
U KNOW IT'S FRIDAY PART TROIS 1


silverhairb (IS-IT--Management, US), Dec 18, 2008
Here we are again on Friday. The net geeks gathered around the warm glow of their PCs. My wife would give me the supreme compliment by saying "Whatever." She does a lot of CAD so she's not one to criticize.

The lab is starting to take shape. 2 x 3640. One of them needs more flash - 8 meg isn't going to hack it, but somehow we were able to dig up enough ancient memory to get up to 128 meg. Also got a 3660-2FE (3662?). It's getting a memory upgrade as well. Found a couple of 128 meg ECC sticks to try. Both will need more flash, but that'll come after I make back-ups of their respective IOSs and discover how to load an IOS from rommon. I saw a procedure somewhere. Then I might try a version or two of IOS that wouldn't fit in the old memory configs. Also have a couple of 831s with maxed memory that I might find useful.

Enough of this meaningless babble. Time to move on to other meaningless babble.


[the other] Bill
 
One of these days, I'm going to have to start picking up some newer equipment. My 2507s just aren't going to cut it anymore, but I do have a pair of 2600s sitting here that I've been waiting to take home.

I did see something kind of funny on CDW yesterday. 3 options for an ASA5505. A 10 user license, a 50, and an unlimited. The 10 user was like $450, and the unlimited was around $650. Just struck me funny that for only about $200 more you could get the unlimited user. Got looking at it since we are working on buying a different house, and I'll have to be changing out my internet connection. Time to put in a real firewall.
 
lerdalt,

Another Friday - just got home from lunch :)

I have been running IPCop (Linux firewall) on a dedicated computer - Dell Precision P3 with two 600 MHz CPUs, 1 GIG of DRAM and 4 NICs (1 WAN, 2 LAN and 1 DMZ). Once IPCop is set up it can run headless; you monitor it through the browser, so it does not need a keyboard, mouse or monitor.

You can use just about any old computer as long as it can hold at least 2 NICs and about 2 GIGS on a hard drive. Because I have a fast FIOS connection I wanted the firewall to be able to keep up with the traffic. I have seen some refurbished IBM P4's for about $150 at Tiger Direct that would make a nice dedicated firewall - just make sure you have the PCI slots for NICs.

My home network -

Code:
                 |---831   ---|                  |---LAN Cisco Hub - test network
FIOS---Cisco Fast|---2651XM---|Cisco Fast---IPCop|---LAN 2924 - My PC's 
       400 Hub   |---Linksys--|400 Hub           |---DMZ Cisco Hub - Not used YET

The Cisco 831 and Linksys are all wired and set up but are off; if I am testing the 2651XM or have any issues I can turn my "border" router off (the 2651) and turn on one of the 2 backups - the 831 or the Linksys. For a while I even had an old Gateway P3 500 running IPCop also as a backup to the Dell IPCop firewall, but it is completely out of the loop right now; might get one of the IBMs and make the Dell a backup (turned off).

Hope this helps!

E.A. Broda
CCNA, CCDA, CCAI, Network +
 
Helps a ton. I took a look at IPCop and was originally going to try and run it on a solaris box, but ran into some snags with it. Thinking picking up the asa to use would be a good step if I wanted to start down the CCSP road.

Of course, right now, I'm leaning more towards doing some of the CCVP stuff, since the Cisco Voice solution is coming to an organization near me.
 

lerdalt,

I have a Cisco PIX 501 sitting here next to me, but it is 10baseT, so I have just played with it a little. I am looking to pull the Cisco 2924 and replace it with an HP ProCurve 8 port GIG switch - all my PCs have GIG NICs so at least my LAN will be GIG.

I also almost got a PIX 520 on eBay, but they are P2s and P3s so they are getting dated and I don't think you can get any updates any longer - for home it should be fine and as the price drops I might get one and use it as a backup.

I have also looked at the Cisco ASA's but my main computer at home is 3 years old now, so it is time for an upgrade and I have a nice Sony 37 inch flatscreen calling my name to watch the Superbowl :)

The price is right for IPCop - FREE and using a computer that would not be used for much else!!

E.A. Broda
CCNA, CCDA, CCAI, Network +
 
I've got a pix 501 sitting on a shelf at work that I thought about grabbing. Depending on what I end up doing for an internet connection, the 10baseT might be just fine. I'm still kind of in no-mans-land, so I can't get anyone to do a FIOS for me.

 
I stand on top of my ethernet wire with a baseball bat. No problems yet (knock on wood).

Burt
 
"I stand on top of my ethernet wire with a baseball bat. No problems yet (knock on wood)."

I'm sitting here discussing your post with a glass of particularly nice pinot noir trying to figure out exactly what you're saying.

So your ethernet wire has a baseball bat? What's it like to stand on top of the ethernet wire when the wire doesn't have a bat? Or is the bat standing next to you when you're on the wire, is the bat your friend? Are you knocking on the bat?

Inquiring minds want to know. (LOL)

(Did you hear about the manuscript Mark McGwire's brother wrote?)

[the other] Bill
 
Yes, heard the manuscript---he is an admitted juicer too.

What I MEANT to say is...

I stand on my baseball bat with my ethernet wire. No problems yet, knock on copper.

Burt

 
Wow... I must be drunk. I would have sworn I read that as you stand on your baseball bat swinging an ethernet cable at the token as it comes through...

Dang..and I wanted to go drink some more tonight...
 
"I stand on my baseball bat with my ethernet wire. No problems yet, knock on copper."

Now that I'm deeper into that bottle of nery vice pinot noir, that makes perfekt cents. (lol)

[the other] Bill
 
"Wow... I must be drunk. I would have sworn I read that as you stand on your baseball bat swinging an ethernet cable at the token as it comes through...

Dang... and I wanted to go drink some more tonight..."

That's how I read it and I'm not drunk. Let me try that again. I'm not drunk by MY standards. I have hery vigh standards. Blood alcohol content needs to be huch migher to meet my stenderds for infoxicration. (lol)

[the other] Bill
 
Burt,

I have heard of that "Mark McGwire" firewall, I have often sat here with my 9mm and shot at the bad packets as they cross the copper :)

Bill - glad that it "makes perfekt cents" you are fitting in better everyday here!!

Billy must be out defending our country :)

lerdalt - the PIX 501 is very fast for a home network unless you get one of these newer 25 Mbps or 50 Mbps fiber or cable connections. The PIX IOS is just a little different than a router IOS.

I was telling Bill in an email that I had tried a 2514 with 16/16 several years back with a (I think) 12.3 security firewall - I know it was a security IOS and it was one of the last for the 2500 - it was DOG SLOW - I mean DIAL UP DOG SLOW - the old dial up on a bad day SSSSLLLLLOOOOO :) Took it out and put in the Cisco 831, which is 10BaseT but very fast, which replaced the Linksys. The 2651XM replaced them all. I had a D-Link that FIOS gave me when I had that installed, but it died after about 1 year.

I still remember the FIOS tech who installed it asking if I needed help until he came in my home office and saw a rack of Cisco routers, switches and hubs and 6 computers around the room all hooked up to DSL. He laughed and said he was going to ask if I was sure I had a NIC in my PC :)

He was a good tech - had been working for Verizon for like 15-20 years as an installer! I have been happy with FIOS!

E.A. Broda
CCNA, CCDA, CCAI, Network +
 
haha.. that reminds me of years ago, in the dial up days, I had trouble with my internet. Did some basic troubleshooting, and had like 20 minutes on hold for support. Got the first level support and told them their DNS server was having problems. He was like, how did I know... rattled off all the stuff I tried, he transferred me to 2nd level. I continued my work while waiting on hold. Got to the 2nd level tech, told him which of their DNS servers was down.. got put on hold, came back and said "yep, you're right, our DNS is having problems." Was so nice to waste like an hour on the phone only for them to give me no ETA on when it'd be fixed.

 

Replaced an 831 running in front of a Motorola DSL modem last month. It seemed faster than the Cisco specs, peaking at over 5 Mbps - I even saw almost 6 Mbps spurts on a 6 Mbps DSL-over-POTS line. Only had a very basic firewall running, which probably helped keep performance a little higher. Was running 12.3(14) or something close. Very stable.

On an 877 now (thanks for the help Burt/Tim!) and it's another set it and forget it router, another Cisco Energizer bunny of home routers.

Now I've got that 831 and its back-up 831 in "the lab" until I decide what to do with them.

[the other] Bill
 
Ciscoguy,
I wonder if there are actual recommendations out there regarding the hardware for IPCop.. Just wonder what it would take to make it fail over.. May be a fun little project after CCNA sec! (I test Feb 28).. Also, does it fail closed by default (probably so, which is a good thing).. It's easy enough to fingerprint.. SSH daemon runs on 222, not 22!

Truth is all I have read are good things about IPCop though!

B Haines
CCNA R&S, ETA FOI
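The fingerprinting remark above (IPCop's SSH daemon on 222 rather than 22, as B Haines states) is worth seeing in code. The following is an added example, not part of the original thread and not IPCop's own code: an SSH server sends its identification string first (RFC 4253 section 4.2, "SSH-protoversion-softwareversion SP comments"), so a plain TCP connect and read is enough to tell which port a daemon answers on and which software it is. The port list (22, 222, 2222) and the sample responses are assumptions constructed for the example; run the live probe only against hosts you own.

```python
"""Added example: locate and identify an SSH daemon on non-default ports.

Not IPCop code. Sample responses are constructed, not captured from any host.
"""
import re
import socket

# Identification string per RFC 4253 section 4.2:
#   SSH-protoversion-softwareversion SP comments CR LF
_ID_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")


def parse_ssh_banner(data):
    """Parse raw server output into protocol/software/comment, or None.

    RFC 4253 lets a server send other lines before the SSH- line (banners,
    warnings), so skip until the first line that starts with 'SSH-'.
    Protocol '1.99' means the server speaks both SSH1 and SSH2.
    """
    for line in data.splitlines():
        line = line.strip()
        if not line.startswith("SSH-"):
            continue
        match = _ID_RE.match(line)
        if match is None:
            return None
        return {
            "protocol": match.group("proto"),
            "software": match.group("software"),
            "comment": match.group("comment"),
        }
    return None


def grab_banner(host, port, timeout=3.0):
    """Connect and read whatever the service says first.

    SSH servers speak first, so nothing is sent. Returns None when the port
    is closed, filtered or silent within the timeout.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            return sock.recv(512).decode("ascii", errors="replace")
    except OSError:
        return None


def find_ssh(host, ports=(22, 222, 2222)):
    """Probe each port (assumed list) and return {port: parsed banner}."""
    found = {}
    for port in ports:
        raw = grab_banner(host, port)
        if raw is None:
            continue
        parsed = parse_ssh_banner(raw)
        if parsed is not None:
            found[port] = parsed
    return found


# Constructed sample responses for offline use (not real captures).
SAMPLE_RESPONSES = {
    22: "HTTP/1.1 400 Bad Request\r\n",
    222: "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n",
    2222: "Welcome to the jump host\r\nSSH-1.99-OpenSSH_3.9p1\r\n",
}


def find_ssh_in_samples(responses=SAMPLE_RESPONSES):
    """Same classification as find_ssh, but over the constructed samples."""
    found = {}
    for port, raw in responses.items():
        parsed = parse_ssh_banner(raw)
        if parsed is not None:
            found[port] = parsed
    return found


if __name__ == "__main__":
    import sys

    # With a host argument, probe it live; without one, use the samples.
    results = find_ssh(sys.argv[1]) if len(sys.argv) > 1 else find_ssh_in_samples()
    for port, info in sorted(results.items()):
        comment = info["comment"] or ""
        print(f"{port}/tcp: SSH {info['protocol']} {info['software']} {comment}".rstrip())
```

Moving sshd to 222 hides it from a default scan of port 22 only; any scanner that reads banners on a handful of common alternates finds it just as quickly, which is the point of the "easy enough to fingerprint" remark. The protocol version in the banner is the more useful finding: a 1.99 or 1.x answer means SSH1 is still enabled.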
 

Billy,

I think IPCop will run on a 386 and a 500 MB hard drive :) :) you can even have it load from a CD in the CD-ROM drive (I think), but if power goes out you have to set it up again :-(

Yes, the site does discuss the min hardware and it is like a 386 or 486 :)

As far as fail-over like the PIX, I have never seen anything about it, but I have seen network maps - BIG network maps in Network World of some LARGE companies - and they have IPCop tagged on the firewall; the story was about something else so they only briefly said something about the firewall being Linux based!!!

My setup is very easy for fail-over since all my network gear is controlled by 4 - 5 switch under-monitor power controllers with those lighted switches that control CPU, Monitor, Printer and AUX 1 and AUX 2. I just made new labels with my P-Touch labeler - 831, 2651XM, Linksys, FIOS Hub, IPCop1, IPCop2, Red Network (Cisco Fast 400 hub), Green network (Cisco 2924), DMZ (Cisco Fast 400 hub), Blue Network (Cisco Fast 400 hub).

It is not instant failover, but if I have an issue, I switch the 2651XM off and the 831 on; if the firewall is funky, I switch IPCop1 off and IPCop2 on; and one time when I thought I had a rogue installer doing something on a new PC, I just switched the FIOS hub off and no more physical connection to the Internet - let's see a hacker beat the defense of no electricity :)

For home it works; for a company I am sure, since it is Linux (if I knew more about all the controls of Linux), it could be set up automatically - I am just NOT a Linux guru - I just play one on Tek-Tips :)

E.A. Broda
CCNA, CCDA, CCAI, Network +
 
LoL.. That is a nice setup.. I want to play with IPCop later on down the line.. Toying with Shorewall (Shoreline Firewall) in my spare time now.. Not a big Firestarter fan! but that is for the laptop.. Not currently running a standalone server-based firewall on the net!

B Haines
CCNA R&S, ETA FOI
 