
Cisco Pix

History

PIX was originally conceived in early 1994 by John Mayes of Redwood City, California and designed and coded by Brantley Coile of Athens, Georgia. The PIX name is derived from its creators' aim of creating the functional equivalent of an IP PBX to solve the then-emerging registered IP address shortage. At a time when NAT was just being investigated as a viable approach, they wanted to conceal a block or blocks of IP addresses behind a single or multiple registered IP addresses, much like PBXs do for internal phone extensions. When they began, RFC 1597 and RFC 1631 were being discussed, but the now-familiar RFC 1918 had not yet been submitted.

The design and testing were carried out in 1994 by John Mayes, Brantley Coile and Johnson Wu of Network Translation, Inc., with Brantley Coile being the sole software developer. Beta testing of PIX serial number 000000 was completed and first customer acceptance was on December 21, 1994 at KLA Instruments in San Jose, California. The PIX quickly became one of the leading enterprise firewall products and was awarded the Data Communications Magazine "Hot Product of the Year" award in January of 1995.

After Cisco acquired Network Translation in November 1995, Mayes and Coile hired four longtime associates: Jim Jordan, Tom Bohannon, and Richard Howes and Pete Tenereillo (both of whom had worked for NTI prior to the acquisition). Together they continued development on Finesse OS and the original version of the Cisco PIX Firewall, now known as the PIX "Classic". During this time, the PIX shared most of its code with another Cisco product, the LocalDirector.

End-of-Life

On January 28, 2008, Cisco announced the end-of-sale and end-of-life dates for all Cisco PIX Security Appliances, software, accessories, and licenses. The last day for purchasing Cisco PIX Security Appliance platforms and bundles was July 28, 2008. The last day to purchase accessories and licenses was January 27, 2009. Cisco will continue to support Cisco PIX Security Appliance customers through July 27, 2013.

Adaptive Security Appliance (ASA)


In May 2005, Cisco introduced the Adaptive Security Appliance (ASA) which combines functionality from the PIX, VPN 3000 series and IPS product lines. The ASA series of devices run PIX code 7.0 and later. Through PIX OS release 7.x the PIX and the ASA use the same software images. Beginning with PIX OS version 8.x, the operating system code diverges, with the ASA using a Linux kernel and PIX continuing to use the traditional Finesse/PIX OS combination.

Description of operation

The PIX runs a custom-written proprietary operating system originally called Finesse (Fast InterNEt Server Executive), but now the software is known simply as PIX OS. It is classified as a network layer firewall with stateful inspection, although the PIX would more precisely be called a Layer 4, or transport layer, firewall: its access decisions are not restricted to network layer routing but apply to socket-based connections (an IP address and a port; port communications occur at Layer 4). By default it allows internal connections out (outbound traffic), and only allows inbound traffic that is a response to a valid request or is allowed by an Access Control List (ACL) or a conduit. The PIX can be configured to perform many functions including network address translation (NAT) and port address translation (PAT), as well as being a virtual private network (VPN) endpoint appliance.

The PIX was the first commercially available firewall product to introduce protocol-specific filtering, with the introduction of the "fixup" command. The PIX "fixup" capability allows the firewall to apply additional security policies to connections identified as using specific protocols. Two protocols for which specific fixup behaviors were developed are DNS and SMTP. The DNS fixup originally implemented a very simple but effective security policy: it allowed just one DNS response from a DNS server on the Internet (the side known as the outside interface) for each DNS request from a client on the protected side (known as the inside interface). "Fixup" has been superseded by "Inspect" on later versions of PIX OS.
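The one-response-per-request policy described above can be modelled in a few lines. This is an added example, not PIX OS code: the class name, the choice to match on client, server and DNS transaction ID, and the sample addresses are assumptions made for illustration.

```python
import struct

# Constructed sample question section: example.com, type A, class IN
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)

def dns_msg(txid, response):
    """Build a minimal DNS message (12-byte header plus one question)."""
    flags = 0x8180 if response else 0x0100  # QR bit 0x8000 marks a response
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + QUESTION

def parse_header(payload):
    """Return (transaction_id, is_response), or None if too short to be DNS."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)

class DnsFixupModel:
    """Hypothetical model: one inbound response per outstanding inside query."""

    def __init__(self):
        self.pending = set()  # (client, server, txid) awaiting a reply

    def outbound(self, client, server, payload):
        # Outbound traffic is permitted by default; queries are remembered.
        hdr = parse_header(payload)
        if hdr and not hdr[1]:
            self.pending.add((client, server, hdr[0]))
        return "permit"

    def inbound(self, server, client, payload):
        hdr = parse_header(payload)
        if hdr is None or not hdr[1]:
            return "drop"                 # not a DNS response at all
        key = (client, server, hdr[0])
        if key not in self.pending:
            return "drop"                 # unsolicited, or already answered
        self.pending.discard(key)         # the single permitted reply is used up
        return "permit"

def demo():
    client, server = ("10.0.0.5", 40000), ("192.0.2.53", 53)
    other = ("198.51.100.7", 53)          # a server the client never queried
    fw = DnsFixupModel()
    return [
        fw.outbound(client, server, dns_msg(0x1A2B, False)),  # query leaves
        fw.inbound(other, client, dns_msg(0x1A2B, True)),     # wrong server
        fw.inbound(server, client, dns_msg(0x1A2B, True)),    # first reply
        fw.inbound(server, client, dns_msg(0x1A2B, True)),    # second reply
        fw.inbound(server, client, dns_msg(0x7777, True)),    # unknown ID
    ]

if __name__ == "__main__":
    print(demo())
```

Only the first reply from the queried server is let through; a reply from a different server, a repeated reply and a reply with an unknown transaction ID are all dropped.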

The Cisco PIX was also one of the first commercially available security appliances to incorporate IPSec VPN gateway functionality.

The PIX can be managed by a command line interface (CLI) or a graphical user interface (GUI). The CLI is accessible from the serial console, telnet and SSH. GUI administration was introduced with version 4.1, and it has been through several incarnations: PIX Firewall Manager (PFM) for PIX OS versions 4.x and 5.x, which runs locally on a Windows NT client; PIX Device Manager (PDM) for PIX OS version 6.x, which runs over HTTPS and requires Java; and Adaptive Security Device Manager (ASDM) for PIX OS version 7 and greater, which can run locally on a client or in reduced-functionality mode over HTTPS. Examples of emulators include PEMU and Dynagen; NetworkSims.com ProfSIMs (Networksims) is an example of a simulator.

As the PIX is an acquired product, the CLI was originally not aligned with the Cisco IOS syntax. Starting with version 7.0, the configuration is much more IOS-like. As the PIX only supports IP traffic (as opposed to IPX, DECNet, etc.), in most configuration commands 'ip' is omitted. The configuration is upwards compatible, but not downwards. When a 5.x or 6.x configuration is loaded on a 7.x platform, the configuration is automatically converted to 7.x formatting, as long as the configuration was using ACLs, versus conduits and "outbounds". This allows for an easy migration from PIX to ASA. PIX OS v7.0 is only supported on models 515, 515(E), 525 and 535. Although the 501 and 506E are relatively recent models, the flash memory size of only 8 MB prevents support of version 7.x, although rumors suggest that 7.0 can be installed on a 506E (see external links). The 8MB flash size only allows for installation of the PIX OS software, not the ASDM software (GUI). For the PIX 515(E), a doubling of the memory size is required (32->64 MB for restricted and 64->128MB for Unrestricted/Failover licenses). A 515(E) UR/FO can run 7.0 with 64 MB memory installed, but that is not recommended as larger configuration and session/xlate tables can exceed the available memory.

Description of hardware

PIX 515 with top cover removed.

The original NTI PIX and the PIX Classic had cases that were sourced from OEM provider Appro. All flash cards and the early encryption acceleration cards, the PIX-PL and PIX-PL2, were sourced from Productivity Enhancement Products (PEP). Later models had cases from Cisco OEM manufacturers.

The PIX was constructed using Intel-based/Intel-compatible motherboards; the PIX 501 used an AMD 5x86 processor, and all other standalone models used Intel 80486 through Pentium III processors. Nearly all PIXes used Ethernet NICs with Intel 82557, 82558, and 82559 network chipsets, but some older models are occasionally found with 3COM 3c590 and 3c595 Ethernet cards, Olicom-based Token-Ring cards, and Interphase-based FDDI cards.

Some Intel-based Ethernet cards for the PIX are identified at boot with the designation "mcwa". This designation denotes a multicast receive bug in the card's firmware that the designers addressed with a feature they called Multi Cast Work Around.

Both the PIX 510 and 520 share basic components, such as motherboard, chassis, NICs, flash cards, etc., with the Cisco LocalDirector 416/420/430, the Cisco Service Selector Gateway 6510 (SSG-6510), and the Cisco Cache Engine CE2050, though the latter two run VxWorks, rather than a Finesse derivative.

The PIX boots off a proprietary ISA flash memory daughtercard in the case of the NTI PIX, PIX Classic, 10000, 510, 520, and 535, and it boots off integrated flash memory in the case of the PIX 501, 506/506e, 515/515e, 525, and WS-SVC-FWM-1-K9.

The PIX technology implemented in the FWSM, for the Catalyst 6500 and the 7600 Router, has a part code of WS-SVC-FWM-1-K9.

Specifications of past and present models

Current models

| Model | 501 | 506e | 515e | 525 | 535 | FWSM |
| Introduced | 2001 | 2002 | 2002 | 2000 | 2000 | 2003 |
| Discontinued | 2008 | 2008 | 2008 | 2008 | 2008 | |
| CPU type | AMD SC520 5x86 | Intel Celeron (Mendocino SL36A) | Intel Celeron (Mendocino SL3BA) | Intel Pentium III (Coppermine) | Intel Pentium III (Coppermine) | One Intel Pentium III and three IBM 4GS3 PowerNP network processors |
| CPU speed | 133 MHz | 300 MHz | 433 MHz | 600 MHz | 1 GHz | 1 GHz |
| Chipset | AMD SC520 | Intel 440BX Seattle | Intel 440BX Seattle | Intel 440BX Seattle | Broadcom Serverworks RCC | ? |
| Default RAM | 16 MB | 32 MB | 64 (128) MB | 128 (256) MB | 512 (1024) MB | 1 GB |
| Boot flash device | Onboard | Onboard | Onboard | Onboard | ISA card & Onboard | Onboard |
| Default flash | 8 MB | 8 MB | 16 MB | 16 MB | 16 MB | 128 MB |
| Boot flash chips | 1 x 28F640 | 1 x 28F640 | 1 x E28F128J3 | 1 x EF28F128J3 | 2 x i28F640J5 | ATA CompactFlash |
| PIX BIOS flash chips | 28F640 | AM29F400B | AM29F400B | AM29F400B/E28F400B5T | DA28F320J5 | |
| Minimum PIX OS version | 6.1(1) | 5.1(x) | 5.1(x) | 5.2(x) | 5.3(x) | FWSM 2.3(x) |
| Maximum PIX OS version officially supported | Latest 6.3(x) | Latest 6.3(x) | 8.x | 8.x | 8.x | FWSM 4.0(x) |
| Max interfaces | 2 | 2 | 3(6) | 6(10) | 8(14) | |
| Fixed internal interface | 10/100baseT | 10/100baseT | 10/100baseT | 10/100baseT | No | No |
| Fixed external interface | 10/100baseT | 10/100baseT | 10/100baseT | 10/100baseT | No | No |
| PCI slots | 0 | 0 | 2 | 3 | 9 | 1 |
| Expansion cards supported | No | No | 1 port FE, 4 port FE, 1 port 1000baseSX | 1 port FE, 4 port FE, 1 port 1000baseSX | 1 port FE, 4 port FE, 1 port 1000baseSX | Yes |
| Supports SSL VPN | No | No | No | No | No | No |
| VPN accelerator supported | No | No | Yes | Yes | Yes | No |
| Floppy drive | No | No | No | No | No | No |
| Failover supported | No | No | Yes | Yes | Yes | Yes |

Discontinued models

Model

NTI PIX

Classic

47-3158-01

10000

506

510

515

520

Introduced

1994

1995

1996

2000

1997

1999

1999

Discontinued

1995

1998

1998

2002

1999

2002

2001

CPU type

Intel 486DX2/

Intel Pentium

Intel Pentium

Intel

Pentium Pro

Intel

Pentium MMX

Intel

Pentium

Intel

Pentium MMX

Intel

Pentium II

(Deschutes)

CPU speed

66 / 90 MHz

100~133 MHz

200 MHz

200 MHz

166 MHz

200 MHz

233~350 MHz

Chipset

Intel

430FX/TX

Intel

440FX

Natoma

Intel

430TX

Intel

430TX

Intel

430TX

440LX/BX

Balboa/

Seattle

Default RAM

4 MB

8 MB

16 MB

32 MB

16 MB

32 (64) MB

128 MB

Boot flash device

ISA card

ISA card

ISA card

Onboard

ISA card

Onboard

ISA card

Default flash

512KB

512KB /

2 MB

2 MB

8 MB

2 MB

16 MB

2 MB / 16 MB

Boot flash chips

2 x i28f020

2 x i28f020 /

4 x 29C040

4 x 29C040

1 x i28F640J5

4 x 29C040

2 x i28F640J5

4 x 29C040 /

2 x i28F640J5

PIX BIOS flash chips

AM28F256

AM28F256

AM28F256

AT29C257

AM28F256

AT29C257

AM28F256/

AT29C257

Minimum PIX OS version

1.x

2.x

4.4(x)

4.4(x)

4.4(x)

5.1(x)

4.4(x)

Maximum PIX OS version

4.2(2)

4.2(2)

5.1(x)

5.1(x)

Latest 6.3(x)

5.3(4)

Latest 8.x

Latest 6.3(x)

Max interfaces

2

6(3)

8(6)

Fixed internal interface

No

No

No

10baseT

No

10/100baseT

No

Fixed external interface

No

No

No

10baseT

No

10/100baseT

No

PCI slots

?

4

4

0

4+

2

4+

Expansion cards supported

?

1 port FE,

1 port Token Ring,

1 port FDDI

1 port FE,

1 port Token Ring,

1 port FDDI

No

1 port FE,

1 port Token Ring,

1 port FDDI

1 port FE,

4 port FE,

1 port 1000baseSX

1 port FE,

4 port FE,

1 port 1000baseSX

VPN accelerator supported

Yes

Yes

Yes

No

Yes

Yes

Yes

Floppy drive

Yes

Yes

Yes

No

Yes

No

Yes

Failover supported

No

No/Yes

Yes

No

Yes

Yes

Yes

Model

NTI PIX

Classic

10000

506

510

515

520

---Information on models supported as of 6/27/2005 verified from Cisco's PIX Brochure (page 2) and the specific product pages

Performance specifications

Model

PIX Classic

PIX 10000

PIX 501

PIX 506

PIX 506e

PIX 510

PIX 515

PIX 515e

PIX 520

PIX 525

PIX 535

ASA 5520

FWSM

Cleartext throughput, Mbit/s

90

60

20

100

147

190

240

330

1655

450

5500

56-bit DES throughput, Mbit/s

6

20

n/a

n/a

n/a

n/a

?

n/a

168-bit Triple DES throughput, Mbit/s

3

6

16

10 / 63 (135)

20 / 63 (135)

20

30 / 72 (145)

50 / 100 (425)

225

n/a

AES-128 throughput, Mbit/s

4.5

30

45 / 130

65 / 135

110 / 495

225

n/a

AES-256 throughput, Mbit/s

3.4

25

35 / 130

50 / 135

90 / 425

225

n/a

Max simultaneous connections

16,000

7,500

10,000

25,000

64,000 / 128,000

48,000 / 130,000

256,000

140,000 / 280,000

250,000 / 500,000

280,000

999,900 total / 100,000 per second

Max simultaneous hosts (users)

10 / 50 / Unlimited

Unlimited

Unlimited

128 / 1000 / unlimited

Unlimited

Unlimited

?

256,000

Max number of ACL entries

?

80,000

Max simultaneous VPN peers

10

25

25

0 / 2000

0 / 2000

0 / 2000

750 IPSec, 750 SSL

n/a

Model

PIX Classic

PIX 10000

PIX 501

PIX 506

PIX 506e

PIX 510

PIX 515

PIX 515e

PIX 520

PIX 525

PIX 535

ASA 5520

FWSM

---Information on models supported as of 6/27/2005 verified from Cisco's PIX Brochure (page 2) and the specific product pages

List of part numbers for PCI, ISA, and EISA expansion cards

PIX 512KB flash memory card

PIX-PL2 encryption card

Flash cards

??? - 512 kB ISA flash card used in the original NTI PIX, PIX Classic and 10000. It is manufactured by Productivity Enhancement Products. Apart from progressive manufacturing refinements, the 512KB and 2MB flash cards were identical except for the chips that populated them. Both booted from a 28F256 chip, but the 512KB card only populated two of the flash sockets with 28F020 chips, while the 2MB card populated all four sockets with 29C040 chips.

??? - 2 MB ISA flash card used in the PIX Classic, 10000, 510, and 520, as well as the SSG-6510 and many LocalDirectors. It is manufactured by Productivity Enhancement Products.

PIX-FLASH-16MB - 16 MB ISA flash card for the PIX 510, 520, and 535. It is manufactured by Productivity Enhancement Products.

Ethernet cards

PIX-1GE-66 - 64 bit/66 MHz PCI 1000baseSX card for PIX 53x. Based on the Intel Pro/1000-F fiber network card using the Intel TL82543GC (Intel code name "Livengood") ASIC (PWLA8490sx). The 1000baseT variant of this card, the Intel Pro/1000-t Server adapter (PWLA8490t), is not supported by PIX OS, due to Carrier Extension interoperability problems with early 1000baseT switch products.

PIX-1GE - 32 bit/33 MHz PCI 1000baseSX card for PIX 52x. Based on the Intel PWLA8490 Pro/1000 fiber network card with the 82542 (Intel code name "Wiseman") chipset. The ASIC used on this card is the LSI L2A1157/695314-003. There is no 1000baseT variant of this card. In the release notes for PIX OS 6.02, Cisco advises against installing this card in the 525 and 535, referencing caveat CSCdu00850, although this caveat actually only lists the PIX 535, which is the only model with a 66 MHz PCI bus.

PIX-4FE-66 - 64 bit/66 MHz PCI Four port 10/100 Fast Ethernet card. Based on the Intel 82559 chipset. Uses a DEC 21154BE bridge chip.

PIX-4FE - 32 bit/33 MHz PCI Four port 10/100 Fast Ethernet card. Based on the Intel 82558b chipset. Uses an Intel 21154AC or DEC 21154AB bridge chip.

PIX-1FE - 32 bit/33 MHz PCI Single-port 10/100 Fast Ethernet card. Based on the Intel Pro/100+ family with the 82557, 82558 and 82559 chipsets.

??? - 3COM 3c590 and 3c595 PCI NICs occasionally found in NTI PIX, PIX Classic, 10000, 510, 515, and 520. Mentioned in version 4.4.1 install guide and supported through at least PIX OS 5.1.5. Since these are off-the-shelf PC components predating the creation of the PIX, there may not be PIX-specific part numbers for these at all.

VPN/Encryption acceleration cards

PIX-VAC-PLUS - 64 bit/66 MHz PCI IPSec Hardware VPN Accelerator Card, identified by PIX OS as a PIX-VAC+. Supported by the 515, 515e, 520, 525, and 535 running PIX OS 6.3(1) or higher. Accelerates DES, 3DES, and AES. Part number 74-3176-01. Uses the Broadcom BCM5823KPB-5 chip.

PIX-VPN-ACCEL - 32 bit/33 MHz PCI IPSec Hardware VPN Accelerator Card, identified by PIX OS as a PIX-VAC. Accelerates DES and 3DES. This is a repackaged IRE SafeNet CryptPCI 413-10004 rev 2.3 card. It uses the Analog Devices ADSP-2141L chip. Its part number is 74-1908-01.

PIX-PL2 - 32 bit/33 MHz PCI proprietary DES encryption card (discontinued and unsupported from PIX OS 6.0.1 on). It is manufactured by Productivity Enhancement Products.

PIX-PL - 32 bit/8 MHz EISA encryption card found in some early PIXes. It is manufactured by Productivity Enhancement Products.

FDDI and Token Ring cards

PIX-1TR - 32 bit/33 MHz 4/16 Mbit/s PCI Token Ring card based on the Olicom OC-3137/PE-67597 (discontinued and unsupported from PIX OS 6.0.1 on).

PIX-FDDI - 32 bit/33 MHz 100 Mbit/s SC duplex PCI FDDI card based on the Interphase 5511 FDDI card (PB05511-002). It was discontinued and unsupported from PIX OS 6.0.1 on.

Footnotes


^ Only the first few NTI PIXes came with the 486 processor; the rest came with a Pentium processor.

^ The "inside" port is connected to an internal, unmanaged, auto-polarity 4 port switch.

^ Restricted package / Unrestricted package limits (referred to by Cisco as R and UR/FO/FO-AA, respective

by: gaga