From: Davej on 11 Jan 2010 15:39

My home router finally died. It was a Linksys BEFSX41 which supposedly did SPI, but that model had a terrible reputation for unreliability. I am wondering if it would be practical for me to pick up a used PIX 501, which seems to have a superb reputation, but there are three "gotchas" I can think of...

1. I have heard the PIX require licenses -- so might a used unit refuse to do anything?

2. Is the setup extraordinarily complex? I set up the Linksys and don't need much, just a basic connection.

3. Do I need a particular 501 with particular options for an ADSL connection?

Thanks!
From: Doug McIntyre on 11 Jan 2010 17:39

Davej <galt_57(a)hotmail.com> writes:
>My home router finally died. It was a Linksys BEFSX41 which supposedly
>did SPI, but that model had a terrible reputation for unreliability. I
>am wondering if it would be practical for me to pick up a used PIX
>501, which seems to have a superb reputation, but there are three
>"gotchas" I can think of...

This is the tiny, entry level box of PIX. But at least better than something like the original 506. My main problems with 501's have been the power plug wiggling out of them. (happened on multiple ones, don't know why these seem to have more issues than others).

>1. I have heard the PIX require licenses -- so might a used unit
>refuse to do anything?

The box is licensed with a certain feature license, and as long as the license is applied and you don't wipe it out, it'll stay there. I suppose some people might wipe it, but you'll probably get the license that the box had when it was new. If you happen to get a 10-user license, it's too old to upgrade any longer, you'd be stuck with a 10-user license. If you get a box without a license, it's a boat-anchor, so I suppose most people wouldn't go to the extraordinary steps of wiping the license.

As I am wont to do, I usually push people away from PIXs, even though this is a Cisco group. I'd look for a used Fortigate 50A or 50B instead of a 501. Quite well working GUI, just as reliable. No license hassle, better performance, more features, etc.

>2. Is the setup extraordinarily complex? I set up the Linksys and
>don't need much, just a basic connection.

Do you like command-line configuration? Does configuration like

    static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255 0 0
    access-list inbound permit tcp any any eq www
    access-list inbound permit tcp any any eq smtp
    access-list inbound permit tcp any any eq domain

scare you?

There is a GUI. I'd state that you'd be pretty hard pressed to find the magic version of ancient Java on a particular old OS that might actually be able to run it.

>3. Do I need a particular 501 with particular options for an ADSL
>connection?

As long as your ADSL modem takes care of all the ADSL bits without anything else, then no. If you need to do something like PPPoE, you'll need at least 6.2 of the OS to do PPPoE in the PIX. Either way, you'd still need your ADSL modem in place.
From: Davej on 11 Jan 2010 18:20

On Jan 11, 4:39 pm, Doug McIntyre <mer...(a)geeks.org> wrote:
> [...]
> The box is licensed with a certain feature license, and as long as the
> license is applied and you don't wipe it out, it'll stay there.

OK, good.

> As I am wont to do, I usually push people away from PIXs, even though
> this is a Cisco group. I'd look for a used Fortigate 50A or 50B
> instead of a 501. Quite well working GUI, just as reliable. No license
> hassle, better performance, more features, etc.

I just want something very reliable. I don't really need much performance.

> Do you like command-line configuration?

I could get used to it.

> As long as your ADSL modem takes care of all the ADSL bits without
> anything else, then no.

OK, I was worried that a T1 (or whatever) input might be the standard and would be different from an ADSL input.
From: Doug McIntyre on 11 Jan 2010 23:50

Davej <galt_57(a)hotmail.com> writes:
>I just want something very reliable. I don't really need much
>performance.

I've had Fortigate/Netscreen/Juniper/Cisco uptime all measured in years. They all just keep going until I need to do a software update or whatever.

Other kinds that I've had to manage, not so much (i.e. Sonicwall, Watchguard).

>> As long as your ADSL modem takes care of all the ADSL bits without
>> anything else, then no.

>OK, I was worried that a T1 (or whatever) input might be the standard
>and would be different from an ADSL input.

Almost all firewalls have ethernet in, ethernet out. As long as your ADSL box terminates out to ethernet, it should be fine.

In general, there aren't many firewalls with WAN ports like T1, especially not in a small box like the 501, usually you are paying quite handsomely for that kind of box.
From: Davej on 12 Jan 2010 15:24

On Jan 11, 10:50 pm, Doug McIntyre <mer...(a)geeks.org> wrote:
> Davej <galt...(a)hotmail.com> writes:
> >I just want something very reliable. I don't really need much
> >performance.
>
> I've had Fortigate/Netscreen/Juniper/Cisco uptime all measured in
> years. They all just keep going until I need to do a software update
> or whatever.

Well, a lot of used units I see for sale look like the result of bankruptcy liquidations. Often they don't even have the power supply. I would worry that the admin password would be locked.