1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Cisco Pix 501

Discussion in 'Network Security' started by Simonvm, Oct 27, 2011.

  1. Simonvm

    Simonvm Kilobyte Poster

    Afternoon all!

    I'm going through the CCNA Security at the moment, and I'm really starting to get interested in Firewalls etc :)

    The FIREWALL and IPS course are on the future roadmap anyway, but since ASA's are a bit out of my budget I was looking at the Cisco PIX range.

    Browsing through eBay, the PIX 501 is quite affordable so I'm considering picking one up for home/lab use. My home network could use some hardening anyway :twisted:

    Some questions come to mind, though:

    - What's the best way to learn the PIX CLI (Books, sites, CBT's, ...)?
    - How would this be implemented behind a DSL Router that is performing NAT? I have a Cisco 857 as a DSL modem but the 501 cannot be used as a transparent firewall... Would I configure a transit VLAN, configure the router in bridged mode, or how would I go about this?

    Hoping someone can give me some insight on this :)
    Certifications: MCITP: EST, MCDST, MCTS, A+, N+, CCNP, CCNA Wireless
  2. craigie

    craigie Terabyte Poster

    The Cisco PIX 501 must be doing the NAT for you, this leaves you with two options:

    Option A - this requires two public IP Addresses's from your ISP, configure the Cisco 857 in No NAT mode with IP Un numbered on the Dialer0 interface and a static public IP on one of the Ethernet ports. On the PIX configure the WAN to be on the same public IP address as the Cisco 857 and then the LAN as per normal.

    Option B - you only have one public IP Address from your ISP, then you need to bin the Cisco 857 and purchase a ADSL Modem, something like the Draytek 120. This then just makes a connection to the internet and passes the IP across to the PIX using an Ethernet cable.

    Option A is what you would commonly see in the enterprise.
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  3. Rich165

    Rich165 Bit Poster

    Hi Simonvm,
    If your looking at doing CCNP Sec, I'd suggest save up for the ASA5505. I've got a pix 515e running 8.0.3 and found some stuff frustrating as the exams hovers around 8.2 and there are some differences. I'm taking the FW exam today, but afterwards I'm still planning saving up to get a 5505 to run at home. Also the 5505 will support the IPS module you'll need in for the IPS exam (and thats bloody expensive!!).
    If you decide on a bigger pix, then I'd ensure you research the licenses, its quite easy to pick up a "failover only" instead of the propper pix! I made this mistake and everytime you boot you need to issue it a " failover active" over the console before it will pass traffic, then it reboots every ~24hrs :(
    Hope this helps you chap!
    Happy studies,
    Certifications: MCSE, MCITP Server 08 & Exch07, CCNA, CCNA Sec
    WIP: ...everything else!!
  4. Simonvm

    Simonvm Kilobyte Poster

    Thanks Craigie. Unfortunately I'm just a regular DSL user, so no Static IP's :( I do have a Zyxel ADSL modem laying around which I've used in Bridged mode before so that might be a viable option.
    Thanks for making this one clear! :)


    Don't know when I'll be ready for the CCNP Security track - There's some other content I have to tackle first.
    But we have quite the Cisco stock at work, some 5505's and 5510's laying around which we can use.
    There's some sites which will get some VLAN's behind the ASA's in the near future so I'll get some hands-on there too... But thanks for the info!

    For home use I think the Pix 501 should be enough. My DSL modem is under the TV so it should be as quiet as possible :)
    Certifications: MCITP: EST, MCDST, MCTS, A+, N+, CCNP, CCNA Wireless
  5. supag33k

    supag33k Kilobyte Poster

    I agree with Rich165 as you would be better saving your shekels for an ASA5505 or better.

    I have given up on PIX lately as the tech is getting dated and there are restrictions in what you can do.

    For instance one of the lower offerings makes it impossible to route two class C and class A private addresses through a pair interfaces. The WAN interface is the WAN interface and cannot be monkeyed with to my satisfaction.

    I also like the Drayteks so that is the next cab off the rank for me...
    Last edited: Nov 16, 2011
    Certifications: MCSE (NT4/2000/2003/Messaging), MCDBA
    WIP: CCNA, MCTS SQL, Exchange & Security stuff

Share This Page