© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—4-1
Lesson 4
Cisco PIX Firewall Family
Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
• Identify the PIX Firewall models.
• Describe the key features of the PIX 501, 506E, 515E, 525, and 535 Firewall.
• Identify the PIX 501, 506E, 515E, 525, and 535 Firewall controls, connectors, and LEDs.
• Identify the PIX 501, 506E, 515E, 525, and 535 Firewall interfaces.
• Identify the PIX Firewall expansion cards.
• Explain the PIX Firewall licensing options.
Objectives (Cont.)
• Describe the key features of the Firewall Services Module for the Cisco Catalyst 6500 Series Switch and the Cisco 7600 Series Internet Router.
• Identify the switch and router slots in which the Firewall Services Module can be installed.
• Identify and describe LEDs that display the status of the Firewall Services Module.
PIX Firewall Models
[Figure: PIX Firewall Family positioning chart, price versus functionality. Market segments shown, from low to high: SOHO (PIX Firewall 501, PIX Firewall 506E), SMB, ROBO, enterprise, and SP (PIX Firewall 515E, PIX Firewall 525, PIX Firewall 535), with Gigabit Ethernet marked at the high end of the range.]
PIX Firewall 501
• Designed for small offices and teleworkers
• 7500 concurrent connections
• 60-Mbps clear text throughput
• 16-MB SDRAM
• Supports one 10/100BASE-T* Ethernet interface (outside) and a 4-port 10/100 switch (inside)
• VPN throughput
– 3-Mbps 3DES
– 4.5-Mbps 128-bit AES
• 10 simultaneous VPN peers
*100BASE-T speed option is available in release 6.3.
PIX Firewall 501—Front Panel LEDs
[Figure: PIX Firewall 501 front panel LEDs: Power, VPN tunnel, 100 Mbps, Link/act.]
PIX Firewall 501—Back Panel
[Figure: PIX Firewall 501 back panel: security lock slot, power connector, 10/100BASE-T (RJ-45) outside interface, console port (RJ-45), 4-port 10/100 switch (RJ-45).]
PIX Firewall 506E
• Designed for small and remote offices
• 25,000 concurrent connections
• 100-Mbps clear text throughput
• 32-MB RAM
• Supports two interfaces (10/100BASE-T)*
• VPN throughput
– 17-Mbps 3DES
– 30-Mbps 128-bit AES
• 25 simultaneous VPN peers
*100BASE-T speed option is available in release 6.3 for 506E only.
PIX Firewall 506E—Front Panel LEDs
[Figure: PIX Firewall 506E front panel LEDs: Power LED, Active LED, Network LED.]
PIX Firewall 506E—Back Panel
[Figure: PIX Firewall 506E back panel: console port (RJ-45), power switch, USB port, and two 10/100BASE-T (RJ-45) interfaces, each with a LINK LED and an ACT(ivity) LED.]
PIX Firewall 515E
• Designed for small to medium businesses
• 130,000 concurrent connections
• 188-Mbps clear text throughput
• 32/64-MB RAM
• Supports six interfaces
• Supports failover
• VPN throughput
– 140-Mbps 3DES (VAC+)
– 140-Mbps 256-bit AES (VAC+)
• 2,000 IPSec tunnels
PIX Firewall 515E—Front Panel LEDs
[Figure: PIX Firewall 515E front panel LEDs: Power LED, Network LED, Active LED (active failover firewall).]
PIX Firewall 515E—Back Panel
[Figure: PIX Firewall 515E back panel: expansion slots and fixed interfaces.]
PIX Firewall 515E—Fixed Interface Connectors
[Figure: PIX Firewall 515E fixed interface connectors: failover connector, console port (RJ-45), power switch, 10/100BASE-TX Ethernet 0 (RJ-45) and 10/100BASE-T Ethernet 1 (RJ-45), each with LINK, 100 Mbps, and FDX LEDs.]
PIX Firewall 515E—Expansion Slot Option Cards
[Figure: PIX Firewall 515E expansion slot option cards: VPN Accelerator (VAC, VAC+) and Fast Ethernet (1FE, 4 FE-66).]
PIX Firewall 515E—FE Card Port Numbering
• PIX Firewall 515E option cards require the UR license.
[Figure: port numbering on the single-port and quad-port FE cards.]
PIX Firewall 525
• Designed for enterprise
• 280,000 concurrent connections
• 330-Mbps clear text throughput
• 128/256-MB RAM
• Supports eight interfaces
• Supports failover
• VPN throughput
– 155-Mbps 3DES (VAC+)
– 170-Mbps 256-bit AES (VAC+)
• 2,000 IPSec tunnels
PIX Firewall 525—Front Panel LEDs
[Figure: PIX Firewall 525 front panel LEDs: Power LED, Active LED.]
PIX Firewall 525—Back Panel
[Figure: PIX Firewall 525 back panel: expansion slots and fixed interfaces.]
PIX Firewall 525—Fixed Interface Connectors
[Figure: PIX Firewall 525 fixed interface connectors: failover connection, console port (RJ-45), USB port, 10/100BASE-TX Ethernet 0 (RJ-45) and 10/100BASE-TX Ethernet 1 (RJ-45), each with LINK and ACT(ivity) LEDs, plus a 100 Mbps LED.]
PIX Firewall 525—Expansion and VAC Cards
[Figure: PIX Firewall 525 expansion and VAC cards: VPN Accelerator card, Gigabit Ethernet card, Fast Ethernet cards.]
PIX Firewall 535
• Designed for enterprise and service providers
• 500,000 concurrent connections
• 1.7-Gbps clear text throughput
• 1-GHz Intel Pentium III processor
• 512/1000-MB RAM
• Maximum of 10 interfaces
• Supports failover
• VPN throughput
– 440-Mbps 3DES (VAC+)
– 440-Mbps 256-bit AES (VAC+)
• 2,000 IPSec tunnels
PIX Firewall 535—Front Panel LEDs
[Figure: PIX Firewall 535 front panel LEDs: Power, ACT.]
PIX Firewall 535—Back Panel
[Figure: PIX Firewall 535 back panel: Bus 1 and Bus 0 (64-bit/66-MHz) serving slots 3, 2, 1, 0; Bus 2 (32-bit/33-MHz) serving slots 8, 7, 6, 5, 4; console (RJ-45); USB port; DB-15 failover connector.]
PIX Firewall 535—Option Cards
[Figure: PIX Firewall 535 option cards: VPN Accelerator (VAC, VAC+); Gigabit Ethernet (1GE, 1GE-66); Fast Ethernet (1FE, 4 FE-66, 4 FE (EOS)).]
PIX Firewall 535—Back Panel
[Figure: PIX Firewall 535 back panel slot layout: slots 8 through 0, console (RJ-45), USB port, DB-15 failover connector.]
PIX Firewall Licensing
License Types
• Unrestricted—Allows installation and use of the maximum number of interfaces and RAM supported by the platform
• Restricted—Limits the number of interfaces supported and the amount of RAM available within the system
• Failover—Places the PIX Firewall in a failover mode for use alongside another PIX Firewall with an unrestricted license
Applies to PIX Firewall 515/515E, 525, and 535
PIX Firewall 515E, 525, and 535—License Comparison Table

                              Restricted              Unrestricted
Model                      515E   525   535        515E   525    535
Maximum physical              3     6     8           6     8     10
Maximum VLANs                 3     4     6           8    10     22
Maximum (physical + VLAN)     5     6     8          10    12     24
RAM (MB)                     32   128   512          64   256  1,000

Maximum accounts for the requirement of two physical interfaces and maximum number of VLANs in any PIX Firewall.
VPN Encryption License
• DES license—Provides 56-bit DES
• 3DES/AES license
– Provides 168-bit 3DES
– Provides up to 256-bit AES
Applies to PIX Firewall Family
Firewall Services Module
FWSM
• Designed for high-end enterprise and service providers
• Runs in Cisco Catalyst 6500 Series switches and 7600 Series routers
• Based on PIX Firewall technology
• PIX Firewall 6.0 feature set (some 6.2)
• 1 million simultaneous connections
• Over 100,000 connections per second
• 5-Gbps throughput
• 1-GB DRAM
• Supports 100 VLANs
• Supports failover
FWSM in the Catalyst 6500 Switch
[Figure: FWSM installed in the Catalyst 6500 switch chassis, with the supervisor engine, redundant supervisor engine, switching modules, fan assembly, power supply 1, power supply 2, and ESD ground strap connector labelled.]
FWSM in the Cisco 7609 Internet Router
[Figure: FWSM installed in the Cisco 7609 Internet Router chassis (slots 1-9, right to left), with the OSMs, supervisor engine, redundant supervisor engine, Switch Fabric Module, redundant Switch Fabric Module, fan assembly, power supply 1, power supply 2, and ESD ground strap connection labelled.]
Summary
• There are currently five PIX Firewall models in the 500 series: 501, 506E, 515E, 525, and 535.
• The PIX Firewall models 501, 506E, 515E, 525, and 535 come equipped with Ethernet connections, console connections, and intuitive LEDs.
• PIX Firewall models 515E, 525, and 535 support failover.
• Your PIX Firewall license determines the PIX Firewall’s level of service in your network and the number of interfaces it supports.
Summary (Cont.)
• Restricted, unrestricted, and failover licenses are available for PIX Firewall models 515E, 525, and 535.
• Based on PIX Firewall technology, the Firewall Services Module for the Cisco Catalyst 6500 Switches and Cisco 7600 Series Internet Routers provides an alternative to the PIX Firewall appliance.
• FWSM supports the PIX Firewall Software Release 6.0 feature set as well as some of the 6.2 feature set.
• FWSM delivers multigigabit throughput and 1 million concurrent connections.