
PIX HELP

Status
Not open for further replies.

skk391 (Technical User, GB), Mar 3, 2009
Hello, I am currently studying for my ICND2 exam and would like to have a play around with a Cisco PIX firewall. I don't really know anything about the PIX - regarding model numbers etc. I just need a basic one.

The plan is to get my work to pay for it (but it still needs to be within some sort of budget), play around with it in a test lab (& learn) and then put it into production on a small network with about 30 users to help beef up security; I'm currently just using a basic NAT firewall. Can anyone put me on the right path regarding this?

I'm looking for something that is generally used within production networks, so that I can add the skill to my CV as well!!

Just thinking out loud, I already have a Cisco 2501 router with SDM; does this already have a basic firewall built into it? I haven't got to this stage in my studies so I don't really know what I am looking for.




many thanks
 
First, I did not know that SDM would run on a 2501! That is pretty cool if it does! The thing is that you can buy a PIX off of eBay for next to nothing for study purposes, but you will NOT be able to put that in a production environment. When you are talking about a production network then you have to purchase from a Cisco Reseller. You can locate a Cisco Reseller "Partner" here.. That would be the POC for the production side of the house. That said, the ASA is replacing the PIX lineup, so you may want to take a peek at the ASA-5505 if talking about 30 users.. There are some advantages to the ASA-5510 such as the cards that can be used with the device to support antivirus, antispyware etc. Not to mention increased performance etc. There is a compare tool that the Reseller will most likely show you.

An ASA-5505 would also be a great study tool, and where you can buy a good PIX (for your home lab) for around $200, you can get an ASA-5505 for around $350 if you keep an eye on eBay! That would be a way to future-proof your lab.. also the CCSP tests on the ASA now.. not the PIX!

I hope this helps!

B Haines
CCNA Security, CCNA R&S, ETA FOI
 
Billy,

You are correct, SDM is NOT supported on a 2500 router.


skk391,

You said -

I am currently studying for my ICND2 exam and would like to have a play around with a Cisco PIX firewall. I don't really know anything about the PIX........

WHY???? The CCNA/ICND2 DOES NOT cover the PIX at all, you have more than enough to be concerned with for the ICND2 that I would not be mixing a different command structure - the PIX has a CLI that is different than the CLI used on the routers and switches that you will see on the exam. I would not want to mix the 2 at this time :)

That's just me, I have seen students over the past 10 years have enough trouble with just what they need to know for the CCNA/ICND2 :)

The plan is to get my work to pay for it (but it still needs to be within some sort of budget), play around with it in a test lab (& learn) and then put it into production on a small network with about 30 users to help beef up security; I'm currently just using a basic NAT firewall.

And Billy is correct about the PIX: the low-end PIXes are EOL (I know the 501 and 506, I think ALL PIXes are EOL NOW) - End of Life - and have been replaced by the Cisco ASA series. It looks like Cisco will still support them until about 2012, but you better UNDERSTAND the Cisco licensing BEFORE you put them in a production network for your boss.

Learning from one in a lab is one thing; putting it into use in the real world is a whole other thing to be concerned with!!! As Billy said, TALK TO A Cisco Reseller!!!

Hope this helps!


E.A. Broda
CCNA, CCDA, CCAI, Network +
 
Thanks guys, sorry, my mistake (typo): I meant to say that the router I have in my lab is the 2801 with SDM. I was thinking about adding a decent firewall to my lab because I believe that you need to know about ACLs for the ICND2 exam and wanted to know if I needed a firewall to be able to practice the commands needed to pass the exam. Like I said, I haven't got to that section in my studies yet; I just recently passed the ICND1 exam and am planning to take the ICND2 in about 2 months.

 
skk391,

The ICND2 and CCNA are ALL based on the IOS - both CLI and SDM. ACLs and any security covered is what can be done on the routers and switches - NOT FIREWALLS like the PIX or ASA.

YES, you need to understand and be able to set up ACLs - on a router, so learn it / do it on your 2801.

So for CCNA, YOU DO NOT NEED A PIX OR ASA FIREWALL

Here is what Cisco says about the ICND 2 -

Exam Description
The 640-816 Interconnecting Cisco Networking Devices Part 2 (ICND2) is the exam associated with the Cisco Certified Network Associate certification. Candidates can prepare for this exam by taking the Interconnecting Cisco Networking Devices Part 2 (ICND2) v1.0 course. This exam tests a candidate's knowledge and skills required to successfully install, operate, and troubleshoot a small to medium size enterprise branch network. The exam covers topics on VLSM and IPv6 addressing; extending switched networks with VLANs; configuring, verifying and troubleshooting VLANs; the VTP, RSTP, OSPF and EIGRP protocols; determining IP routes; managing IP traffic with access lists; NAT and DHCP; establishing point-to-point connections; and establishing Frame Relay connections.

Exam Topics
The following topics are general guidelines for the content likely to be included on the Interconnecting Cisco Networking Devices Part 2 exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes, the guidelines below may change at any time without notice.

Configure, verify and troubleshoot a switch with VLANs and interswitch communications

Describe enhanced switching technologies (including: VTP, RSTP, VLAN, PVSTP, 802.1q)
Describe how VLANs create logically separate networks and the need for routing between them
Configure, verify, and troubleshoot VLANs
Configure, verify, and troubleshoot trunking on Cisco switches
Configure, verify, and troubleshoot interVLAN routing
Configure, verify, and troubleshoot VTP
Configure, verify, and troubleshoot RSTP operation
Interpret the output of various show and debug commands to verify the operational status of a Cisco switched network
Implement basic switch security (including: port security, unassigned ports, trunk access, etc.)

Implement an IP addressing scheme and IP Services to meet network requirements in a medium-size Enterprise branch office network

Calculate and apply a VLSM IP addressing design to a network
Determine the appropriate classless addressing scheme using VLSM and summarization to satisfy addressing requirements in a LAN/WAN environment
Describe the technological requirements for running IPv6 (including: protocols, dual stack, tunneling, etc)
Describe IPv6 addresses
Identify and correct common problems associated with IP addressing and host configurations

Configure and troubleshoot basic operation and routing on Cisco devices

Compare and contrast methods of routing and routing protocols
Configure, verify and troubleshoot OSPF
Configure, verify and troubleshoot EIGRP
Verify configuration and connectivity using ping, traceroute, and telnet or SSH
Troubleshoot routing implementation issues
Verify router hardware and software operation using SHOW & DEBUG commands
Implement basic router security

Implement, verify, and troubleshoot NAT and ACLs in a medium-size Enterprise branch office network

Describe the purpose and types of access control lists
Configure and apply access control lists based on network filtering requirements
Configure and apply an access control list to limit telnet and SSH access to the router
Verify and monitor ACLs in a network environment
Troubleshoot ACL implementation issues
Explain the basic operation of NAT
Configure Network Address Translation for given network requirements using CLI
Troubleshoot NAT implementation issues

Implement and verify WAN links

Configure and verify Frame Relay on Cisco routers
Troubleshoot WAN implementation issues
Describe VPN technology (including: importance, benefits, role, impact, components)
Configure and verify PPP connection between Cisco routers


Hope this helps!

E.A. Broda
CCNA, CCDA, CCAI, Network +
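The ACL and NAT items in the blueprint above are exactly what can be practised on the 2801 mentioned in this thread. The following is an added example (not posted by anyone in the thread, and not Cisco's own sample configuration): an IOS configuration for a two-interface branch router with a standard ACL restricting SSH access to the VTY lines, an extended ACL inbound on the WAN interface, and NAT overload for the LAN. Every address, hostname, interface role and username here is made up for the example: 192.168.10.0/24 is the LAN on FastEthernet0/0, 203.0.113.2/29 the WAN address on FastEthernet0/1, and 192.168.10.50 the admin workstation.

```cisco
! Added example configuration for a 2801 (not from the original thread).
! Addresses, hostname and username are assumptions for the example.
hostname LAB-2801
!
! SSH prerequisites: domain name, RSA key, SSHv2 only.
! "crypto key generate rsa" is typed once in configuration mode; it is not saved as a config line.
ip domain-name lab.example
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Standard ACL: only the admin workstation may open a management session.
! The explicit "deny any log" makes rejected attempts visible in the log and in counters.
ip access-list standard MGMT-HOSTS
 permit 192.168.10.50
 deny   any log
!
! Standard ACL: which inside addresses are translated (referenced by the NAT statement).
ip access-list standard NAT-SOURCES
 permit 192.168.10.0 0.0.0.255
!
! Extended ACL applied inbound on the WAN side.
! "established" only checks the TCP ACK/RST bits, so this is stateless: replies to
! UDP sessions (e.g. DNS from the inside) must be opened explicitly, and the trailing
! deny is the implicit deny made visible so "show access-lists" counts what was dropped.
ip access-list extended WAN-IN
 permit tcp any any established
 permit udp any eq domain any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface FastEthernet0/0
 description LAN (assumed inside network)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description WAN (assumed outside link)
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group WAN-IN in
!
! Port Address Translation: all of NAT-SOURCES share the WAN interface address.
ip nat inside source list NAT-SOURCES interface FastEthernet0/1 overload
!
! Local admin account; replace the placeholder secret before use.
username admin privilege 15 secret REPLACE-WITH-A-STRONG-SECRET
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 10 0
```

To check the result from the CLI: `show access-lists` shows per-entry match counters (a quick way to see whether the `deny ... log` lines are catching anything), `show ip interface FastEthernet0/1` confirms that WAN-IN is applied inbound, `show ip nat translations` lists the active PAT entries after a host on the LAN browses out, and an SSH attempt from any address other than 192.168.10.50 should be refused and logged. Note that inbound ACLs on the outside interface are evaluated before NAT un-translates the destination, which is why the WAN-IN entries match on `any` rather than on inside addresses.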
 
Gene is correct! In fact, you will not need a PIX or ASA for your CCNA Security studies either! It revolves around the IOS Based firewall.. Primarily ZBF (Zone-Based Firewall)! You will not need an ASA until you reach the CCSP level! Hope this helps! Oh, one last thing.. that 2801 will get you all the way to CCSP (and can still be used there) as long as you have something on the other end to play around with VPNs and the like!

B Haines
CCNA Security, CCNA R&S, ETA FOI
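The Zone-Based Firewall referred to above is the stateful firewall built into IOS, as opposed to the stateless `established` ACL approach of the CCNA. The following is an added example (not posted in the thread and not Cisco's reference configuration) of a minimal ZBF on the same assumed 2801 topology: FastEthernet0/0 is the LAN, FastEthernet0/1 the WAN. Interface roles, zone and policy names are assumptions for the example.

```cisco
! Added example: minimal IOS Zone-Based Firewall (not from the original thread).
! Interface roles and all names below are assumptions for the example.
!
! Which application traffic may be started from the inside.
class-map type inspect match-any INSIDE-APPS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! "inspect" builds a state entry so only the matching return traffic is allowed back;
! anything else from inside is dropped by class-default.
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect INSIDE-APPS
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
! Only one direction is defined. With no OUTSIDE -> INSIDE zone-pair, unsolicited
! inbound connections are dropped by default, so no inbound ACL is needed for that.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
!
interface FastEthernet0/0
 description LAN (assumed inside network)
 zone-member security INSIDE
!
interface FastEthernet0/1
 description WAN (assumed outside link)
 zone-member security OUTSIDE
```

Two caveats worth knowing before trying this on a lab router: once an interface is placed in a zone, traffic between it and any interface in another zone is dropped unless a zone-pair with a policy exists, so assign zones last and from the console, not over an SSH session that crosses the zones; and the router's own traffic belongs to the built-in `self` zone, which is not affected by the policy above. `show policy-map type inspect zone-pair sessions` lists the sessions the inspect engine is tracking.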
 
Billy,

I am soooo glad you added that about the PIX and ASA for CCNA Security, same for the other CCNA Concentrations.

From Kevin Wallace at Network World -

....Cisco wanted people who possessed an entry level certification to be able to set up a complete solution based on IOS technologies.

For example, if you pursue the CCNA Security Concentration, you'll focus on IOS-specific security solutions, rather than firewall, VPN, and IPS appliances. Similarly, for the CCNA Voice Concentration, you focus on IOS-based IP telephony, which leverages Cisco's UCME technology.


So if you are working on CCNA or one of the Concentrations - it is routers and switches and IOS, SDM and CLI :)


E.A. Broda
CCNA, CCDA, CCAI, Network +
 
No problemo! I honestly love the entire CCNA Concentrations! With the exception that I would have liked to see the naming convention slightly different.. IE. CCNA, CCSA, CCVA and CCWA!!! This whole CCNA Security/Voice/Wireless and basic CCNA thing is mildly annoying!

Oh and it will really be hilarious if they name the Wireless Professional cert CCNP Wireless! Which I have been reading lately!

B Haines
CCNA Security, CCNA R&S, ETA FOI
 