PIX 506e

Hello - We are considering this firewall to go behind our Cisco 1600 router which handles our T1. We have several public IPs which are mapped to internal NATed addresses, as well as port maps. We basically have a few webservers, an email server, allow ssh to one machine, ftp to another, etc.

I have a few questions before buying the 506e:

Can it do NAT?

Can it handle mapping/portmapping our public IPs to private ones, assuming it can do NAT?

Can I configure this via a web interface, or must I use the CLI (and commands) to do the above config; or can I generate the config via some software program?

Can I have an additional router behind the firewall (which itself is behind the Cisco 1600 router) and assign this new router one of my public IPs, and that router does its own NAT and portmapping?

Does the fact that there are only two interfaces make any of this difficult?

Will it do DHCP?

The reason we are wanting a firewall (aside from being able to control it ourself, and for the other benefits) is to see if we can gain better insight into some network problems we are having (mainly spikes in bandwidth, in and out, and it maxing it out), does the 506e have robust logging, to help determine the source and destination addresses/ports of the problematic traffic?

Do the DDoS and flood thwarting capabilities work?

Would the lower-end 501 be capable of all this? I have heard it is a bit slower in many respects, including VPN encryption/decryption.

Thanks for any info., s7

Reply to
starman7
Loading thread data ...

Forgot to mention - size of network is about 50 users, about 100 devices with IP addresses, and a VOIP link to a remote location.

Reply to
starman7

The short answer is: CISCO PIX CAN DO EVERYTHING YOU LISTED.

If you are not planning to have a separate DMZ network (for example, for a public server), Cisco PIX506 is good choice for you. Theoretically you can use a PIX501 and you will not see a difference in the performance, but the list price of unrestricted PIX501 is just about $400 less than the price of PIX506. Here is a link to all features of PIX506:

formatting link
Good luck,

Mike

formatting link

Reply to
CiscoHeadsetAdapter.com

formatting link

Thanks for the info Mike. Can you clarify a little: When you say if we are not planning a DMZ network for a public server, is this something the 506 cannot do? Is a DMZ different than a vlan, can't this firewall do those? Which firewall will do DMZs? Is the logging good enough to see specific IPs source and destination, are the DDoS and flooding controls adequate? You imply the 501 may be a better choice for us? I usually like to go for a 'more than we need' approach, so what does the

506 do the 501 can't -is it VPN related?

Thanks again, s7

Reply to
starman7

To avoid future confusion, it is best to consistantly refer to the "506e" rather than the "506". The "506" has the same capabilities (so far) but it is slower with lower memory limits than the 506e.

DMZ is -usually- done by seperate physical interface. You can also do it by VLAN, if you have a WAN router than can do VLANs. There is some additional risk in doing DMZ by VLAN, as there is the possibility of "VLAN hopping attacks".

In the PIX series, the 501 and 506 and 506E are fixed configuration devices that cannot have additional physical interfaces, and all the other PIX series can have them.

In the PIX 5xx series, the 501 and 510 cannot do VLANs, and the

506 and 506E need PIX 6.3(3) or later to do VLANs; the 515, 515E, 520, 525, and 535 need 6.3(1) or later.

Yes, but there is no interactive method to really get a handle on what traffic is going where *now*.

There are no DDoS controls. There are DoS controls that apply equally to Distributed and single-source attacks. You must, though, be realistic: if you are being DDoS'd then your WAN pipe is probably filling up and nothing you can do at your firewall is going to be able to solve that.

Also be aware that the PIX is not really an IDS device. It has some IDS capabilities, but if you have reason to expect that you might be DDoS'd, then you should probably be running an IDS (or IPS, Intrusion Prevention System) as well -- and you should be considering the Cisco ASA 5500 series instead of the PIX.

The 506/506e offers:

- larger memory

- larger DHCP pool (though same size as 501 Unrestricted)

- turbo ACL support

- manual configuration of SA (Security Assocations) -- not a feature that is used very much

- OSPF

- Two 802.1Q VLANs

- more VPN peers

- faster, faster encryption

- no limit on the number of inside hosts

The 501 has 3 possible licenses. The default allows only 10 simultaneous inside hosts to talk to the outside; the second license is 50, the third is unrestricted.

Reply to
Walter Roberson

The standard warning I give here is that if you think you might be asking questions configuring PIX here, then you had best learn the CLI (possibly in addition to the GUI.) The answers here are almost always in terms of the CLI. The people who answer questions here generally don't have time to figure out and write down the long sequence of menu items and drop-boxes that are needed in the GUI to configure things that take only a few lines in the CLI.

If that is your main purpose then just configure your 1600 to SPAN or RSPAN the traffic off to a computer that is running a network analysis program. PIX are not designed to be able to correlate traffic spikes and particular traffic. You can do it to some extent, but the PIX is designed for security not for volume control.

Reply to
Walter Roberson

Walter, Thanks for those insights. For the record, I have ordered the

506e for $797.00 but can return it. The ASAs are much more $$$ correct? We can't afford a lot more than the 506e.

When you say:

can this computer be on a switch behind the 1600 with everything else, or does it have to be before the switch (on a hub), or itself have two interfaces, the other connecting to the switch (where the lan lives)?

I have used the CLI and prefer it at times, but am not an expert. So was hoping to be able to do the majority of configuration via a nice dumb web interface. Though I wouldn't expect to ask or receive much help using it.

Aside from doing NAT, and handling DHCP, host and portmapping our public IPs to private/internal ones, and a possible VPN, what functionality in the 506e is additional to the 1600 router (which can't seem to determine or log specific address/interface info, accoridng to our provider who controls it)? Is it just the logging?

We have 2 catalyst 2950 switches which sometimes provide clues to traffic spikes, and themselves have port flooding controls... Was also considering a proxy server to log traffic.

What sort of provision in the 506e would I make to assign a public IP to a router behind the 506e, is it a simple thing to do?

I appreciate your help!, s7

Reply to
starman7

You can always use PDM (PIX Device Manager). It is a GUI that can replace the CLI.

Regards, Pedro Pereira

Reply to
pmachete

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.