PIX 501 vs. 506 Capabilities 1

Status
Not open for further replies.
Mar 15, 2001
71
US
Hi All -

Our supervising unit has decreed that we must move from our current Linux-based solution to a Cisco PIX for security on our broadband connections. There's been some question on whether I need to purchase a PIX 501 or a 506.

My setup is ~125 PCs sharing a symmetric DSL connection to the Internet. Of these PCs, I'll have no more than 3-4 users who will require VPN access to the supervising unit's Finance Department. The PCs are accessing the Internet from a single public IP address using port address translation. I have one available public IP address that I can use for VPN if necessary (I have two others that are in use for mail and web servers).

The IT director for our supervising unit insists that with 125 users, I need to get a 506. I've been poking around a bit, and I'm wondering if I can get away with a 501 with unlimited user licenses. I think this would let all of the machines share Internet connectivity while supporting the 3-4 users on VPN.

Am I thinking about this correctly, or am I missing something fundamental?

Many thanks in advance!

Don Matteson
Cisco/VPN Rookie
 
Here's some quick specs:

Cisco 501
7500 concurrent connections
3 Mbps 3DES VPN throughput
10 simultaneous VPN peers

Cisco 506E
25,000 concurrent connections
17 Mbps 3DES VPN throughput
25 simultaneous VPN peers

The VPN throughput is not a huge deal since your SDSL line is the limiting factor, so the 501 should work fine. The price difference between the two is not much, though, so you may just want to go with the 506 anyway if it doesn't break the bank.
 
Thanks tbissett --

I guess I've been thrown off by the user-licenses issue. Am I to understand that I can have as many folks poking around on the Internet from behind the PIX as I want (as long as their combined number of connections doesn't exceed 7500), but only 10 of them can be on the VPN at any one time?

I've been led to believe from the IT director higher up on the food chain that in order to have my 125 PCs on the Internet (not the VPN), I'd have to have additional user licenses.

Is the supervising IT person in error?

Thanks again!

Don
 
The user licenses apply to inside hosts connecting to the Internet. In the case of the connection max., that is more a performance constraint if you bought the 501 with unlimited licenses (though 125 stations would never generate 7,500 concurrent connections unless something was REALLY wrong).

Then, the max VPN peers is the limit of how many VPN connections you can have simultaneously.

Here's the explanation of user licenses, straight from Cisco's website:

10-User License
The PIX 501 10-user license supports up to ten concurrent source IP addresses from your internal network to traverse through the PIX 501. The integrated DHCP server supports up to 32 DHCP leases.

50-User License
The PIX 501 50-user license supports up to 50 concurrent source IP addresses from your internal network to traverse through the PIX 501. The integrated DHCP server supports up to 128 DHCP leases.

Unlimited User License
The PIX 501 unlimited user license supports an unlimited number of devices from your internal network to traverse through the PIX 501. The integrated DHCP server supports up to 256 DHCP leases.
 
Thanks for the info. I'd looked at Cisco's site, but I guess I never got to the part detailing the user licenses. The info you've provided will definitely let me make an informed decision.

Thanks again!

Don
 