pixes

Cisco PIX

Cisco PIX (Private Internet eXchange) is a popular IP firewall and network address translation (NAT) appliance. It was one of the first products in this market segment.

In 2005, Cisco introduced the newer Adaptive Security Appliance (ASA), that inherited much of PIX features, and in 2008 announced PIX end-of-sale.

The PIX technology is still sold in a blade, the FireWall Services Module (FWSM), for the Cisco Catalyst 6500 switch series and the 7600 Router series.

History

PIX was originally conceived in early 1994 by John Mayes of Redwood City, California and coded by Brantley Coile of Athens, Georgia. The PIX name is derived from its creators' aim of creating the functional equivalent of an IP PBX to solve the then-emerging registered IP address shortage. At a time when NAT was just being investigated as a viable approach, they wanted to conceal a block or blocks of IP addresses behind a single or multiple registered IP addresses, much like PBX's do for internal phone extensions. When they began, RFC 1597 and RFC 1631 were being discussed, but the now-familiar RFC 1918 had not yet been submitted.

The design, and testing were carried out in 1994 by John Mayes, Brantley Coile and Johnson Wu of Network Translation, Inc., with Brantley Coile being the sole software developer. Beta testing of PIX serial number 000000 was completed and first customer acceptance was on December 21 1994 at KLA Instruments in San Jose, California. The PIX quickly became one of the leading enterprise firewall products and was awarded the Data Communications Magazine "Hot Product of the Year" award in January of 1995.

After Cisco acquired Network Translation in November 1995, Mayes and Coile hired four long time associates: Jim Jordan, Tom Bohannon, and Richard Howes and Pete Tenereillo (both who worked for NTI prior to the acquisition). Together they continued development on Finesse OS and the original version of the Cisco PIX Firewall, now known as the PIX "Classic". During this time, the PIX shared most of its code with another Cisco product, the LocalDirector.

End-of-Life

On January 28, 2008, Cisco announced the end-of-sale and end-of-life dates for all Cisco PIX Security Appliances, software, accessories, and licenses. The last day for purchasing Cisco PIX Security Appliance platforms and bundles was July 28, 2008. The last day to purchase accessories and licenses will be January 27, 2009. It is important to note that Cisco will continue to support Cisco PIX Security Appliance customers through July 27, 2013.

Adaptive Security Appliance (ASA)

In May 2005, Cisco introduced the Adaptive Security Appliance (ASA) which combines functionality from the PIX, VPN 3000 series and IDS product lines. The ASA series of devices run PIX code 7.0 and later. Through PIX OS release 7.x the PIX and the ASA use the same software images. Beginning with PIX OS version 8.x, the operating system code diverges, with the ASA using a Linux kernel and PIX continuing to use the traditional Finesse/PIX OS combination.

Description of operation

The PIX runs a custom-written proprietary operating system originally called Finesse (Fast InterNEt Server Executive), but now the software is known simply as PIX OS. It is classified as a network layer firewall with stateful inspection, although technically the PIX would more precisely be called a Layer 4, or Transport Layer Firewall, as its access is not restricted to Network Layer routing, but socket based connections (a port and an IP Address - Port communications occur at Layer 4). By design it allows internal connections out (outbound traffic), and only allows inbound traffic that is a response to a valid request or is allowed by an Access Control List (ACL) or a conduit. The PIX can be configured to perform many functions including network address translation (NAT) and port address translation (PAT), as well as being a virtual private network (VPN) endpoint appliance.

The PIX was the first commercially available firewall product to introduce protocol specific filtering with the introduction of the "fixup" command. The PIX "fixup" capability allows the Firewall to apply additional security policies to connections identified as using specific protocols. Two protocols for which specific fixup behaviors were developed are DNS and SMTP. The DNS fixup originally implemented a very simple but effective security policy; it allowed just one DNS response from a DNS server on the Internet (known as outside interface) for each DNS request from a client on the protected (known as inside) interface. "Fixup" has been superseded by "Inspect" on later versions of PIX OS.

The Cisco PIX was also one of the first commercially available security appliances to incorporate IPSec VPN gateway functionality.

The PIX can be managed by a command line interface (CLI) or a graphical user interface (GUI). The CLI is accessible from the serial console, telnet and SSH. GUI administration was introduced with version 4.1, and it has been through several incarnations: PIX Firewall Manager (PFM) for PIX OS versions 4.x and 5.x, which runs locally on a Windows NT client; PIX Device Manager (PDM) for PIX OS version 6.x, which runs over [] and requires Java; and Adaptive Security Device Manager (ASDM) for PIX OS version 7 and greater, which can run locally on a client or in reduced-functionality mode over HTTPS.

As the PIX is an acquired product, the CLI was originally not aligned with the Cisco IOS syntax. Starting with version 7.0, the configuration is much more IOS-like. As the PIX only supports IP traffic (as opposed to IPX, DECNet, etc.), in most configuration commands 'ip' is omitted. The configuration is upwards compatible, but not downwards. When a 5.x or 6.x configuration is loaded on a 7.x platform, the configuration is automatically converted to 7.x formatting. This allows for an easy migration from PIX to ASA. PIX OS v7.0 is only supported on models 515, 515(E), 525 and 535. Although the 501 and 506E are relatively recent models, the flash memory size of only 8 MB prevents support of version 7.x, although rumors suggest that 7.0 can be installed on a 506E (see external links). For the PIX 515(E), a doubling of the memory size is required (32->64 MB for restricted and 64->128MB for Unrestricted/Failover licenses).

Description of hardware

The original NTI PIX and the PIX Classic had cases that were sourced from OEM provider Appro. All flash cards and the early encryption acceleration cards, the PIX-PL and PIX-PL2, were sourced from Productivity Enhancement Products (PEP). Later models had cases from Cisco OEM manufacturers.

The PIX was constructed using Intel-based/Intel-compatible motherboards; the PIX 501 used an AMD 5x86 processor, and all other standalone models used Intel 80486 through Pentium III processors. Nearly all PIXes used Ethernet NIC's with Intel 82557, 82558, and 82559 network chipsets, but some older models are occasionally found with 3COM 3c590 and 3c595 Ethernet cards, Olicom-based Token-Ring cards, and Interphase-based FDDI cards.

Some Intel-based ethernet cards for the PIX are identified at boot with the designation "mcwa". This designation denotes a multicast receive bug in the card's firmware that the designers addressed with a feature they called Multi Cast Work Around.

Both the PIX 510 and 520 share basic components, such as motherboard, chassis, NIC's, flash cards, etc, with the Cisco LocalDirector 416/420/430, the Cisco Service Selector Gateway 6510 (SSG-6510), and the Cisco Cache Engine CE2050, though the latter two run VxWorks, rather than a Finesse derivative.

The PIX boots off a proprietary ISA flash memory daughtercard in the case of the NTI PIX, PIX Classic, 10000, 510, 520, and 535, and it boots off integrated flash memory in the case of the PIX 501, 506/506e, 515/515e, 525, and WS-SVC-FWM-1-K9.

The PIX technology implemented in the FWSM, for the Catalyst 6500 and the 7600 Router, has a part code of WS-SVC-FWM-1-K9.

Specifications of past and present models

Current models

Model	501	506e	515e	525	535	ASA 5520	FWSM
Introduced	2001	2002	2002	2000	2000	2005	2003
Discontinued	2008	2008	2008	2008	2008
CPU type	AMD SC520 5x86	Intel Celeron (Mendocino SL36A)	Intel Celeron (Mendocino SL3BA)	Intel Pentium III (Coppermine)	Intel Pentium III (Coppermine)	Intel Pentium 4 Celeron	Intel Pentium III, IBM 4GS3 PowerNP network processors
CPU speed	133 MHz	300 MHz	433 MHz	600 MHz	1 GHz	2 GHz	1 GHz
Chipset	AMD SC520	Intel 440BX Seattle	Intel 440BX Seattle	Intel 440BX Seattle	Broadcom Serverworks RCC	Intel 875P Canterwood	?
Default RAM	16 MB	32 MB	64 (128) MB	128 (256) MB	512 (1024) MB	512 MB	1 GB
Boot flash device	Onboard	Onboard	Onboard	Onboard	ISA card & Onboard	Onboard	Onboard
Default flash	8 MB	8 MB	16 MB	16 MB	16 MB	64 MB	128 MB
Boot flash chips	1 x 28F640	1 x 28F640	1 x E28F128J3	1 x EF28F128J3	2 x i28F640J5	ATA CompactFlash	ATA CompactFlash
PIX BIOS flash chips	28F640	AM29F400B	AM29F400B	AM29F400B/ E28F400B5T	DA28F320J5	AT49LW080
Minimum PIX OS version	6.1(1)	5.1(x)	5.1(x)	5.2(x)	5.3(x)	7.x
Maximum PIX OS version officially supported	Latest 6.3(x)	Latest 6.3(x)	8.x	7.x	7.x	8.x
Max interfaces	2	2	6(3)	10(6)	14(8)	8
Fixed internal interface	10/100baseT	10/100baseT	10/100baseT	10/100baseT	No	10/100/1000	No
Fixed external interface	10/100baseT	10/100baseT	10/100baseT	10/100baseT	No	10/100/1000	No
PCI slots	0	0	2	3	9	1 PCI-X	1
Expansion cards supported	No	No	1 port FE, 4 port FE, 1 port 1000baseSX	1 port FE, 4 port FE, 1 port 1000baseSX	1 port FE, 4 port FE, 1 port 1000baseSX	1 port FE, 4 port FE, 1 port 1000baseSX	Yes
Supports SSL VPN	No	No	No	No	No	Yes	No
VPN accelerator supported	No	No	Yes	Yes	Yes	Integrated	No
Floppy drive	No	No	No	No	No	No	No
Failover supported	No	No	Yes	Yes	Yes	Yes	Yes
Model	501	506e	515e	525	535	ASA 5520	FWSM

Discontinued models

Model	NTI PIX	Classic 47-3158-01	10000	506	510	515	520
Introduced	1994	1995	1996	2000	1997	1999	1999
Discontinued	1995	1998	1998	2002	1999	2002	2001
CPU type	Intel 486DX2/ Intel Pentium	Intel Pentium	Intel Pentium Pro	Intel Pentium MMX	Intel Pentium	Intel Pentium MMX	Intel Pentium II (Deschutes)
CPU speed	66 / 90 MHz	100~133 MHz	200 MHz	200 MHz	166 MHz	200 MHz	233~350 MHz
Chipset		Intel 430FX/TX	Intel 440FX Natoma	Intel 430TX	Intel 430TX	Intel 430TX	440LX/BX Balboa/ Seattle
Default RAM	4 MB	8 MB	16 MB	32 MB	16 MB	32 (64) MB	128 MB
Boot flash device	ISA card	ISA card	ISA card	Onboard	ISA card	Onboard	ISA card
Default flash	512KB	512KB / 2 MB	2 MB	8 MB	2 MB	16 MB	2 MB / 16 MB
Boot flash chips	2 x i28f020	2 x i28f020 / 4 x 29C040	4 x 29C040	1 x i28F640J5	4 x 29C040	2 x i28F640J5	4 x 29C040 / 2 x i28F640J5
PIX BIOS flash chips	AM28F256	AM28F256	AM28F256	AT29C257	AM28F256	AT29C257	AM28F256/ AT29C257
Minimum PIX OS version	1.x	2.x	4.4(x)	4.4(x)	4.4(x)	5.1(x)	4.4(x)
Maximum PIX OS version	4.2(2)	4.2(2) 5.1(x)	5.1(x)	Latest 6.3(x)	5.3(4)	Latest 8.x	Latest 6.3(x)
Max interfaces				2		6(3)	8(6)
Fixed internal interface	No	No	No	10baseT	No	10/100baseT	No
Fixed external interface	No	No	No	10baseT	No	10/100baseT	No
PCI slots	?	4	4	0	4+	2	4+
Expansion cards supported	?	1 port FE, 1 port Token Ring, 1 port FDDI	1 port FE, 1 port Token Ring, 1 port FDDI	No	1 port FE, 1 port Token Ring, 1 port FDDI	1 port FE, 4 port FE, 1 port 1000baseSX	1 port FE, 4 port FE, 1 port 1000baseSX
VPN accelerator supported	Yes	Yes	Yes	No	Yes	Yes	Yes
Floppy drive	Yes	Yes	Yes	No	Yes	No	Yes
Failover supported	No	No/Yes	Yes	No	Yes	Yes	Yes
Model	NTI PIX	Classic	10000	506	510	515	520

---Information on models supported as of 6/27/2005 verified from Cisco's PIX Brochure (page 2) and the specific product pages

Performance specifications

Model	PIX Classic	PIX 10000	PIX 501	PIX 506	PIX 506e	PIX 510	PIX 515	PIX 515e	PIX 520	PIX 525	PIX 535	ASA 5520	FWSM
Cleartext throughput, Mbit/s		90	60	20	100		147	190	240	330	1655	450	5500
56-bit DES throughput, Mbit/s			6		20		n/a	n/a		n/a	n/a	?	n/a
168-bit Triple DES throughput, Mbit/s			3	6	16		10 / 63 (135)	20 / 63 (135)	20	30 / 72 (145)	50 / 100 (425)	225	n/a
AES-128 throughput, Mbit/s			4.5		30			45 / 130		65 / 135	110 / 495	225	n/a
AES-256 throughput, Mbit/s			3.4		25			35 / 130		50 / 135	90 / 425	225	n/a
Max simultaneous connections		16,000	7,500	10,000	25,000		64,000 / 128,000	48,000 / 130,000	256,000	140,000 / 280,000	250,000 / 500,000	280,000	999,900 total / 100,000 per second
Max simultaneous hosts (users)			10 / 50 / Unlimited		Unlimited			Unlimited	128 / 1000 / unlimited	Unlimited	Unlimited	?	256,000
Max number of ACL's												?	80,000
Max simultaneous VPN peers			10	25	25			0 / 2000		0 / 2000	0 / 2000	750 IPSec, 750 SSL	n/a
Model	PIX Classic	PIX 10000	PIX 501	PIX 506	PIX 506e	PIX 510	PIX 515	PIX 515e	PIX 520	PIX 525	PIX 535	ASA 5520	FWSM

---Information on models supported as of 6/27/2005 verified from Cisco's PIX Brochure (page 2) and the specific product pages

List of part numbers for PCI, ISA, and EISA expansion cards

Flash cards

??? - 512 kB ISA flash card used in the original NTI PIX, PIX Classic and 10000. It is manufactured by Productivity Enhancement Products. Aside from progressive manufacturing refinements, the 512KB and 2MB flash cards were identical aside from the chips that populated it. Both booted from a 28F256 chip, but the 512KB card only populated two of the flash sockets with 28F020 chips, while the 2MB card populated all four sockets with 29C040 chips
??? - 2 MB ISA flash card used in the PIX Classic, 10000, 510, and 520, as well as the SSG-6510 and many LocalDirectors. It is manufactured by Productivity Enhancement Products.
PIX-FLASH-16MB - 16 MB ISA flash card for the PIX 510, 520, and 535. It is manufactured by Productivity Enhancement Products.

Ethernet cards

PIX-1GE-66 - 64 bit/66 MHz PCI 1000baseSX card for PIX 53x. Based on the Intel Pro/1000-F fiber network card using the Intel TL82543GC (Intel code name "Livengood") ASIC (PWLA8490sx ). The 1000baseT variant of this card, the Intel Pro/1000-t Server adapter (PWLA8490t ), is not supported by PIX OS, due to Carrier Extension interoperability problems with early 1000baseT switch products
PIX-1GE - 32 bit/33 MHz PCI 1000baseSX card for PIX 52x. Based on the Intel PWLA8490 Pro/1000 fiber network card with the 82542 (Intel code name "Wiseman") chipset. The ASIC used on this card is the LSI L2A1157/695314-003. There is no 1000baseT variant of this card. In the release notes for PIX OS 6.02, Cisco advises against installing this card in the 525 and 535 , referencing caveat CSCdu00850, although this caveat actually only lists the PIX 535, which is the only model with a 66 MHz PCI bus.
PIX-4FE-66 - 64 bit/66 MHz PCI Four port 10/100 Fast Ethernet card. Based on the Intel 82559 chipset. Uses a DEC 21154BE bridge chip.
PIX-4FE - 32 bit/33 MHz PCI Four port 10/100 Fast Ethernet card. Based on the Intel 82558b chipset. Uses an Intel 21154AC or DEC 21154AB bridge chip.
PIX-1FE - 32 bit/33 MHz PCI Single-port 10/100 Fast Ethernet card. Based on the Intel Pro/100+ family with the 82557, 82558 and 82559 chipsets.
??? - 3COM 3c590 and 3c595 PCI NIC's occasionally found in NTI PIX, PIX Classic, 10000, 510, 515, and 520. Mentioned in version 4.4.1 install guide and supported through at least PIX OS 5.1.5 Since these are off-the-shelf PC components predating the creation of the PIX, there may not be PIX-specific part numbers for these at all.

VPN/Encryption acceleration cards

PIX-VAC-PLUS - 64 bit/66 MHz PCI IPSec Hardware VPN Accelerator Card, identified by PIX OS as a PIX-VAC+. Supported by the 515, 515e, 520, 525, and 535 running PIX OS 6.3(1) or higher. Accelerates DES, 3DES, and AES. Part number 74-3176-01. Uses the Broadcom BCM5823KPB-5 chip.
PIX-VPN-ACCEL - 32 bit/33 MHz PCI IPSec Hardware VPN Accelerator Card, identified by PIX OS as a PIX-VAC. Accelerates DES and 3DES. This is a repackaged IRE SafeNet CryptPCI 413-10004 rev 2.3 card. It uses the Analog Devices ADSP-2141L chip. Its part number is 74-1908-01.
PIX-PL2 - 32 bit/33 MHz PCI proprietary DES encryption card (discontinued and unsupported from PIX OS 6.0.1 on). It is manufactured by Productivity Enhancement Products.
PIX-PL - 32 bit/8 MHz EISA encryption card found in some early PIXes. It is manufactured by Productivity Enhancement Products.

FDDI and Token Ring cards

PIX-1TR - 32 bit/33 MHz 4/16 Mbit/s PCI Token Ring card based on the Olicom OC-3137/PE-67597 (discontinued and unsupported from PIX OS 6.0.1 on).
PIX-FDDI - 32 bit/33 MHz 100 Mbit/s SC duplex PCI FDDI card based on the Interphase 5511 FDDI card (PB05511-002). It was discontinued and unsupported from PIX OS 6.0.1 on.

Footnotes

Only the first few NTI PIXes came with the 486 processor; the rest came with a Pentium processor.
The "inside" port is connected to an internal, unmanaged, auto-polarity 4 port switch.
Restricted package / Unrestricted package limits (referred to by Cisco as R and UR/FO/FO-AA, respectively). For PIX-525, RAM configurations above 384MB are not supported by Cisco however up to 3x 256MB work for a maximum of 768MB.
According to Cisco, the 1000baseSX card is not officially supported by the 515/515e, but it will work.
VAC acceleration vs VAC+ (in parenthesis) acceleration (Implies Unrestricted package).
Older 520's made before February 2000 and with a serial number less than 18025677 shipped with a 2 MB flash card. Newer 520's shipped with a 16 MB flash card

The WS-SVC-FWM-1-K9 blade has no fixed ports or internal expansion; it makes use of either VLAN interfaces (being used by physical interfaces on a remote switch) or the physical interfaces on the switch/router it is installed in.
PIX Classic firewalls with a serial number of 06002015 or lower came with a 512KB flash card. Newer models came with a 2MB flash card

The WS-SVC-FWM-1-K9 blade only supports IPSec VPN for management. It doesn't have the ability to terminate a VPN connection for remote users.
The PIX 520 received updated PII processors as they became available, starting with the PII 233 and ending with the PII 350. The Intel-manufactured SE440BX-2 ATX motherboard in the 520 can support any Slot1 processor from the Celeron Covington, Celeron Mendocino, Pentium II Klamath, Pentium II Deschutes, and the Pentium III Katmai families, as long as the cpu uses 2.0v core voltage and can run on a 66 or 100 MHz fsb. One may also use 133 MHz FSB cpu's, but they will run at slower speeds, for example a 933 MHz cpu for 133 MHz FSB will only run at 700 MHz. A slotket can also be used to install the newer 500 MHz - 1.1 GHz Socket 370 Pentium III Coppermine cpus, as long as the slotket provides a voltage regulator and manual bus speed selector. Using the PowerLeap PL-iP3 converter, Tualatin processors can be used. A BIOS upgrade to the latest level of the SE440-BX2 is required. Using the bus-speed settings on the Powerleap, speeds of 1.6 GHz are possible.
The PIX 520 rev A firewalls may use the Intel AL440LX motherboard instead of the SE440BX-2. The AL440LX may be replaced by a SE440BX-2 motherboard, which is found in the 520 rev B.
Cannot be easily upgraded, due to clearance issues with the top cover.
In early 2005, Cisco indicated that PIX OS 7.x would only support the 515, 515e, 525, and 535, while a "stripped-down" version would eventually be released for the 501 and 506e. While not officially supported, it is actually possible to update the 506E to 7.x code by removing all GUI management software.
The maximum OS version one can run with a 512KB card is 4.2(2). The maximum OS version one can run with a 2MB card is 5.1(x). The maximum OS version with a 16MB card is 6.3(5), unless one is using a PIX 535. OS version 5.2(4) and higher explicitly does not support the Intel 440FX chipset.
Shows flash chips on the 2 MB flash card versus the chips on the 16 MB flash card.
Various models of the 525 use different flash chips, probably due to differing production runs.
Shows flash chips on the 512KB flash card versus the chips on the 2 MB flash card.
While the PIX 535 boots off of the same ISA flash card as some PIX 510's and 520's (the PIX-FLASH-16MB) its newer on-board PIX BIOS (version 4.x) overrides the PIX BIOS on the flash card (version 3.6) at boot.
Since both the 510 and 520 have standard ATX motherboards, the PCI slot count can be higher or lower than the default if the motherboard is replaced with a different one.
The performance figures cited here are highly changeable, as one can upgrade the CPU in the PIX 520 to a 1 GHz Pentium III, which will considerably increase its throughput in all of the below categories, putting it on a level with the 525 and 535.
According to a 2000 field notice, due to a "procedural error", PIX 525's with serial numbers 44480380055 through 44480480044 were manufactured with erroneous or omitted EEPROM programming in their 82559 chips that caused the onboard FastEthernet ports to behave erratically when set to full-duplex. Starting with PIX OS 5.3.1, the "eeprom update" command will reprogram the defective data and restore normal operation permanently. Viewing the field notice requires registration

Most, if not all, 525's in use today within that range have likely been corrected, but an unused or unopened unit within that range would still need the corrective action to be taken.
It is theoretically possible to upgrade the Socket 8 Pentium Pro processor in the PIX Classic and 10000 with either an Intel Pentium II Overdrive (300 or 333 MHz depending on the system bus speed)

or a Powerleap PL-Pro/II Celeron adapter

, both of which are long out of production. The Powerleap adapter natively can allow use of a 300 - 533 MHz Mendocino Celeron PPGA processor. Coupled with the Powerleap Neo S370 FC-to-PPG adapter, one can use a 533 - 766 MHz FC-PGA Coppermine-128 Celeron processor. However, the 60 or 66 MHz bus (no 100 MHz bus) and 72-pin SIMM memory limitations of the workstation-style 440FX board used limit the potential gains in performance to be had from such upgrades. Upgrading the motherboard to a compatible server-style 440FX board with DIMM slots may allow for the use of the 440FX chipset's theoretical limit of 1 GB of RAM, although if the motherboard is to be replaced, it may arguably be more cost-efficient to upgrade to a SE440BX-2 motherboard with a slocket and Tualatin Celeron CPU. It is also worthwhile to note that PIX OS later than 5.3.4 explicitly does not support the 440FX chipset.
The PIX 525 is known to come with a variety of processors including 1.65V 600MHz (SL3VH) and 1.75V 600MHz (SL5BT). It would appear that all 1.65V to 1.75V 100MHz FSB CPUs would work, this has been substantiated to 1000MHz with a SL5QV 1.75V CPU.
The first PIX Classics did not support failover. Only after this feature debuted with the LocalDirector did it come to be included in the later PIX Classics.
At least one person has successfully replaced the 506E's Celeron 300Mhz/66Mhz FSB with a Pentium III 600Mhz/133Mhz FSB CPU; Giving close to 525 specifications.