
PIX 501 vs. 506 Throughput and network layout

MysticLlama

Golden Member
I'm not up to date with the latest specs, so I'm trying to figure out the most cost-effective way to do this that will still work well.

General layout:

I'm going to have the following servers
2 Webservers
1 Database Server
1 Integration Server
1 Domain Controller

These will be hosted offsite at a host facility.

In my current system I use a PIX 501 on one set of adapters and 3DES VPN to the main office for connectivity, and an F5 Big-IP load balancer on the front end to serve clients.

The Big-IP will not be used in the new system, it will just use Windows NLB instead.

I'd like to use a single firewall to both protect the systems as well as build the tunnel to the main office for file deployment/replication/administration. I'm not sure how feasible this is.

The 501s that I've had for some time will do 6mb of 3DES traffic. The office is going to have 4 T1 lines, so this 6mb could be saturated at night during a content load, which seems like it would choke the firewall from servicing web clients.

Current web traffic across all systems is about 5-6mb max right now, and we'll be eliminating all of the current stuff and consolidating to this system. I'd anticipate that with performance, design, and marketing improvements planned that we'd be up to the 10-12mb range within 18 months.

A PIX 501 could do the web traffic side fine without encryption, and a second one would be able to handle the tunnel to the office, but it might be nice to use a single more powerful piece of equipment if possible.

I guess the better solution would be a 515 with the 2 webservers in the DMZ, the other three on the inside port, and the VPN available to all of them for a little more protection?

Thoughts, opinions, better ideas completely?
 
With the amount of traffic and future growth, I would use at least a PIX 506 (or the new ASA 5505), but preferably a PIX 515.
With either of these you can have a DMZ to put your webservers in and keep your DC and database server on the internal network.
An ASA 5505 or PIX 515 should have enough horsepower for 3DES traffic to meet your future growth.
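The split suggested above (the two web servers on a DMZ, the DC, database and integration servers on the inside) sketched as a PIX 6.3-style configuration. This is an added illustration, not configuration posted by anyone in the thread; the addresses, the NLB virtual IP 10.10.2.10, the database host 10.10.1.20 and the SQL Server port 1433 are all assumed values.

```cisco
! Added illustration (not from the thread): three-interface PIX 6.3 layout with
! web servers on a DMZ and DC/database/integration server on the inside.
! All addresses are constructed examples (RFC 5737 / RFC 1918 ranges).
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.10.1.1 255.255.255.0
ip address dmz 10.10.2.1 255.255.255.0
! Outbound NAT for both protected segments, pool on the outside interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
! Inside hosts are reachable from the DMZ by their real addresses (identity NAT)
static (inside,dmz) 10.10.1.0 10.10.1.0 netmask 255.255.255.0
! Publish the NLB virtual IP of the two web servers on one public address
static (dmz,outside) 203.0.113.10 10.10.2.10 netmask 255.255.255.255
! Only HTTP/HTTPS from the Internet, and only to the published web address
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
! DMZ may reach the database only on its SQL port (assumed 1433); everything
! else toward the inside is dropped, so a compromised web server gets no
! direct path to the domain controller or the integration server.
access-list dmz_in permit tcp 10.10.2.0 255.255.255.0 host 10.10.1.20 eq 1433
access-list dmz_in deny ip any 10.10.1.0 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz
```

The site-to-site tunnel to the office 515 would be layered on top of this with the usual isakmp/crypto map statements; the point here is only that the DMZ-to-inside ACL, not the interface security levels alone, is what keeps the web tier away from the DC.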
 
I haven't seen a 506 with a separate DMZ, I'll have to look for that just out of curiosity.

The 515 may be the way to go, it'll just take approval to bump the budget a little bit. The software side has gone way over, so we're trying to be conservative with the hardware, within reason, and without shooting ourselves in the foot.

The only thing I have against the 515 scenario is that I'm getting close to the price range of a new device like a Big-IP, and I already have the 501 for the tunnel end, which makes me wonder about other options.

The problem with the current Big-IP is that it's on a blade server, and I won't get any credit towards hardware when shutting down that license unfortunately.

I'll look into the asa5505, I'm assuming I can terminate a tunnel from it on the office 515, just as if I used another PIX up there since it's pretty standard VPN wise.
 
MysticLlama, if you really want Cisco, look at the ISRs like the 18xx series. The 501, 506, and 515 are pretty much dead.
 
Okay, will check out those too.

Not dead set on Cisco per se, I just currently have a 515 at the main office, and a few remote 501s, so I'd like to stay with stuff that will work together without too much of an issue, and retain some of the investment in hardware, training, and deployment time if possible.
 
If I am not mistaken, the PIX 506E with PIX OS 6.3+ has VLAN capabilities for a DMZ.
Some people I know hate the idea of a VLAN for the DMZ and prefer having a dedicated interface for it. If that is the case then you are limited to
Although I kinda agree with cmetz on using a Cisco ISR, I still think the Cisco PIX has lots more features compared to a Cisco router with the firewall IOS.
The ASA is basically a newer version of the PIX with much more powerful hardware. If your budget allows, I think the newer ASA box would do exactly what you want to do and then some 🙂
 
Well, I took a look last night at some of the features you can get on an ASA, and they look quite cool.

Next step is to talk to someone in pre-sales that is more up on the tech specs to discuss if it can do a few of the other things I've come up with that I'd like to do.

First goal is to possibly use the 515 for the new web environment, and get an ASA for the main office, the other would be to get two new ASAs. Don't really have a ballpark on street price yet until I get it spec'd out how I want, but maybe I'll be able to make it work.

So thanks for the good start so far, and I'm open for any other ideas too.
 
Originally posted by: cmetz
MysticLlama, if you really want Cisco, look at the ISRs like the 18xx series. The 501, 506, and 515 are pretty much dead.
You are right that PIXes are pretty much dead, but they were replaced by ASAs, not routers.
 