New 515 coming in, need advice 1

[Yates76]

Hi, all.

I am the new firewall administrator with my company and we are moving from a NetScreen10 to a Cisco PIX 515.

I have never worked on one, am not exactly sure where to start. We own a class B licence, but will be using NAT. We will need to make a VPN with a win2k server. What info will I need to supply to help ya'll help me?

If anyone has ever used a NetScreen, you know I am at a severe disadvantage, because it is (IMO) firewalls for dummies. So, any advice at where I can go to learn the IOS? Any help would be greatly appreciated, and if I missed a FAQ, I apologize. New here and fairly desperate.

Thanks in advance!

James

 

[berford]

James,

Your new PIX 515 should come equipped with PIX OS v6.x and PIX Device Manager (PDM). When you take it out of the box and follow the install instructions, on power onm you will drop into the setup dialogue on a serially connected PC. That will ask you for the inside IP address, net mask, default gateway, and IP of a station you plan on running PDM from. That setup dialogue gets your PIX configured enough so that you can run PDM from a browser (via SSL). It's really pretty easy.

PDM then has it's own setup wizard. It runs because the PIX had no previous configuration (i.e. because you just ran CLI setup). That will get the PIX further configured to the point that it should be passing traffic through two interfaces (inside and outside).

For many folks PDM wil be all they ever need. My estimate is that 25% of PIX Admins will ever need to venture to the command line. While you are running and using PDM take a look at the PIX OS Command Line Interface (CLI). It's Cisco IOS-like (but not exactly IOS). It is in general very straight forward.

Liberty for All,

Brian

 

[Yates76]

Brian,

Much thanks!

But I would really like to learn Command line interface. Where is a good online site that spells out what I will need to learn?

Besides, I am tired of being a button pusher whenever I need to work on my current Firewall. I want to dig in up to my elbows in the IOS. Anyway, the more prepared I am for this bad boy, the better off I will be.

Thanks again!
James

 

[berford]

A new CLI junkie. You go. I'm a CCIE. I LOVE the CLI.

Take a look at the docs on the Cisco CD or CCO. They are pretty good.

Otherwise just try things out and see how they work.

Liberty for All,

Brian

 

[yizhar]

HI.

Few more tips:

* Check the serial number and manufacturing date of the new pix, make sure it is from the new series.
Many PIX machines have hang after a while.
Cisco has fixed some hardware problems in new models, but not sure if you're getting a new machine or one from the stock.
Take a look here:

http://www.cisco.com/warp/public/770/52.html

Also, for a big company, I suggest buying 2 PIX firewalls in failover or just placing one reserve box in the closet for use on need basis.
It will cost only about 30%-50% more of a single one.

* For learning the CLI and options of the PIX, CISCO online and printed documentations and samples can help much.
You'll need to spend some time for that, like other study tasks.

* For VPN - Use CISCO web-site for documentation and for configuration examples.
You can also use PIXCRIPT for asistant with VPN configuration:

http://teachers.sivan.co.il/yizhar#pixcript

* I also recommend PDM as a tool for basic configuration and for access-list management.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar