Cisco PIX

Encyclopedia : C : CI : CIS : Cisco PIX

Cisco PIX (Private Internet EXchange) is a firewall originally designed by Brantley Coile¹ and John Mayes of Network Translation, Inc. Their company was acquired in 1995 by Cisco Systems, Inc, who now sells the PIX technology and continues its development. For a period of approximately three years, starting with 1997, the PIX was sold alongside Cisco's Windows NT-based softwall firewall, the Centri firewall, which was acquired from Global Internet Software Group. The PIX runs a custom-written proprietary operating system originally called Finesse (Fast InterNEt Server Executive), but now the software is known simply as PIX OS. It is classified as a network layer firewall with stateful inspection. By its design it allows internal connections out (outbound traffic), and only allows inbound traffic that is a response to a valid request or is allowed by an ACL (Access Control List) or a conduit. The PIX can be configured to perform many functions including NAT (network address translation) and PAT (port address translation).

The PIX is constructed using Intel-based/Intel-compatible motherboards. Nearly all PIXes use NIC's with Intel network chipsets, but some older models are occasionally found with 3COM 3c590 and 3c595 cards. The PIX 520 shares basic components, such as motherboard, chassis, NIC's, flash cards, etc, with the Cisco LocalDirector 416/420/430 and the Cisco Service Selector Gateway 6510 (SSG-6510), though each runs a different operating system. The PIX boots off of a proprietary ISA flash memory daughtercard in the case of the PIX Classic, 10000, 510, 520, and 535, and it boots off of integrated flash memory in the case of the PIX 501, 506/506e, 515/515e, 525, and WS-SVC-FWM-1-K9.

Due to the standard nature of the PIX's components, it is technically feasible to construct (but legally questionable to sell) a "frankenpix" from older computer parts that use the Intel chipset, such as motherboards and network cards. The only nonstandard part involved is the ISA flash card, from which the machine boots. Such cards may be acquired from people upgrading their PIX to a newer OS, as the newer PIX OS images won't fit on the 512kB or 2 MB flash cards found in the PIX Classic, PIX 10000, PIX 510, and PIX 520; except for the 501 and 506, which have 8 MB of flash, one must have at least 16 MB of flash to run versions 5.2 on up.

The PIX technology is also sold in a blade, the FireWall Services Module (FWSM, part code:WS-SVC-FWM-1-K9), for the Cisco Catalyst 6500 switch series and the 7600 Router series.

Recently, Cisco has introduced the Adaptive Security Appliance (ASA) which combines functionality from the PIX, VPN 3000 series and IDS product lines. The ASA series of devices run PIX code 7.0 and later.

Contents

0.1 History and hardware/software specfications
0.2 Performance specifications
0.3 Footnotes
0.4 List of part numbers for
0.5 See also

History and hardware/software specfications

Model	PIX Classic 47-3158-01	PIX 10000	PIX 501	PIX 506	PIX 506e	PIX 510	PIX 515	PIX 515e	PIX 520	PIX 525	PIX 535	FWSM
Introduced	1994		2001	2000	2002	1997	1999	2002	1999	2000	2000	2003
Discontinued	1998	1998	n/a	2002	n/a	1999	2002	n/a	2001	n/a	n/a	n/a
CPU type	Intel Pentium Pro	Intel Pentium Pro	AMD SC520¹¹	MMX	Celeron (Mendocino)	Intel Pentium			Pentium II (Deschutes)	Intel Pentium III (Coppermine)	Intel Pentium III (Coppermine)
CPU speed	133 MHz	200 MHz	133 MHz	200 MHz	300 MHz	166 MHz	200 MHz	433 MHz		600 MHz	1 GHz
Default RAM	8 MB	16 MB		32 MB	32 MB	16 MB			128 MB			1 GB
Boot flash device	Daughtercard	Daughtercard	Onboard	Onboard	Onboard	Daughtercard	Onboard	Onboard	Daughtercard	Onboard	Daughtercard	Onboard
Default flash	2 MB	2 MB				2 MB					16 MB	128 MB
Boot flash chips	4 x 29C040		1 x 28F640	1 x i28F640J5	1 x 28F640	4 x 29C040	2 x i28F640J5	1 x E28F128J3	2 x i28F640J5	1 x EF28F128J3	2 x i28F640J5
PIX BIOS flash chips	AM28F256		28F640	AT29C257	AM29F400B	AM28F256	AT29C257	AM29F400B	AT29C257	E28F400B5T
Minimum PIX OS version			6.1(1)	4.4(x)	5.1(x)	4.4(x)	5.1(x)	5.1(x)	4.4(x)	5.2(x)	5.3(x)
Maximum PIX OS version							Latest 7.x	Latest 7.x		Latest 7.x	Latest 7.x
Max interfaces				2	2
Fixed internal interface	No	No	10/100baseT	10baseT	10/100baseT	No	10/100baseT	10/100baseT	No	10/100baseT	No	No
Fixed external interface	No	No	10/100baseT	10baseT	10/100baseT	No	10/100baseT	10/100baseT	No	10/100baseT	No	No
PCI slots			0	0	0		2	2		3	9	0
Expansion cards supported	1 port FE, 1 port Token Ring, 1 port FDDI	1 port FE, 1 port Token Ring, 1 port FDDI	No	No	No	1 port FE, 1 port Token Ring, 1 port FDDI	1000baseSX		1 port FE, 4 port FE, 1 port 1000baseSX	1 port FE, 4 port FE, 1 port 1000baseSX	1 port FE, 4 port FE, 1 port 1000baseSX
VPN accelerator supported	Yes	Yes	No	No	No	Yes	Yes	Yes	Yes	Yes	Yes
Floppy drive	Yes	Yes	No	No	No	Yes	No	No	Yes	No	No	No
Failover supported	Yes	Yes	No	No	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Model	PIX Classic	PIX 10000	PIX 501	PIX 506	PIX 506e	PIX 510	PIX 515	PIX 515e	PIX 520	PIX 525	PIX 535	FWSM

---Information on models supported as of 6/27/2005 verified from [Cisco's PIX Brochure] (page 2) and the specific [product pages]

Performance specifications

Model	PIX Classic	PIX 10000	PIX 501	PIX 506	PIX 506e	PIX 510	PIX 515	PIX 515e		PIX 525	PIX 535	FWSM
Cleartext throughput, Mbit/s		90	60	20	100		147	190	240	330	1655	5500
56-bit DES throughput, Mbit/s			6		20		n/a	n/a		n/a	n/a	n/a
168-bit Triple DES throughput, Mbit/s			3	6	16		10	⁵		⁵	⁵	n/a
AES-128 throughput, Mbit/s			4.5		30							n/a
AES-256 throughput, Mbit/s			3.4		25							n/a
Max simultaneous connections		16,000	7,500	10,000	25,000				256,000			999,900 total / 100,000 per second
Max simultaneous hosts (users)					Unlimited			Unlimited		Unlimited	Unlimited	256,000
Max number of ACL's												80,000
Max simultaneous VPN peers			10	25	25							n/a
Model	PIX Classic	PIX 10000	PIX 501	PIX 506	PIX 506e	PIX 510	PIX 515	PIX 515e	PIX 520	PIX 525	PIX 535	FWSM

---Information on models supported as of 6/27/2005 verified from [Cisco's PIX Brochure] (page 2) and the specific [product pages]

Footnotes

Note 1: Brantley Coile now operates Coraid, which designs and manufactures Network-attached_storage
Note 2: The "inside" port is connected to an internal, unmanaged, auto-polarity 4 port switch.
Note 3: Restricted package / Unrestricted package limits (referred to by Cisco as R and UR/FO/FO-AA, respectively). For PIX-525 512Mb RAM not supported but it works.
Note 4: According to Cisco, the 1000baseSX card is not officially supported by the 515/515e, but it will work.
Note 5: VAC acceleration vs VAC+ (in parenthesis) acceleration (Implies Unrestricted package).
Note 6: Older 520's made before February 2000 and with a serial number less than 18025677 shipped with a 2 MB flash card. Newer 520's shipped with a 16 MB flash card.
Note 7: The WS-SVC-FWM-1-K9 blade has no fixed ports or internal expansion; it makes use of either VLAN interfaces (being used by physical interfaces on a remote switch) or the physical interfaces on the switch/router it is installed in.
Note 8: PIX Classic firewalls with a serial number of 06002015 or lower came with 512k flash. Newer models came with 2 MB flash.
Note 9: The WS-SVC-FWM-1-K9 blade only supports IPSec VPN for management. It doesn't have the ability to terminate a VPN connection for remote users.
Note 10: The PIX 520 received updated PII processors as they became available, starting with the PII 233 and ending with the PII 350. The Intel-manufactured [SE440BX-2] ATX motherboard in the 520 can support any Slot1 processor from the Celeron Covington, Celeron Mendocino, Pentium II Klamath, Pentium II Deschutes, and the Pentium III Katmai families, as long as the cpu's use 2.0v core voltage and can run on a 66 or 100 MHz fsb. You may also use 133MHz FSB cpu's, but they will run at slower speeds, for example a 933 MHz cpu for 133 MHz FSB will only run at 700 MHz. A slotket can also be used to install the newer 500 MHz - 1.1 GHz Socket 370 Pentium III Coppermine cpu's, as long as the slotket provides a voltage regulator and manual bus speed selector.
Some PIX 520 Firewalls may use the Intel [AL440LX] motherboard instead of the SE440BX-2. The AL440LX may be replaced by a SE440BX-2 or similar motherboard, but the BIOS needs to be re-configured.
Note 11: Cannot be easily upgraded, due to clearance issues with the top cover. In the case of the 506e, the CPU was evidently inserted into the ZIF socket, and then the heatsink/fan was epoxied on. That makes removing the CPU very difficult, as the heatsink overlaps the lever that releases the CPU.
Note 12: In early 2005, Cisco indicated that PIX OS 7.x would only support the 515, 515e, 525, and 535, while a "stripped-down" version would eventually be released for the 501 and 506e. While not officially supported, it is actually possible to update the 506E to 7.x code by removing all GUI management software.
Note 13: Running the highest possible PIX OS version requires the use of the PIX-FLASH-16 MB flash card, as the 5.2 through 6.3 train won't fit on a 512KB or 2 MB flash card.
Note 14: Shows flash chips on the 2 MB flash card versus the chips on the 16 MB flash card.
Note 15: Various models of the 525 use different flash chips, probably due to differing production runs.
Note 16: Shows flash chips on the 512KB flash card versus the chips on the 2 MB flash card.
Note 17: While the PIX 535 boots off of the same ISA flash card as some PIX 510's and 520's (the PIX-FLASH-16 MB) its newer on-board PIX BIOS (version 4.x) overrides the PIX BIOS on the flash card (version 3.6) at boot.
Note 18: Since both the 510 and 520 have standard ATX motherboards, the PCI slot count can be higher or lower than the default if the motherboard is replaced with a different one.
Note 19: The performance figures cited here are highly changeable, as one can upgrade the CPU in the PIX 520 to a 1GHz Pentium III, which will considerably increase its throughput in all of the below categories, putting it on a level with the 525 and 535.

List of part numbers for
Flash cards
* ??? - 512kB ISA flash card used in the PIX Classic and 10000.
* ??? - 2MB ISA flash card used in the PIX Classic, 10000, 510, and 520, as well as the SSG-6510 and many LocalDirectors.
* PIX-FLASH-16MB - 16 MB ISA flash card for the PIX 510, 520, and 535.
Ethernet cards
* PIX-1GE-66 - 64 bit/66 MHz 1000baseSX card for PIX 53x. Based on the Intel Pro/1000-F fiber network card with the 82543GC chipset (PWLA8490sx[link]). The 1000baseT variant of this card, the Intel Pro/1000-t Server adapter (PWLA8490t[link]), is not supported by PIX OS, probably due to interoperability problems with early 1000baseT switch products [link].
* PIX-1GE - 32 bit/33 MHz 1000baseSX card for PIX 52x. Based on the Intel Pro/1000 fiber network card with the 82542 chipset (PWLA8490[link]).
* PIX-4FE-66 - 64 bit/66 MHz Four port 10/100 Fast Ethernet card. Based on the Intel 82559 chipset. Uses a DEC 21154BE bridge chip.
* PIX-4FE - 32 bit/33 MHz Four port 10/100 Fast Ethernet card. Based on the Intel 82558b chipset. Uses a DEC 21154AB bridge chip.
* PIX-1FE - 32 bit/33 MHz One port 10/100 Fast Ethernet card. Based on the Intel Pro/100+ family with the 82557, 82558 and 82559 chipsets.
**???* - 3COM 3c590 and 3c595 PCI NIC's found in PIX Classic, 510, 515, and 520. Mentioned in version 4.4.1 install guide and supported through at least PIX OS 5.1.5 [link]. Since these are PIX components predating Cisco's acquisition, there may not be PIX-specific part numbers for these at all.
VPN/Encryption acceleration cards
* PIX-VPN-ACCEL - 32 bit/33 MHz IPSec Hardware VPN Accelerator Card. Accelerates DES and 3DES.
* PIX-VAC-PLUS - 64 bit/66 MHz IPSec Hardware VPN Accelerator Card. Supported only on 515e, 525, and 535 running PIX OS 6.3(1) or higher. Accelerates DES, 3DES, and AES. Part number 74-3176-01. Chip BCM5823KPB-5
* PIX-PL2 - 32 bit/33 MHz PIX Private Line proprietary DES encryption card (discontinued and unsupported from PIX OS 6.0(1) on).
FDDI and Token Ring cards
* PIX-1TR - 32 bit/33 MHz 4/16 Mbit/s Token Ring card (discontinued and unsupported from PIX OS 6.0(1) on).
* PIX-FDDI - 32 bit/33 MHz 100Mbit/s SC duplex PCI FDDI card based on the Interphase 5511 FDDI card (PB05511-002). It was discontinued and unsupported from PIX OS 6.0(1) on.

Cisco PIX

History and hardware/software specfications

Performance specifications

Footnotes

See also