We recently decided to purchase a firewall for our network (in light of a new network line we'll be running). I did some research and found the Cisco Pix 501 to be adequate for our network. I read a bunch of reviews and noticed decent remarks in regards to the 501 (mainly that it has an excellent GUI for configuring the system).
My question is this, has anyone here had experience with the 500 Cisco series? I'm just curious if anyone has had any bad experiences, or any input for that matter. Thanks.
January 14th, 2007, 08:43 AM
Cisco make good stuff, but are also one of the most expensive choices. I can't comment on the GUI interface; I'm mostly an IOS CLI person.
January 14th, 2007, 03:49 PM
I have quite a few of them deployed out in my organization. They are very solid and have never had hardware failure issues. I use CLI because I'm old school and because the GUI does leave out some of the feature sets. Cisco does have a doc on their site that details this. If you don't need the additional command sets, then the GUI is just fine.
I find that they come light on the flash RAM and system RAM. I always upgrade these before deployment because I tend to see them bog down heavily when I run Nessus scans across them. The connection table fills up almost instantly and the device crawls almost to a halt. The serial console connection barely responds. To be fair, these little guys aren't really meant for heavy loads. Pretty much a SOHO is the cap for them.
However, once you jack up the RAM and get the 6.3 IOS on there, life is good. They hold up pretty well, even during my weekly abusive scans. lol.
January 14th, 2007, 11:24 PM
Thanks for the reply. How did you go about updating the RAM and the IOS? Are these features that are included in any bundles? Also, what's the starting RAM for this thing so I can check the specs of the unit I ordered to make sure it needs a RAM upgrade? Thanks again for the help.
January 15th, 2007, 11:37 AM
All of my upgrades and/or base model purchases are handled by meh kiddie interns. I will inquire first thing tomorrow. I want to say that they come with 128 Meg of system RAM and 8 Meg of flash RAM but let me check for sure.
January 15th, 2007, 10:36 PM
The 501 is good for the very small SOHO setup, but a lot of what you get with any PIX security appliance depends on the licence you get with it. The 501 for example can come with a 10-user, 50-user or an unlimited user licence; unlike the other 500 series security appliances which have connection licences.
It has a 133MHz CPU, 8MB Flash and 16MB SDRAM and can support up to 7500 concurrent connections.
If you get it with release 6.3 or later of the security appliance software it will come with a 10/100BASE-T Outside interface but if you get one prior to this you will just have 10BASE-T - unless you are getting it second hand you will almost definitely have a later PIX O/S than 6.3. For the Inside interfaces it has a 4 port 10/100 switch.
It only has a 60 Mbps clear text throughput though...and is limited to 10 concurrent VPN peers (IKE/IPSEC SAs).
Whilst the 501 is good, for what you would pay for an unlimited user license you would be able to pick up a 506E, which is the next one up from the 501.
This is still geared to the SOHO/ROBO setup but is a lot more robust and has a connection license rather than a user license and has a 100 Mbps throughput, VLAN support, 25 VPN peers with a lot better VPN throughput than the 501.
It can have 25,000 concurrent connections and has a 300MHz CPU, 32MB SDRAM and 8 MB Flash.
Once you have an IKE/IPSEC SA or two established (VPN) and have a fairly average amount of traffic for a SOHO setup going over a 501 you do start to notice the 60 Mbps limitation...and then you start to get pissed off with it... I would really stress the fact of getting a 506E instead unless you are a very small SOHO setup that does not need any VPN connectivity or you are not going to use it as your sole firewall.
You might want to have a look at the Cisco ASA 5505, ASA being the PIX newer replacement line, and the 5505 being the equivalent of the 501...
January 16th, 2007, 08:39 PM
You've gotten a wealth of info from others. However, to answer your question, we order them as I stated, which is simply done with a memory upgrade from the base 16 meg of RAM to 128 (because of the IOS features used). Flash RAM is not touched but you will need 16 meg of flash RAM to support version 6.3 IOS.
January 17th, 2007, 05:31 PM
Well I appreciate all the responses. I checked the unit we ordered and it comes with exactly what everyone is indicating: 8MB Flash / 16MB RAM.
More important is that I didn't hear any negative feedback about the unit itself which is crucial to me.
I'll look into upgrading the unit once it comes in and I get it set up. However, I'd like to initially run it without the upgrades to see if there's a need to upgrade. Being that I work for the state, I unfortunately can't put in for a purchase without good reason. Again, thanks for the input guys.