Cisco Pix 501

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Afternoon all!

I'm going through the CCNA Security at the moment, and I'm really starting to get interested in Firewalls etc

The FIREWALL and IPS course are on the future roadmap anyway, but since ASA's are a bit out of my budget I was looking at the Cisco PIX range.

Browsing through eBay, the PIX 501 is quite affordable so I'm considering picking one up for home/lab use. My home network could use some hardening anyway

Some questions come to mind, though:

- What's the best way to learn the PIX CLI (Books, sites, CBT's, ...)?
- How would this be implemented behind a DSL Router that is performing NAT? I have a Cisco 857 as a DSL modem but the 501 cannot be used as a transparent firewall... Would I configure a transit VLAN, configure the router in bridged mode, or how would I go about this?

Hoping someone can give me some insight on this

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

The Cisco PIX 501 must be doing the NAT for you, this leaves you with two options:

Option A - this requires two public IP Addresses's from your ISP, configure the Cisco 857 in No NAT mode with IP Un numbered on the Dialer0 interface and a static public IP on one of the Ethernet ports. On the PIX configure the WAN to be on the same public IP address as the Cisco 857 and then the LAN as per normal.

Option B - you only have one public IP Address from your ISP, then you need to bin the Cisco 857 and purchase a ADSL Modem, something like the Draytek 120. This then just makes a connection to the internet and passes the IP across to the PIX using an Ethernet cable.

Option A is what you would commonly see in the enterprise.

 

Hi Simonvm,
If your looking at doing CCNP Sec, I'd suggest save up for the ASA5505. I've got a pix 515e running 8.0.3 and found some stuff frustrating as the exams hovers around 8.2 and there are some differences. I'm taking the FW exam today, but afterwards I'm still planning saving up to get a 5505 to run at home. Also the 5505 will support the IPS module you'll need in for the IPS exam (and thats bloody expensive!!).
If you decide on a bigger pix, then I'd ensure you research the licenses, its quite easy to pick up a "failover only" instead of the propper pix! I made this mistake and everytime you boot you need to issue it a " failover active" over the console before it will pass traffic, then it reboots every ~24hrs
Hope this helps you chap!
Happy studies,
Rich

 

Thanks Craigie. Unfortunately I'm just a regular DSL user, so no Static IP's I do have a Zyxel ADSL modem laying around which I've used in Bridged mode before so that might be a viable option.
Thanks for making this one clear!

Rich

Don't know when I'll be ready for the CCNP Security track - There's some other content I have to tackle first.
But we have quite the Cisco stock at work, some 5505's and 5510's laying around which we can use.
There's some sites which will get some VLAN's behind the ASA's in the near future so I'll get some hands-on there too... But thanks for the info!

For home use I think the Pix 501 should be enough. My DSL modem is under the TV so it should be as quiet as possible

 

I agree with Rich165 as you would be better saving your shekels for an ASA5505 or better.

I have given up on PIX lately as the tech is getting dated and there are restrictions in what you can do.

For instance one of the lower offerings makes it impossible to route two class C and class A private addresses through a pair interfaces. The WAN interface is the WAN interface and cannot be monkeyed with to my satisfaction.

I also like the Drayteks so that is the next cab off the rank for me...