My home router finally died. It was a Linksys BEFSX41 which supposedly did SPI, but that model had a terrible reputation for unreliability. I am wondering if it would be practical for me to pick up a used PIX
501, which seems to have a superb reputation, but there are three "gotchas" I can think of...
I have heard the PIX require licenses -- so might a used unit refuse to do anything?
Is the setup extraordinarily complex? I set up the Linksys and don't need much, just a basic connection.
Do I need a particular 501 with particular options for an ADSL connection?
This is the tiny, entry level box of PIX. But at least better than something like the original 506. My main problems with 501's have been the power plug wiggling out of them. (happened on multiple ones, don't know why these seem to have more issues than others).
The box is licensed with a certain feature license, and as long as the license is applied and you don't wipe it out, it'll stay there. I suppose some people might wipe it, but you'll probably get the license that the box had when it was new. If you happen to get a 10-user license, its too old to upgrade any longer, you'd be stuck with a 10-user license. If you get a box without a license, its a boat-anchor, so I suppose most people wouldn't go to the extraordinary steps of wiping the license.
As I am want to do, I usually push people away from PIXs, even though this is a Cisco group. I'd look for a used Fortigate 50A or 50B instead of a 501. Quite well working GUI, just as reliable. No license hassle, better performance, more features, etc.
Do you like command-line configuration? Does configuration like
255.255.255.255 0 0 access-list inbound permit tcp any any eq www access-list inbound permit tcp any any eq smtp access-list inbound permit tcp any any eq domain
scare you?
There is a GUI. I'd state that you'd be pretty hard pressed to find the magic version of ancient Java on a particular old OS that might actually be able to run it.
As long as your ADSL modem takes care of all the ADSL bits without anything else, then no. If you need to do something like PPPoE, you'll need at least 6.2 of the OS to do PPPoE in the PIX. Either way, you'd still need your ADSL modem in place.
I've had fortigate/Netscreen/Juniper/Cisco uptime all measured in years. They all just keep going until I need to do a software update or whatever.
Other kinds that I've had to manage, not so much (ie. Sonicwall, Watchguard).
Almost all firewalls have ethernet in, ethernet out. As long as your ADSL box terminates out to ethernet, it should be fine. In general, there aren't many firewalls with WAN ports like T1, especially not in a small box like the 501, usually you are paying quite handsomely for that kind of box.
Well, a lot of used units I see for sale look like the result of bankruptcy liquidations. Often they don't even have the power supply. I would worry that the admin password would be locked.
Password recovery on all three vendors I mention above is somewhat easy.
Netscreen/SSG enter the serial # for both username/password on the console port.
PIX requires you to download the password recovery from CCO (or somebody you know that has access), and netboot off that image and it'll wipe the password.
Fortigate is simular to the Netscreen, login on the console port with 'maintainer' & 'bcpb'. There's one other pattern for older Fortigate, but you can google those.
Sure, those boxes worked well, they are everywhere, I still have a few in production. The GUI is okay, a few browsers choke on it. No new software updates for them, but that doesn't sound like its a factor in your plans.
So, with a unit like that is there anything particularly useful that can be done with the added flexibility? I mean compared to a simple unit like my old Linksys?
It depends quite alot on what you want to do. Ie. you have alot more flexibility, but unless you need it, it'll mainly sit there.
One thing that I find much nicer with this class would be that protocols like FTP work cleanly without having to do some tricks that is sometimes needed.
Doing VOIP calls with SIP and H.323 would work that just isn't going to function well with the Linksys.
And of course, it'll be more stable. I'm sure I have one with uptime greater than 18-24 months.
Hmmmm.... can't log into console port or telnet port either. Tried both netscreen and serial number. Also tried the reset button. Current bootup looks like this...
NetScreen NS-5GT Boot Loader Version 2.1.0 (Checksum: 61D07DA5) Copyright (c) 1997-2003 NetScreen Technologies, Inc. Total physical memory: 128MB Test - Pass Initialization.... Done Hit any key to run loader Hit any key to run loader Hit any key to run loader Hit any key to run loader Loading default system image from on-board flash disk...00%..23%..54%..
Juniper Networks, Inc NS-5GT System Software Copyright, 1997-2004
Version 5.1.0r1.0 Load Manufacture Information ... init manufacture info Done Load NVRAM Information ... (5.1.0)Done Install module init vectors allocating 33558528 bytes for memory disk Formatting RAM disk...
Initialize FBTL.... Done Initial port mode home-work(2) Install modules (00a80000,01038788) ... load dns table : dns table file do not exist.
Initializing DI 1.1.0-ns b35efc0211001005 System config (1782 bytes) loaded . Done. Load System Configuration ........................................... ..................................................................... ......................................Done system init done.. login: System change state to Active(1)
I finally got it to allow me to log in. I guess my first reset button attempt did not complete with success. After another attempt the console reported "Configuration Erase sequence accepted, unit reset." I was then able to log in over telnet. The console port is still not responding to input although I see output there.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.