[Info] Cisco Firewall Learning - ASA?
What's the product being used out there as sort of an industry standard with Cisco? ASA? I know the PIX is retired, correct? What's the best to learn on, spending under $100-150? I'm guessing not an ASA. Is the PIX a good place to start?
Also on another thought... does anyone know any budget routers ($0-150) that have 3 FE ports instead of the typical 2?
Thanks in advance

There is this thread that you can go through which, I believe, answers some of your questions: » Cisco 871 speed limitations
Instead of having a 3-port router, how about a Layer-3 switch with 24 routing ports? I think we covered this on your Catalyst switch recommendation thread.

I have a Layer 3 already. I guess I'm looking to expand or complicate my setup a little bit more. It gives me a little more real-world scenario experience with more devices in the mix.
I have a diagram I made with a layout I was thinking of following. That's why I'm asking...

aryoba
MVM
2014-Jan-7 11:07 am
For most routing scenarios, Layer-3 switches should do the job. For those things that Layer-3 switches cannot (or perhaps should not) do, such as NAT or MPLS/VPLS features, a router or firewall might be a better fit.
That aside, you may want to have something like the 1811 or 1812 routers. These routers should be about the same price as or cheaper than an 1841 router, and have 8 route/switch ports in addition to the regular 2 routed ports.

to chugger93
said by chugger93: What's the product being used out there as sort of an industry standard with Cisco? ASA?
Truth to tell, in the Security arena, ABC -- Anything But Cisco. Seriously...
said by chugger93: I know the PIX is retired, correct? What's the best to learn on, spending under $100-150? I'm guessing not an ASA. Is the PIX a good place to start?
"Depends what you want to learn," would be my honest response. Remember that the ASA / PIX is in the SECURITY arena and has a different mindset than IOS / ISR routers, and from Catalyst switches. Answer the question above, and you'll get a better insight as to what equipment to aim for.
My 00000010 bits
Regards

[Diagram 1: Original Idea] [Diagram 2: Maybe Better Idea]
The reason I was asking about the 3-NIC router option was because ideally I was thinking of using my switches just as Layer 2 devices. The way my network is currently set up, my home network has to traverse the firewall to get to the Cisco lab (first picture, but there aren't 3 NICs... I'm using ProCurve VLANing for connectivity). Is this a common practice? I dunno... but it seems to be for security reasons. My other idea was to put a router inside, before the firewall (second picture), so the UTM would never be traversed. The only drawback again with this layout is that if I make changes to the Cisco, it could take down my home network as well. Yes, I make things complicated... maybe it's because I'm a newbie at this stuff.

to HELLFIRE
said by HELLFIRE: said by chugger93: What's the product being used out there as sort of an industry standard with Cisco? ASA? Truth to tell, in the Security arena, ABC -- Anything But Cisco. Seriously...
In addition to Cisco, Juniper is another big player. In some places Palo Alto, Check Point, F5, and Riverbed are implemented. Knowing all of these will definitely put anyone on the map of network security.

aryoba
to chugger93
Both network designs as depicted in the pictures are standard practice in lots of places. It all depends on how you define your security zones and how stable you wish the network to be.
If it is challenging to add a 3rd NIC to your Astaro, then you may have to use the 2nd network design instead of the 1st. With the 2nd design, you have to make sure that the 1811 (or 1841 with additional Ethernet ports) will not be part of your lab. The 1811 instead will be part of your production network.

Thanks. It's not challenging. I've already purchased the 3rd NIC and plan on rebuilding the UTM box this weekend. Then I will configure my network per diagram 1.
I also found a Cisco Catalyst 2950 12-port switch (brand new) for $35 that I was gonna go pick up from Craigslist. Then I will be all set!

to chugger93
@aryoba Wait, wait, wait... forgot Da Geek Kid's favorite -- Fortinet. If you really want to know who's in the enterprise-level market, I'd suggest looking over this graphic if you're that interested. Best of luck rebuilding the Astaro, and let us know if you get an answer to the question posed.
Regards

aryoba
MVM
2014-Jan-10 10:18 am
said by HELLFIRE: @aryoba Wait, wait, wait... forgot Da Geek Kid's favorite -- Fortinet.
In rare cases, large companies looking for a "cheap solution" to serve their managed (cloud) firewall, such as AT&T, deploy Fortinet. Large financial services such as exchanges, big banks, and big investment companies usually employ Cisco and Juniper in addition to F5, Riverbed, and some Check Point. Palo Alto is a newcomer, which came from NetScreen (and then Juniper); which is why the CLI look and feel is like JUNOS. Some neat stuff Palo Alto introduces is fancier detection and inspection, at the cost of customers' pockets (read: more expensive than Cisco and Juniper), unfortunately.

I've seen a few Palo Alto webinars... and I'd LOVE to get one for my home lab. Price-wise, do you know about what the going rate is these days, aryoba?
Regards

aryoba
MVM
2014-Jan-11 8:31 am
Your best friend for a price quote is eBay.

Wily_One
to HELLFIRE
said by HELLFIRE: Truth to tell, in the Security arena, ABC -- Anything But Cisco. Seriously...
I know, we use mostly Juniper in my company. But along the lines of the OP's question, I was thinking of going for CCNA Security to extend my CCNA when it gets close to expiring. In that context I believe the "Cisco way" is still the ASA, right?

I see almost exclusively Junipers where I am, as well.
One or two pockets use Cisco ISR with reflexive ACLs.
I've seen one or two PIX-SMs kicking around as well... and I DREAD troubleshooting on them, as I don't have a nice central management tool like NSM to manage them... though I wouldn't say NSM is God's gift to us IT monkeys in the trenches...
Regards

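As an added example, not configuration posted by anyone in this thread: the "ISR with reflexive ACLs" pattern mentioned just above, applied to the second diagram discussed earlier (an 1811 sitting between the home network and the lab, with the lab never crossing the Astaro to reach home). The hostname, the 192.168.x.x addressing, the VLAN numbers and the mapping of the 1811's switch ports to home and lab are all assumptions made for the example. Home is allowed to open sessions into the lab; the lab can only answer those sessions and is blocked (and logged) when it tries to initiate anything toward home, so a lab mistake cannot reach production. The vty access-class keeps the router's management plane reachable from home only, which is the "the 1811 is production, not lab" advice in practice.

```ios
! Hypothetical Cisco 1811 configuration constructed for this thread (assumed names and addresses).
! Assumed layout: FastEthernet0 uplinks to the Astaro inside interface (192.168.0.1),
! switch ports Fa2-Fa5 carry home/production (Vlan1, 192.168.1.0/24),
! switch ports Fa6-Fa9 carry the Cisco lab (Vlan100, 192.168.100.0/24).
hostname EDGE-1811
!
! Default lifetime of a mirrored (reflexive) entry once it stops seeing traffic
ip reflexive-list timeout 120
!
interface FastEthernet0
 description Uplink to Astaro UTM (inside)
 ip address 192.168.0.2 255.255.255.0
!
vlan 100
 name LAB
!
interface range FastEthernet2 - 5
 switchport access vlan 1
!
interface range FastEthernet6 - 9
 switchport access vlan 100
!
interface Vlan1
 description Home / production
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan100
 description Cisco lab
 ip address 192.168.100.1 255.255.255.0
 ip access-group HOME-TO-LAB out
 ip access-group LAB-TO-HOME in
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
! Traffic leaving the router toward the lab: sessions that home opens are mirrored
! (source/destination and ports swapped) into the temporary list LAB-SESSIONS.
ip access-list extended HOME-TO-LAB
 permit tcp 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 reflect LAB-SESSIONS timeout 300
 permit udp 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 reflect LAB-SESSIONS timeout 60
 permit ip any any
!
! Traffic arriving from the lab: only replies to home-initiated sessions (and ping replies)
! get back into home; anything else the lab initiates toward home is dropped and logged.
! The final permit still lets the lab reach the Internet through the UTM.
ip access-list extended LAB-TO-HOME
 evaluate LAB-SESSIONS
 permit icmp 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255 echo-reply
 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip any any
!
! Management plane belongs to production: only home addresses may open a vty session.
ip access-list standard MGMT
 permit 192.168.1.0 0.0.0.255
!
line vty 0 4
 access-class MGMT in
```

To see it working, open an SSH or HTTP session from a home host into a lab box and run `show access-lists LAB-SESSIONS` on the 1811; a dynamic entry with the swapped addresses and ports appears and ages out after the configured timeout. A session attempted from the lab toward home shows up as a hit on the logged deny line instead. Two caveats a practitioner would want: reflexive ACLs match on addresses and ports only, so protocols that negotiate a second channel (active FTP, for instance) need explicit entries or IOS's stateful `ip inspect` (CBAC) instead; and because the ACLs live on the lab-facing Vlan interface, reconfiguring that interface is the one place where a lab change can still affect home, which is the drawback the earlier post points out with this design.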
to Wily_One
said by Wily_One: But along the lines of the OP's question, I was thinking of going for CCNA Security to extend my CCNA when it gets close to expiring. In that context I believe the "Cisco way" is still the ASA, right?
I'm working on this as well. The Cisco Press books discuss the ASA in some of the chapters, but it looks like one can get away with learning on IOS to pass the test. I will soon find out when I take the test, though.