The Cisco PIX Series has been "the" well known and powerful firewall appliance of the last decade - and for some people, this decade ain't over yet.
Cisco has released the successor "ASA" some years ago, but many people still got a PIX running.
Reasons are simple: The PIX Series has an Appliance for every problem and is rock solid.
My personal experience with that Firewall Series started with a "burned out" PIX 520 (that one is getting its own entry soon ^^).
After that, I got more into Security by doing my CCNA Security studies.
While doing the CCNAS I also bought the smallest PIX, the PIX 501, from eBay for 70€ or so.
Sometime later, I discovered a dead PIX 506e in my office - and I just couldn't help myself and started taking it apart.
Shortly after disassembling it I stumbled upon this blog: http://hackaday.com/2008/09/28/upgrading-the-cisco-pix-506e/
And that looked very promising.
Cisco started upgrading some PIX Appliances with new Software Versions.
6.3.5 was the last "PIX" Software. After that, Version 7 and Version 8 were "ASA".
(While 7 was more some kind of bridge version, at least it feels like it...)
Neither my 501, 520 nor the 506e runs 7.x or 8.x - at least that's what Cisco says.
The problem is the amount of memory onboard: 501 and 506e only got 8 MB of Flash - not upgradable.
The 520 got 2 or 16 MB Flash - but ain't supported. Another problem is the amount of RAM and CPU.
So... I started on these problems.
First thing after opening the 506e was exchanging the CMOS Battery.
Seriously, I felt that this PIX was always crashing because of some dead battery.
At least, it gave me a better feeling having that thing loaded up again.
After that, I was looking for the RAM: SDRAM, 100 MHz FSB.
I looked through the inventory and found 2 bars, each 256 MB, 133 MHz.
Maybe not the best idea, the 506e is only running at 100 MHz, but worth a try.
And - it did work. So, we got the 32 MB replaced by 512 MB.
I think that should be... enough.
RAM is done, Battery replaced, but what about the CPU?
Good Question!
The 506e is running on a 300 MHz Pentium 2 Celeron (SL36A, Mendocino Core, 128 KByte L2, 2V) - not really much.
So I was looking around again and found an awesome 1 GHz Pentium 3 (SL4C8, Coppermine, 256 KByte L2, 1.7V).
After plugging it in and testing, I found out that this thing was really working. The problem was the 133 MHz FSB - so the CPU only ran at 750 MHz - more than enough!
I was seriously happy, but a problem was coming up: Heat.
The PIX 506e enclosure is really badly built: The CPU cooler is just sitting some millimeters under the hood, with no ventilation holes anywhere except at the end of the case. You can even see some dust burned into the case inlay above the CPU cooler... "nice". So - the new CPU would be really too much for this case. And my idea was correct: Some minutes after closing the case and running the firewall - the CPU got shut down because of thermal problems. Ok! What to do now? Well - the solution was easy: Just cut out the steel enclosure above the CPU cooler, put some special cloth over it - so nobody could reach in - and close the case. Problem solved.
The next question came up: Well, what did that "little tweaking" really do to the firewall?
Solution to that: Benchmark!
I fired up iperf / jperf with the following command:
bin/iperf.exe -c SERVERIP -P 4 -i 20 -p 5001 -w 512.0k -l 512.0k -f m -t 3600
1 hour, special packet size, 4 parallel threads. That should "burn-in"....
...and it did: After 20 minutes with really superior performance (CPU at 10% while delivering 92 MBit/s!) the CPU died.
And the power supply? Well - felt like it was on fire, too. Damn.
So, the CPU seemed to be too much for the little firewall...
But I didn't want to stop there.
The next burn-in, with the old CPU, took place.
Everything was fine, nothing was hurt except the dead CPU.
The firewall was running smoothly hour after hour with 100% network stress.
(With the 300 MHz CPU, the PIX was already working above 40%... well,... not as good)
Ok.
After stumbling around in my cases, I finally found the best CPU I could come up with at the moment:
SL3XY, Coppermine, 256 KByte L2, 1.65V - a Pentium 3 with 733 MHz.
And I didn't even know whether that thing was still working.
I really thought I fried it already some years earlier...
Well, it seemed like... not!
In the end, the firewall did work at 550 MHz (133 MHz FSB as well...) for over 4 hours,
26% CPU load - nice! I think that's ok (the power supply also stayed reasonably cold).
The last thing I did was installing a passive heatsink on the AGP chipset of the PIX.
It was getting hot for no reason... So... some better cooling than the naked chip itself is always nice...
So - that was the Hardware. But what about the PIX OS?
Mh...
Next Post 😉
Wow! I am working with these antiquated firewalls and running into performance issues when we really push them. Found this article to be really fascinating and I am going to try my hand at doing an upgrade. Thanks for writing this.
Hi Nico,
Mine has an SL52R (1000/256/133/1.75V). It runs at 746MHz due to the 100/133MHz difference. A sh ver gives:
Hardware: PIX-506E, 128 MB RAM, CPU Pentium III 746 MHz
I'm yet to put in 512MB of RAM as I'm yet to hunt down some 25mm high SIMMs. Anything bigger and you can't put the lid on. We're still on ADSL2 so max download speed is around 2MB/s and the old PIX506e still manages to keep up.
Matt.