Cisco PIX 501 and 506 VPN Clients

The following two PIX Firewall models are commonly used as VPN clients:
■ PIX 501
■ PIX 506/506E
The PIX 501 delivers enterprise-class security for small offices and telecommuters. For small
offices with always-on broadband connections, the PIX 501 provides security functionality,
numerous networking features, and powerful remote management capabilities in a compact
single-box solution.
Up to four individual systems can share a single broadband connection, using the integrated
four-port auto-sensing, auto MDIX switch for the inside interface. Like the Hardware Client,
this switch eliminates the need for crossover cables when connecting a device to a port. The
Ethernet ports support 10/100BASE-T (100BASE-T with the 6.3 software release). The PIX
501 also provides an RS-232 console port interface (RJ-45 connector and 9600 baud).
The PIX 506/506E lets companies use the Internet to give users secure remote access
from home. It delivers full firewall protection in conjunction with
IPSec and VPN functionality. Connecting simultaneously with up to 25 VPN peers, the PIX
506/506E provides a complete implementation of IPSec standards. It comes with two
integrated 10/100BASE-T (100BASE-T with the 6.3 software release) ports in a compact
platform (8 inches by 12 inches by 1.7 inches). Updates to image files are downloaded using
the Trivial File Transfer Protocol (TFTP).
NOTE Both Hardware Client models have one public Ethernet interface. The difference
between the two Hardware Clients is that the 8E has eight private 10/100BASE-T ports
instead of only one. These eight ports utilize auto Medium Dependent Interface Crossover
(MDIX) technology that eliminates the need for crossover cables when connecting a device
to a port.
Cisco Easy VPN Remote Router Clients
To provide a comprehensive solution, Cisco Easy VPN also supports several router-based
clients. You can use the following router platforms as Cisco Easy VPN remote clients:
■ Cisco 800 Series routers (806, 826, 827, 828)
■ Cisco 900 Series routers (uBR905, uBR925)
■ Cisco 1700 Series routers (1710, 1720, 1721, 1750, 1751, 1760)
Cable modems, xDSL routers, and other forms of broadband access provide Internet access,
but many situations require VPN connections to secure data that traverses the Internet.
Establishing a VPN connection between two VPN endpoints, however, can be complicated
because it usually requires coordination between administrators to perform the tedious tasks
necessary to define the connection parameters.
Cisco Easy VPN Remote eliminates most of the tedious work by implementing the Cisco
VPN Client protocol. This protocol allows many of the VPN parameters to be configured on
the access server. Once the access server is configured, the additional configuration on the
VPN Client is minimal. When the IPSec client initiates the VPN connection, the VPN remote
access server pushes the required IPSec policies to the IPSec client and creates the
corresponding IPSec tunnel.
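The minimal client-side configuration described above, shown as an added example that is not part of the original text: a PIX 501 or 506/506E set up as an Easy VPN Remote device with the PIX 6.x vpnclient commands. The server address (192.0.2.1), the group name, the user name, and both secrets are placeholders, not values from this page.

```cisco
: Added example: PIX 501/506E as an Easy VPN Remote client (PIX 6.x syntax).
: All names, addresses and secrets below are placeholders.

: Easy VPN Server (the access server) that the client connects to
vpnclient server 192.0.2.1

: client-mode hides the inside hosts behind PAT;
: network-extension-mode would expose the inside subnet to the central site
vpnclient mode client-mode

: Group name and pre-shared key used for IKE phase 1
vpnclient vpngroup EXAMPLE-GROUP password EXAMPLE-GROUP-KEY

: Credentials answered to the server's username/password challenge
vpnclient username example-user password EXAMPLE-XAUTH-PASSWORD

: Start the Easy VPN Remote feature
vpnclient enable
```

Everything else (IPSec policies and mode configuration attributes) is pushed by the Easy VPN Server. Because the group key and user credentials are stored in the device configuration, restrict console and management access to the PIX and protect any saved copies of its configuration.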
Easy VPN Remote Connection Process
When the Easy VPN Remote Client initiates a connection with the Easy VPN Server gateway,
the interaction between the peers involves the following major steps:
Step 1 VPN Client initiates the IKE phase 1 process.
Step 2 VPN Client negotiates an IKE SA.
Step 3 Easy VPN Server accepts the SA proposal.
Step 4 Easy VPN Server initiates a username/password challenge.
Step 5 Mode configuration process is initiated.
Step 6 IKE quick mode completes the connection.
NOTE Before software release 6.3, the Ethernet ports on the PIX 501 and 506/506E were
10BASE-T. After upgrading to the 6.3 software release on either the PIX 501 or 506/506E,
these ports become 10/100BASE-T ports. This speed enhancement is accomplished strictly
by a software update (no hardware upgrades are necessary).