I'm implementing a PIX 525 FW in my network and I have a setup as follows:
100 Mbps internet link, a web server DMZ where I have 4 web servers, an application DMZ where I have application servers, and a DB DMZ where I have my DB servers.
I'm expecting a heavy network load, and the number of users accessing my applications can reach 50,000 users and even more in the future. Based on this info, do you think I might have any problems related to scalability? Do you think that the built-in RAM, which is 256 MB, will give good performance results, or do you think I might need to upgrade my RAM?
Also, regarding RAM, is the only way to upgrade it by requesting this from the manufacturer, or can I do that by myself?
With default specs (UR - 256 MB RAM), the PIX525 can handle 280,000 concurrent connections with 330 Mbps cleartext throughput. It should be able to handle 50,000 users (concurrent?), but in terms of performance, it can be affected by other factors, such as the performance of your servers, internet link performance and so on.
However, since you are expecting 50,000 users or more, it sounds like you have critical systems/services. Maybe you should consider putting in another PIX525 (similar specs) for redundancy.
As for the RAM, I think you need to get it from Cisco, which is more reliable and tested to work fine with the PIX. Even if you managed to do it on your own, you may not be able to get help from Cisco if you hit a problem related to the RAM upgrade.
Yeah, the 50,000 users will be concurrent, and I'm even expecting this number to increase within the coming 2-3 years, as these applications are very active e-trade applications.
Do you have an idea whether each user will open one connection only or whether a single user can open multiple connections with the server at a certain time? The other point, don't you think also that since my different types of servers are in different DMZs then I might reach the maximum number of sessions allowed, assuming I have 4 web servers, 8 application servers and 8 DB servers?
From my experience, 1 user can have a single connection or multiple connections to a server, depending on the application. Are your e-trade applications linked to another server/application that will result in opening another separate session (e.g. popping up another IE session)?
PIX's concurrent session limit is counted based on active sessions collected from all interfaces.
BTW, how many PIX525s do you have right now? I think an active-active firewall setup could be the best solution if your application permits more than 1 connection per user. This will double your concurrent session capacity.
Yes, my web servers are connected to application servers, which might result in opening pop-ups and new sessions with the applications. I only have one 525, so I cannot deploy them in Active-Active; plus, I know Cisco has a lot of weaknesses in their Active-Active, which is why I don't want to go with this option.
I'm just concerned about whether the 280,000 maximum sessions capability of the 525 FW will scale in my environment. I just want a base to do my calculations on.
I agree with the active-active statement, as it is actually doing some sort of load-balanced access, e.g. if you have 2 vlans:
- vlan 100: PIX#1 active fw, PIX#2 standby fw
- vlan 102: PIX#2 active fw, PIX#1 standby fw
As for the scalability of 280K concurrent sessions, I am not sure what the best way to calculate it is, but you probably need to assume that in normal access, 1 client will use 1 session = 280,000 concurrent client accesses, or, in the worst-case scenario, 1 client will hog 5 sessions = 56,000 simultaneous client accesses.
Anyway, you could try to keep this box until it really hits the max supported sessions, then probably upgrade it to a PIX535. There are a few options to choose from.
Anyway, I have a customer who predicts 10,000 clients (min. eq 10,000 simultaneous sessions) will access their servers in the DMZ, but at any given time, max simultaneous sessions hardly hit 5,000, as clients are accessing it at different times/periods.
Thanks AK for your response. That's fine in terms of utilization from the public users' side, but what about the sessions that the web servers will open with the application servers, and the ones that the application servers will open with the DB servers? I'm concerned that this might badly affect the number of concurrent users I could have at the same time.
Don't forget that I have all of my servers connected to the same firewall but each group of them is in different zone!
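The calculation being discussed in this thread (280,000 connections divided by sessions per client, then extended to the web->app and app->DB hops that also cross the firewall because each tier is in its own DMZ) can be worked through with the small capacity model below. This is an added example, not code from the thread or from Cisco; the 280,000 figure is the one quoted above, while the per-tier fan-out and the 8 x 50 pooled app->DB connections are constructed assumptions.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Concurrent-connection ceiling quoted in the thread for a PIX 525 (UR, 256 MB RAM).
PIX525_MAX_CONNECTIONS = 280_000


@dataclass
class Hop:
    """One server-to-server hop that crosses the firewall (each tier sits in its own DMZ)."""
    name: str
    fan_out: float = 1.0        # downstream connections opened per upstream connection
    pool: Optional[int] = None  # fixed-size connection pool: count does not scale with users


def session_budget(users: int, sessions_per_user: float, hops: list[Hop]) -> dict[str, int]:
    """Connections the PIX must track on every hop, plus the grand total.

    The client->web hop is users * sessions_per_user; each later hop derives its
    count from the previous hop via fan_out, or is a fixed pool size if pooled.
    """
    counts: dict[str, int] = {}
    flows = math.ceil(users * sessions_per_user)
    counts["client->web"] = flows
    for hop in hops:
        flows = hop.pool if hop.pool is not None else math.ceil(flows * hop.fan_out)
        counts[hop.name] = flows
    counts["total"] = sum(counts.values())
    return counts


def max_concurrent_users(sessions_per_user: float, hops: list[Hop],
                         limit: int = PIX525_MAX_CONNECTIONS) -> int:
    """Largest user count whose total tracked connections stay within the limit.

    Binary search is used because pooled hops add a fixed overhead and ceil()
    makes the per-user cost non-linear; the total is still monotone in users.
    """
    lo, hi = 0, limit
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if session_budget(mid, sessions_per_user, hops)["total"] <= limit:
            lo = mid
        else:
            hi = mid - 1
    return lo


# Constructed topology: every web hit opens one app connection; the 8 app servers
# each keep a pool of 50 DB connections, so app->DB does not grow with user load.
THREE_TIER = [Hop("web->app", fan_out=1.0), Hop("app->db", pool=8 * 50)]
```

With `THREE_TIER`, 50,000 users at 1 session each consume about 100,400 tracked connections, while the 5-sessions-per-user worst case exceeds the limit; with no inter-tier hops the function reproduces the 280,000 / 56,000 figures from the thread.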