In article , Nate Goulet wrote: :Should I buy a Cisco Pix 501 and a 605 E, or two 501s?
That's 506E, not 605E.
: What are the differences?
:Also, do I really need the SmartNet service?
No.
The PIX 501 power connector is notably flaky, but instead of paying for a support contract, you could take the risk that it'll be fine for you -- and if you bet wrong you could just buy another PIX.
PIX 7.0(*) is likely to be released sometime this year or very early next for the 501 and 506E, and if you had a support contract you would be entitled to a free version update, but you certainly are not -required- to update your software, and you can always do one-off purchases of new OS versions; the one-time cost is usually no more than 3/4 of the price of a yearly support contract.
:I need to connect a remote branch to our main system using DSL.
No problem then. When your branch office connection goes down and everyone is screaming at you to get it back up, you can post about the problem on Usenet, and someone will usually answer within two or three days. Hardly any questions here go unanswered for more than 3 or 5 years, and the revised FAQ is expected to be out by 2017 at latest.
:I've been recommended a Cisco Pix 605 E for the main office, and a Cisco Pix 501 for the branch.
:The main office consists of a single Windows 2000 Server with approx. 30-35 local clients with 15-20 networked printers. I'm told the networked printers count for an IP address.
PIX 506E have no inherent limits on the number of internal IP addresses they support.
PIX 501s are limited to 10, 50, or unlimited "users". A "user" is a host with an active connection to the outside; static IP translations do -not- count against the total from boot time until there is first traffic to the address, but after that they count permanently until the PIX is rebooted.
:How complicated is it to upgrade to 50 users by the way and what's involved?
Trivial. With current software, you log in, enter a single command, and reboot to bring the new key into effect.
:Is it something I can do myself as a PC specialist, or does it require a networking expert like my MCSE?
If you can telnet or ssh, then you can easily put in a new key.
:Does the 605 E offer a lot more security protection
No, the 506E is nearly identical in command set to the 501. See the model summary I linked to above.
:Currently the branch connects to the server via a very expensive 56k dedicated line.
:The DSL connection should be much cheaper & faster as a bonus.
DSL connections are almost always less reliable than a dedicated line. If the connection is business critical, then you should go with an ISP that offers an SLA (Service Level Agreement) with an uptime guarantee sufficient for your needs; or you should put in a backup link of some sort (through a completely different company such as cable), or you should skip DSL and go for a commercial-grade technology.
:My sales rep mentioned he has never sold a Pix without the Smartnet service. He described the service as not only technical support, but as a service that sends regular updates to the routers automatically, sometimes several times a day, similar to virus definition updates. Is this being explained correctly?
No!!
The PIX has the ability to autoload new operating system updates, but the PIX operating system is usually updated only a few times per year.
There is absolutely nothing corresponding to virus definition updates for the PIX.
There is also nothing in PIX 6.x (which the 501 and 506E run) that would allow the PIX to reach out and pull in an updated configuration [e.g., because you had changed the set of locations you wanted to permit access to.] The closest to that is that you -can- have "downloadable ACLs" that will be copied in from a RADIUS server. It's not the same as what you describe.
:Are you all subscribing to this service for that reason? Is the Pix kind of worthless without this service?
We update the configuration on our PIXes every few days, but not because of deficiencies in the PIX. We are in an environment that is -required- to deny connections by default, and so we get requests to open the rules up to allow a netmeeting or an electronic journal that lives on an obscure port, etc.
:I have an MCSE that will help me hook up everything, so hopefully we won't need the Smartnet for the technical support.
: Thanks for any advice
If you are going to "set and forget" the PIXes, allowing a very specific set of ports (e.g., outward http on port 80, and so what if people start up a filesharing service), then you might be able to do without the technical support. But if you anticipate that the environment might be a bit more dynamic than that, then my -advice- is that you get the support contract for at least the first year. It literally takes -years- to learn all the ins and outs of a PIX. If your security posture is "hands on" rather than "set and forget" then chances are excellent that you'll find something you want answers on until you get more accustomed to the PIX.
As you asked for advice, I would also advise you to figure out what you are going to do if one of your PIX fries (e.g., brownout) or dies, or starts rebooting itself endlessly. What is your plan of action in such a case? If the plan is to buy a new one to replace the old, then how quickly can your supplier deliver? Do they keep stock in the city, or do they have to order them in? Will they tell you how long the longest order backlog was within the last year? Will your people still be able to work in the meantime? How much will you lose for each hour or each day that the device is out of action?
:P.S. I posted this message on a less active Cisco forum, and 2 people both agreed the 501s should be fine, and that networked printers with their own IP addresses don't count toward the licenses. Does everyone on this forum agree?
As I indicated above, any host that communicates with the outside potentially counts against the limit on a PIX 501. The PIX does not distinguish between "computers" and "printers". "Communicates with the outside" includes over the VPN. If your central site is monitoring the printers (e.g., if you are running a print server there, or you have a centralized network monitoring host), or if people sometimes print on remote printers [one of our people delivers documents to a remote office by printing to the remote printer], or if you run a centralized application (e.g., timesheet recording or accounting) that includes a "print this page to a local printer" facility, then each addressable network printer could potentially be active and counting against the 10-user license limit.
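As an added illustration (not part of the original post) of the PIX 501 "user" counting rule described in the reply above, including the point about printers: a small Python model you can feed with your own host inventory to see whether a 10-user licence would be exhausted. The class and function names and the sample events are my own constructions, and the assumption that a new host beyond the limit is refused rather than admitted is mine, not a statement from the post.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Pix501Licence:
    """Tracks which inside hosts currently count against the 501 user licence.
    Rule as described in the post: a host counts once it has talked to the
    outside (Internet or VPN) and keeps counting until the next reboot;
    a static translation is not counted until its first traffic."""
    limit: Optional[int]                       # 10, 50, or None for unlimited
    statics: set = field(default_factory=set)  # static translations configured
    counted: set = field(default_factory=set)  # hosts that talked outside since boot

    def add_static(self, host: str) -> None:
        self.statics.add(host)                 # configured, but not yet counted

    def traffic(self, host: str) -> bool:
        """Inside host (PC or printer) exchanges traffic with the outside.
        Returns False when the licence is full and this host is new (assumption:
        the excess host is refused)."""
        if host in self.counted:
            return True
        if self.limit is not None and len(self.counted) >= self.limit:
            return False
        self.counted.add(host)                 # counts permanently until reboot
        return True

    def reboot(self) -> None:
        self.counted.clear()                   # statics stay configured, stop counting

    def in_use(self) -> int:
        return len(self.counted)


def worst_case_users(pcs: int, printers: int, printers_talk_across_link: bool) -> int:
    """Planning figure: printers only count if something across the link
    (print server, monitoring host, remote users) exchanges traffic with them."""
    return pcs + (printers if printers_talk_across_link else 0)


def simulate(limit: Optional[int], events):
    """events: ('static', host), ('traffic', host) or ('reboot', None).
    Returns the licence state and the list of hosts that were refused."""
    lic, denied = Pix501Licence(limit), []
    for kind, host in events:
        if kind == "reboot":
            lic.reboot()
        elif kind == "static":
            lic.add_static(host)
        elif not lic.traffic(host):
            denied.append(host)
    return lic, denied
```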