Cisco modem router (external ip: xxx.xxx.xxx.248, internal ip: xxx.xxx.xxx.249)
  ||
  ||  Subnet 255.255.255.248
  V
Cisco PIX 501
  ||
  ||
  V
Mail server

This mail server is currently NATed: the static command says all connections on port 25 for ip xxx.xxx.xxx.252 go to 192.168.1.10. Also, an appropriate access-list has been set up.
I would like to change the mail server ip to xxx.xxx.xxx.252, and have the PIX 501 route port 25 requests to this mail server. Does this mean I have to use up 2 more static IPs, an ip for the PIX's external interface and an ip for the PIX's internal interface? Or if you have a different way to do it, I would appreciate it if you could let me know.
I would like to change the ip address of the mail server from an internal ip address to a public ip address.
If I am not mistaken, there is something called "transparent" firewall configuration where you are doing away with NAT and only do access-list filtering.
The outside interface is running on a public address.
Not on a PIX501 you can't. They are pure NAT boxes, nothing but NAT. Even if you routed down public IPs through them, and put your internal interface on public IPs, they'd still be doing NAT internally.
The 501 doesn't support transparent mode. ASAs running new enough code can do transparent mode, but not the 501. With PCI-DSS requiring a NAT-mode firewall with private IPs anyway, and in transparent mode you need to have enough public IPs for all your systems, it's not too popular of an option. Other boxes do it better, having been around a lot longer supporting it, such as the Netscreen/Juniper or FortiGates.
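For reference, here is what the setup described in the opening post looks like as PIX 6.3 configuration. This is an added illustration, not configuration anyone posted in the thread: the interface addresses (the PIX outside address is assumed to be xxx.xxx.xxx.250 on the same /29 as the router's .249), the inside subnet mask, the ACL name and the outbound nat/global lines are all assumptions, and the xxx.xxx.xxx prefix is left as the poster wrote it.

```cisco
! ASSUMED addressing (not stated in the thread): PIX outside on the /29 next
! to the router's .249, inside on 192.168.1.0/24, default route via the router.
ip address outside xxx.xxx.xxx.250 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.249 1

! ASSUMED: hide inside hosts behind the outside interface address for outbound traffic.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

! Port-level static from the opening post: only TCP/25 sent to .252 is
! translated to the mail server. No other port on .252 is reachable.
! The PIX proxy-ARPs for .252 on the outside, so .252 is not burned on an
! interface; the only public address the PIX itself consumes is .250.
static (inside,outside) tcp xxx.xxx.xxx.252 smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0

! Inbound ACL on the outside interface. On PIX 6.x the ACL matches the
! translated (public) address; the implicit deny at the end drops everything
! else, including any non-SMTP traffic to .252.
access-list outside_in permit tcp any host xxx.xxx.xxx.252 eq smtp
access-group outside_in in interface outside
```

Two checks worth doing after applying something like this: `show xlate` should show the 192.168.1.10:25 to xxx.xxx.xxx.252:25 translation once a connection arrives, and `show access-list outside_in` hit counts should increment on the smtp line only. Note that on ASA 8.3 and later the access-list references the real (inside) address instead, so this ACL would need to be rewritten if migrated.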
For purposes of transparent firewall, which one would you recommend more Netscreen/Juniper or FortiGates?
I found the Cisco PIX 501 a very decent and solid firewall. It is highly configurable and doesn't seem to break. Would you say the same about Netscreen/Juniper or FortiGates when used in transparent mode? Also, are Netscreen/Juniper or FortiGates SIP aware?
I haven't used the new Juniper SRX's, so I can't say how stable they are. With Juniper's reputation, and past experience with the Netscreen and SSG boxes, they should be solid.
I've been using FortiGate for all my deployments in the past 3 years. I'd say they are the way to go, very solid and dependable. Huge range of products, so it may be hard to choose what you need, if you are talking about a 501, though, a 50B is plenty for your needs. The bigger ones might be nicer if you need more ports/zones for your network.
Definitely. Worlds apart from Sonicwall and the others in their class. Juniper and Fortinet make good products (like Cisco).
Yep. SIP and H.323 are fully supported. You do have to configure things specifically to recognize these protocols, so make sure to read up on the technotes.
Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, Doug McIntyre chose the tried and tested strategy of:
I regularly see you recommend Juniper here. Could you suggest an introductory guide to SSG that would make sense to someone who was familiar with IOS, ASA and SonicOS?
Hmm, I've probably been pushing FortiGate more often lately, having deployed them a lot more in the last few years than Juniper firewall setups (although I did plenty of those in the past as well, as well as PIX deployments). Plenty of transparent mode setups on either the Juniper or FortiGate setups, although not too many lately.
The SSGs are all EOL'd, replaced by the SRXs, which are vastly different boxes. The SSG was just another version of the Netscreen products. The SRX is when they converted everything over to JUNOS-ES.
I don't know of any high-level comparisons without going and getting a book for the Juniper/Netscreen ones. There are a few good ones on Netscreen Firewalls, but a couple I've read had some good high point overviews of Juniper vs. Cisco.
BUT what I usually go for is going direct to the source documentation, which all 3 companies have fully online, open to the public.
Like any computer documentation, each company has its own "style" and layout, and it does take a bit of thinking to get used to their style of doing things.
I.e. if you did want to start with the older, EOL'd SSG boxes, the Fundamentals volume of the Netscreen Concepts and Examples manual is where to start.
formatting link
Just go up one level to the directory URL for the rest of the documentation in that series, but the Fundamentals volume would be a good start.
The SRX documentation is here.
formatting link
There's not really a good starting point with the SRX. Having other JunOS experience helps a lot. I have some M series routers that I manage, but not any SRXs...
FortiNet's documentation starts here.
formatting link
They probably have the most complete WebGUI interface; you can do 99% of what you need totally within the GUI without going to the CLI. The Admin guide isn't quite as detailed as the others, but should at least show you the concepts of what it is capable of. Deeper understanding of all of them only comes after having used them for some time and deploying specific solutions.
That's not completely correct. SSG5, 20, 320M/350M/520M and 550M are still being sold. Last four (M ones) can be also converted into J-series routers and run JUNOS-ES, which would make them SRX-like.
The best way to approach SRX training (along with EX switches and J-series routers) is to sign up for the FastTrack program -
The smallest/oldest Netscreen boxes would be a step up over the 501 (granted, that's the smallest tiny Cisco PIX model as well).
The PIX line is fairly underpowered compared to everybody else. Cisco rested on not improving it for some time. The ASAs make up for it somewhat.
I don't know if you are asking about current models, or old ones you'd find on eBay though?
I'd look for newer boxes compared to older boxes though. Unlike Cisco which didn't really do much to make new models in the PIX line, Netscreen cycled through 3-4 generations, and Juniper has done 2 hardware cycles beyond that.
If you are looking for old used hardware, something like a Netscreen 5GT was quite a popular model. 75Mbps throughput, 20Mbps VPN. And you'd expect to get 75Mbps throughput, unlike a PIX 501 with its rated 60Mbps on a good day. Should be less than $100 used. I see some pretty funny fantasy prices on eBay for old gear nowadays though. (Yeah, let's see, we'll get new street price for hardware that is 10 years old, and EOL'd 5 years ago.)
But as I stated earlier, a FortiGate 50B would do linespeed filtering.
I like that they support a huge range of features, the GUI is quite usable on every desktop, only having to bop out to the CLI for a few advanced things, they don't have licensing limitations (although you have to subscribe to AV definition updates, but they are all like that), and they are rock solid. Code updates seem to be only for new features and minor bug fixes rather than any security issues. They support pretty much wirespeed for most setups.
I'm going through my list of managed boxes to find the longest uptime. Hmm, I think the uptime counters roll over after a time, but the system log messages show only two reboots in 5 years on one of my oldest boxes.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.