
Replacing Cisco PIX 520


Ver17

Technical User
Sep 24, 2004
I need to replace a Cisco 520 PIX that is not fast enough to handle the data of a rack of game servers. I was looking at a Cisco 515e but I think I would like a non-Cisco firewall with similar specifications to Cisco 506 / 515 series firewalls... mainly for price (under around 1K - 2K on eBay) and the fact that I am not a Cisco PIX expert and would like something with a more point and click user interface.

I know this is a Cisco forum but I simply don't know other companies to look into.
 
There are hacks for the PIX 520 to use faster processors. Google it.

Chucksel
 
It does use a standard Intel processor but to be honest I would rather either get a newer 1U solution or simply move towards a more plug and play type of interface. Lazy it may be, but I don't want to take the time to play with hacks on this one.
 
I can appreciate that! My approach was a money saving one. Surely you can throw money at it.

You must be banging that PIX 520 pretty hard. I have a 200 user network with 4 interfaces on my PIX and CPU utilization is not too bad. What kind of gaming?

 
The thing is, I only know Cisco routers and switches and even then not that well.... so I pay my co-location to configure and run my PIX 520. The PIX was only using a few Mbps of bandwidth with no more than a couple hundred players. The PIX was only blocking unused ports, it's not even doing any NAT, VLANs or anything advanced. The co-location facility called me recently and put me on a conference call with their security people who told me the PIX was too old and was being hammered so hard that their admins were even having problems connecting to it. They then disconnected it and sent it back to me.

To be honest I have had soooo many problems with this place where they were extremely incompetent that I can't say I believe them. Plus the same PIX was in a similar setup for about a year and it performed perfectly. No matter, I would not mind getting a smaller 1U firewall and one that is more user friendly so I can do the work myself and not pay this co-location facility $150 an hour to do nothing but screw things up again.

As far as throwing money at this problem... my company is small so I would only be able to afford 1.5K maybe 2K on a used eBay firewall. Any more than that and renting a 506e from this co-location facility might be my only option.
 
Well, listen up. These guys are screwing you over. The PIX 520 will take some serious sh@t thrown at it. We are a financial institution. Securities dealers (stocks and bonds, etc). We have NASDAQ servers and many other financial servers and T1's coming into a PIX 520. Some SERIOUS dataflow. 25+ servers on the inside interface, 15 or so routers with T1's on the DMZ interface, 10 or so T1's and servers on the vendor interface and over 100 users CONSTANTLY using apps and surfing over the internet on the inside interface. The PIX 520 barely breaks a sweat. Is it an older model? Yes! But Cisco just gets better with age. Oh yeah, by the way, they are built like M1A1 Abrams TANKS. I have never had it or any of my routers break in over 6 years.

Find yourself some REAL network guys. They are trying to use excuses for their sorry @ss bandwidth problems and/or lack of network expertise. Where are you located? I can maybe help you find someone new. I am not soliciting business here. I am a full time employed busy S.O.B. that couldn't take any side work if I wanted to. Nuff sed.

Small business owners like you are what drive the economy. Quit letting these losers suck you dry. The PIX is not so hard to understand using the PDM interface, but no doubt you WILL need to learn a bit about IP, TCP and ports.

Chuck
 
Good advice. Thanks for your time :)
 
I concur..

PIX520 is still a fast box.. and you're not even using it for NAT..

I personally would like to see the configs of how they had it configured..

If you're not using any NAT, use nat 0 and use the access-list method of defining your firewall statements..

they might be just doing the old conduit statements which are much slower than the access-lists, especially with the turbo-acl feature..


BuckWeet
 
Actually.... when I paid them to set up the firewall I asked them to send me the console printout on what they did so I could take over after the initial setup and manage the PIX myself. Here is the firewall.txt file they sent me (note: I did replace my password, external IP address and hostnames):

 
Ugg yea, get rid of those conduits, and implement NAT 0 with turbo acl's..


BuckWeet
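What BuckWeet's two replies amount to in PIX 6.x configuration terms, written out here as an added example (it is not the thread's firewall.txt, which was not preserved, and not Cisco's documentation): the conduit statements are replaced by a named access-list bound to the outside interface with access-group, NAT is switched off for the public server range with nat 0 plus an access-list (the access-list form of nat 0 is what lets inbound connections reach the hosts without a static), and Turbo ACL compilation is turned on. The addresses (203.0.113.0/24 with a single game server on 203.0.113.10) and the port 27015 are placeholders chosen for the example; the lines beginning with ! are annotations, not configuration.

```cisco
! --- old style the thread argues against: one conduit per service,
! --- searched linearly for every new connection
! conduit permit tcp host 203.0.113.10 eq 27015 any
! conduit permit udp host 203.0.113.10 eq 27015 any

! --- identity NAT: the servers keep their real public addresses;
! --- the access-list form of nat 0 permits inbound-initiated sessions
access-list NONAT permit ip 203.0.113.0 255.255.255.0 any
nat (inside) 0 access-list NONAT

! --- inbound policy: only the game service is reachable; everything
! --- else is dropped by the implicit deny at the end of the list
access-list outside_in permit tcp any host 203.0.113.10 eq 27015
access-list outside_in permit udp any host 203.0.113.10 eq 27015
access-group outside_in in interface outside

! --- Turbo ACL (PIX 6.2 and later): compiles the lists into lookup
! --- tables so matching no longer grows with the number of entries
access-list compiled

! --- remove the conduits once the access-group is in place; conduits
! --- and access-groups should not be mixed on the same interface
no conduit permit tcp host 203.0.113.10 eq 27015 any
no conduit permit udp host 203.0.113.10 eq 27015 any

! --- checks after the change
show access-list outside_in
show conduit
show cpu usage
```

The order matters on a live box: bind the access-group first, confirm that "show access-list outside_in" reports hit counts on the permit lines, and only then remove the conduits, so that the game traffic is never without a permitting rule. Anything not explicitly permitted by outside_in (management protocols included) is dropped at the outside interface, which is the behaviour the original poster described wanting ("only blocking unused ports") done with the faster mechanism.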
 
I understand only some of what you are saying... I do have a bachelor's in administration which focused on a lot of Cisco but that was a couple years ago and I have never worked on Cisco in the field. Hmmmm ACL's... it's been a while... I guess I either have to read up a lot or pay someone to set this up.

Thanks for all the help.

I'm surprised no one has asked what co-location facility I have had all this trouble with. It's one of the big popular ones, and to be honest my experience with them has been a complete incompetent nightmare on soooo many different levels. But then again that's not the point of these forums right? :)

Thanks again. At least I now know what my true options are and not only what they have told me....
 
Your PIX should have the latest firmware and then it should last you a few more years unless you get huge. BuckWeet is right, use turboACL's.

Chuck
 