ-BUN Cisco PIX 515E Chassis including Restricted software
    > and 3 Fast Ethernet Ports. £ 1,420.00
    >
    > http://www.s2s.ltd.uk/product/cisco...a_5500_series/cisco_asa_5500_series_solution/
    >
    > ASA5510-BUN-K9 ASA 5510 Appliance w/ SW, 50 VPN Peers, 3 FE, 3DES/AES £
    > £1310.00
    >
    >
    >
    > I know they're UK prices, but for similar products they are a similar price.
    > If there are no legacy reasons to go PIX I would go ASA.
    >
    > (And I recently bought one too.)
     
    Cityexplorer, Jul 20, 2006
    #10
  11. Cityexplorer Guest

    Cisco ASA 5500 Series Enterprise Editions
    Cisco ASA 5500 Series Firewall Edition for the Enterprise
    Cisco ASA 5500 Series Anti-X Edition for the Enterprise
    Cisco ASA 5500 Series IPS Edition for the Enterprise
    Cisco ASA 5500 Series VPN Edition for the Enterprise

    Hmm... so many versions. I need firewall/VPN peer/site-to-site VPN...

    when I check their parts # ASA5510-BUN-K9 is available for both vpn and
    firewall edition..

    Are they actually the same ?

    Dave

    Peter Simons wrote:
    > X-No-Archive: yes
    >
    > Cityexplorer wrote:
    > > wrote:
    > >
    > >>Yes. Don't buy one. Get the ASA 5500. A 5510 would be comparable.

    > >
    > >
    > >
    > > too bad that it's out of our budget..
    > >
    > > Yes means it will fit our needs?
    > >
    > > Dave
    > >

    > You're sure?
    > http://www.s2s.ltd.uk/product/cisco/cisco_security_and_vpn/cisco_pix_500_series/cisco_sme_firewalls/
    > PIX-515E-R-DMZ-BUN Cisco PIX 515E Chassis including Restricted software
    > and 3 Fast Ethernet Ports. £ 1,420.00
    >
    > http://www.s2s.ltd.uk/product/cisco...a_5500_series/cisco_asa_5500_series_solution/
    >
    > ASA5510-BUN-K9 ASA 5510 Appliance w/ SW, 50 VPN Peers, 3 FE, 3DES/AES £
    > £1310.00
    >
    >
    >
    > I know they're UK prices, but for similar products they are a similar price.
    > If there are no legacy reasons to go PIX I would go ASA.
    >
    > (And I recently bought one too.)
     
    Cityexplorer, Jul 20, 2006
    #11
  12. Hi Dave,

    You may wish to investigate the Refurbished Cisco PIX Firewall Guide:

    http://www.bradreese.com/refurbished-cisco-pix-firewalls.htm

    As well as List Pricing and Availability of Refurbished Cisco PIX
    Firewalls:

    http://www.bradreese.com/cisco-inventory-search.htm

    Sincerely,

    Brad Reese
    BradReese.Com - Cisco Repair
    http://www.bradreese.com/cisco-big-iron-repair.htm
    1293 Hendersonville Road, Suite 17
    Asheville, North Carolina USA 28803
    USA & Canada: 877-549-2680
    International: 828-277-7272
    Fax: 775-254-3558
    AIM: R2MGrant
    BradReese.Com - Cisco Technical Forums
    http://www.bradreese.com/cisco-technical-newsgroups.htm
     
    www.BradReese.Com, Jul 20, 2006
    #12
  13. J Guest

    Cityexplorer wrote:
    > Thanks for your precious information. Price in Canada is about $3235CDN
    > which is cheaper than the 515E.
    >
    > Before I look into the details doc, what is the major advantage of
    > ASA5500 over 515E?


    The ASA product line is the replacement for the Pix 500 series product
    line. The replacement for the 506 and 501 was introduced a week or so
    ago (ASA 5505), as was the replacement for the 535 (ASA 5550). I would
    expect Cisco to announce the EoL/EoS for the remaining 500 series
    products in the next 6 months.

    The ASAs have more encrypted and non-encrypted throughput. The ASA has
    feature cards that can do virus filtering, spam filtering, phishing and
    other content filtering, IPS, and all sorts of other useful stuff.

    Go through Cisco's website and compare the two products:

    http://www.cisco.com/en/US/products/ps6120/index.html
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/index.html

    The Pix 500 series isn't listed on the main page under Security
    anymore. You have to dig deeper to find any mention of them.

    You could buy a Pix but it will cost you more and give you less. It
    would be comparable to buying that really nice quad-PIII server you've
    wanted for years for $10k when you could buy a quad-dual-core Xeon for
    a couple grand less. Go with the ASA.

    J
     
    J, Jul 20, 2006
    #13
  14. RC Guest

    One thing to remember is the PIX won't route between VPN tunnels. That is,
    if remote-site-1 is connected to HQ and remote-site-2 is also connected to
    HQ, then the two remote sites can't reach each other. The same is true for
    VPN clients. They will access HQ fine but can't access the networks at
    either remote site or each other. The simple fix for the remote sites is to
    have a tunnel between them. As for the clients....well they don't usually
    need to reach the other clients and really should be connecting to the site
    they need to reach anyway.

    Does the ASA 5500 series have this same "Feature"?


    "www.BradReese.Com" <> wrote in message
    news:...
    > Hi Dave,
    >
    > You may wish to investigate the Refurbished Cisco PIX Firewall Guide:
    >
    > http://www.bradreese.com/refurbished-cisco-pix-firewalls.htm
    >
    > As well as List Pricing and Availability of Refurbished Cisco PIX
    > Firewalls:
    >
    > http://www.bradreese.com/cisco-inventory-search.htm
    >
    > Sincerely,
    >
    > Brad Reese
    > BradReese.Com - Cisco Repair
    > http://www.bradreese.com/cisco-big-iron-repair.htm
    > 1293 Hendersonville Road, Suite 17
    > Asheville, North Carolina USA 28803
    > USA & Canada: 877-549-2680
    > International: 828-277-7272
    > Fax: 775-254-3558
    > AIM: R2MGrant
    > BradReese.Com - Cisco Technical Forums
    > http://www.bradreese.com/cisco-technical-newsgroups.htm
    >




    --
    Posted via a free Usenet account from http://www.teranews.com
     
    RC, Jul 20, 2006
    #14
  15. In article <44bfad39$0$2203$>,
    RC <rcohen _ "at" _ cominc _ "dot" _ net remove all _ and spaces> wrote:
    >One thing to remember is the PIX won't route between VPN tunnels.


    It will in 7.x (if so configured), which is the version PIX 515E are
    sold with now.
     
    Walter Roberson, Jul 20, 2006
    #15
  16. Peter Simons Guest

    X-No-Archive: yes

    Walter Roberson wrote:

    >
    > At that point, you are into cost/risk analysis. Historically there
    > have been ways to "vlan hop", to trick routers or switches to
    > deliver packets sourced in one vlan over into a different vlan.
    > There haven't been any recent issues about that (at least not on
    > reputable equipment), so it becomes a matter of risk: what is the
    > probability that someone will develop a -new- vlan hopping attack,
    > and what is the probability that someone will be able to (and choose to)
    > exploit that attack against your network; and is the probability
    > of success over a given time interval worth the extra cost?


    Reasons do not always have to be technical; they can be management, etc.

    The firm may have a policy that the DMZ is on a separate interface.
    Could just be the MD's bee in the bonnet. It could be that it's a small
    organisation with the person responsible not confident at setting up
    VLANs securely.

    Peter
     
    Peter Simons, Jul 20, 2006
    #16
