 | Firewalls Hi All
I was wondering, if I wanted to get a Cisco firewall to practice a little, which firewall should I get to start out? PIX or ASA... What model...
Any advice?
Thank you |
|
 aryoba Premium,MVM join:2002-08-22 kudos:1 | If you are talking about basic understanding and you have no experience at all with either PIX or ASA, then a PIX 515E UR license should be the least you have. When you plan to get around new features supported on OS 8.1 and later (or even new syntax on OS 8.3), then an ASA 5505 Security Plus license would be a great addition to the PIX 515E UR license. |
|
 | What is the difference between PIX 515, 515E, and 515E UD?? How many devices do I need? |
|
 aryoba Premium,MVM join:2002-08-22 kudos:1 | Here is some wiki regarding those basic differences.
»en.wikipedia.org/wiki/Cisco_PIX
How many do you need? It depends on how far you want to learn. I recall the first time I learned about PIX, I only had one PIX 501 with 10 license (the lowest model). Even without failover functionality (which is something that PIX with UR license supports), I learned about 80% of things in regard to PIX Firewall with just that one PIX 501. I only had to adjust a little when it came to failover functionality.
Having worked a long time with the older OS version (OS 6.x), I was reluctantly learning the newer version (OS 7.0) since OS 7.0 made the PIX (and ASA) look more like a router than a good-old firewall due to Cisco's intention to compete with Juniper Netscreen.
Some features that OS 7.0 supports in regard to competing with Netscreen are the concept of context (similar to virtual router in Netscreen), transparent firewall (set the firewall as a Layer-2 firewall instead of a Layer-3 firewall), and SSL termination. Some existing features are extended, such as esmtp inspection, aaa accounting command support similar to routers and switches, and AAA protocol support to include MS Active Directory LDAP authentication.
In addition, you no longer need to run GRE over IPSec to run OSPF over IPSec. Instead you can just run OSPF over IPSec directly with the newer OS version. Starting with OS 8.0, there is support for EIGRP. Some syntax changes starting with OS 8.3. |
|
 nosx join:2004-12-27 00000 kudos:5 | If you are going to work on them professionally, get a new ASA that can run 8.3. There are changes in the order of operation and configuration of important features. Don't waste time with PIX's, they are end of lifed at this point. |
|
 | reply to krock83 Depends on your budget and what you want to do. I second nosx's comments that the PIXs are EOL / EOS, so eBay's pretty much your only source for them, and what the seller offers is all you're going to get -- no 3DES licence, you're SOL.
ASAs are available via 1st and 2nd hand channels and have wide support from a retailer and from Cisco.
Regards |
|
 | reply to krock83 So what do I need these licenses for? |
|
 | reply to krock83 For the PIX: 3DES, AES (I think), increased hosts, failover functionality
For the ASA: increased hosts, more VLANs, full DMZ functionality (for the 5505 model), higher performance. See Cisco's ASA page or check the Wikipedia page on it for the difference between Base and SecPlus.
@aryoba I'm actually 2 timezones behind you 
Regards |
|
 aryoba Premium,MVM join:2002-08-22 kudos:1 | reply to krock83 Other firewalls you could consider getting for practise besides Cisco ASA/PIX Firewall are Juniper SRX (running JUNOS) and Netscreen (running ScreenOS). The lowest end of each model (Cisco ASA 5505, Juniper SRX 100, and Juniper SSG5) are comparable in price I believe. Each system (OS version 7/8 of Cisco ASA, JUNOS 9/10 of SRX, and ScreenOS 6 of Netscreen) has its own uniqueness although they are quite similar in many ways. Getting each of these products should help you get around firewall and networking even further compared to just PIX or ASA alone. |
|