Learn Cisco PIX or Switch/Router

I am trying to see which would be better for me to learn.  I have my CCNA so I have worked with switches and routers for testing purposes.  I haven't touched PIX yet and was wondering if I should learn that as well? I know Cisco is used in large companies and I want to make myself marketable if I should apply for a job.  I am looking for suggestions and if you don't mind, please suggest a Cisco product that you would recommend for me to use for testing and learning purposes.

Thanks
Asked by: Rosen500
 
Joseph Hornsey (President and Janitor) commented:

Rosen500,

Keep in mind that anything you get from us for your question is only going to be an opinion... I think if you asked 10 different people this question, you'd get 6 or 7 different answers.

In my opinion, I would go with the PIX.  Here's why:

The CCNA is a wonderful foundation as it exposes you to fundamental switching and routing.  It also goes into stuff that most people don't know how to do (or don't understand) such as VLANs and routing protocols (at least it did when I got my CCNA).  I think that the switching and routing info that you cover in the ICND courseware and books (ICND = Interconnecting Cisco Network Devices) will prepare you for about 90% of what you'll need to know on the job in the majority of corporate networks.  When I say this, what I mean is that you'll have a grasp of what needs to happen and can then Google your way around on the details.  When you go past the CCNA into the higher-level switching and routing, you're getting into stuff that becomes pretty rare.  I've been consulting for years for small to medium-size companies and I've worked with defense contractors and some big companies, too.  In all that time, I've seen ONE Catalyst 5000 series switch and I've only seen one Cisco 3600 series router (and it's mine) and a couple of 7200 series routers (at my datacenter).  In my experience, even the big companies are made up of a bunch of small networks... this might be different if you're at a university or some other campus-style organization or data heavy company like a big software developer.

The PIX, on the other hand, I see all the time.  The reason why is because it's a really, really good product and it's not all that expensive.  I mean, a PIX 506 can be had for around $1500.  A 501 is as low as $500.  So, these are products that smaller companies can afford.  Compare that to a 48 port Cisco switch at $3,000.00.  Plus, they do VPNs.  So, it seems to me that the opportunity to be needed to configure a PIX is far greater than it is for high-end routing and switching.

Keep in mind, though, that I'm very biased.  I happen to LOVE these firewalls (I just had a new unlimited license 501 put on my desk as I was typing this... we're using it in a DMZ) and I've totally enjoyed learning about VPNs, encryption, etc.

There's my two cents.  Let me know what you think.

<-=+=->
 
Rosen500 (Author) commented:
Thanks for your input.  What you said makes a lot of sense. I am in a small company now and I want to make sure that I am marketable if I look for a new job.  Would you recommend me using the 501 to start off with?
 
Joseph Hornsey (President and Janitor) commented:
How many users do you have?

<-=+=->
 
Rosen500 (Author) commented:
This will be just for me learning it for now.  I would be using this in a test environment.
 
Joseph Hornsey (President and Janitor) commented:

Then I'd go with a used PIX off of eBay....  Look for the part number PIX-501-K9-BUN= (I think)... it's a 10-user license and you should be able to get one used for around $250 or so.

<-=+=->
 
Rosen500 (Author) commented:
Cool.  So if I start learning PIX-501 this will help me work with the other Cisco firewalls?
 
Joseph Hornsey (President and Janitor) commented:
Definitely.  At least on the 6.x series of PIX IOS - they were the EXACT same software as on the 515s, 525s, etc.  I'm not sure about the 7.x series of PIX IOS... I just got this brand new 501 and I haven't started playing with it yet... I don't know if these come with the 7.x version or not.  I'll let you know in a few minutes.

Also, keep in mind that Cisco is rebranding the PIX series right now, but I think that the internals are the same.

<-=+=->
 
Rosen500 (Author) commented:
OK.  Would you recommend me starting out with the 6.x version instead of the 7.x version?  I appreciate your help.  You have been very helpful.
 
Joseph Hornsey (President and Janitor) commented:
No worries; it's my pleasure.

I can't advise you on 6.x vs. 7.x because I haven't played with 7.x yet.  This 501 I just got has 6.3(5).  We've got a 7.0 image for our 515e, but I haven't loaded it yet because we had to buy a memory upgrade (which, now that I think about it, should have clued me in to the fact that a 501 isn't going to handle 7.x IOS images) and I haven't installed the memory yet.  I'm going to do that on Friday, I think.

Anyway, 6.x IOS is a great place to start... the fundamentals aren't going to change and you've got to start somewhere.  To run 7.0, you're going to have to get a 515 (used on eBay will be around $1500 or more) plus the 128MB upgrade (another $200 or more).  I think starting with a 501 will be a good start for you.

Where I really started learning was when I wanted to set up a VPN between my house and my datacenter and be able to use the Cisco VPN client to connect into either network.  First, I had to do the PIX-to-PIX tunnel.  Then I had to figure out the user tunnels and how to get those to work simultaneously.  Then I had to figure out split tunneling.  If you give yourself a project like that and start working on it, you'll learn an awful lot in a short period of time.  Also, Cisco's PIX books are pretty good, but they tend to become too vague in the VPN stuff.  Remember, Google's your friend.

<-=+=->
 
Joseph Hornsey (President and Janitor) commented:

Oh, yeah... one other thing.  Remember how when you were doing your CCNA stuff, you learned that the Catalyst switches have a web interface and you can configure them using the web-based GUI?  Hopefully, you also found that it was a really bad idea to rely on the GUI because you're only tested on CLI.  The other thing is you learn it by using CLI, not GUI.

The PIX is the same way.  You can use the PIX Device Manager (PDM) to configure the PIX.  It's a web-based GUI and it's actually pretty good.  Don't succumb to the temptation of using it, though.  Do everything at the Command Line Interface.  You'll learn it faster and better if you use the CLI instead of the GUI.

<-=+=->
 
Rosen500 (Author) commented:
I have learned that Google is your best friend.  I think I am going to go with the PIX-501. Will I have to order any additional hardware with the PIX? Memory upgrades or anything?
 
Joseph Hornsey (President and Janitor) commented:

Actually, that's the downside to the 501.  There are no upgrades at all (hardware, anyway... you can upgrade the number of user licenses, and you can upgrade the default encryption from DES to 3DES/AES).  So, once you get it, that's it.  You can't add an interface or memory or anything else.  For a beginner, I think this is actually an advantage.  It's a lot easier to learn because there are fewer options.

<-=+=->
 
Rosen500 (Author) commented:
That probably is a good thing.  I definitely need to keep in touch with you.  It sounds like you really know Cisco.  Thanks and the points are going to you.
 
Joseph Hornsey (President and Janitor) commented:
Thanks for the points and the compliment.

Regarding my "expertise", I consider myself more of an "intermediate" skill level with the PIX.  If you've got questions when you start playing with the PIX, post them to the Security/Firewalls channel.  The guys there (I'm thinking primarily of lrmoore, but there are a dozen others) are scary smart at this stuff and truly are experts.

Good luck and remember to have fun!

<-=+=->
 
Rosen500 (Author) commented:
One other question I had was that I will be able to connect the PIX 501 to a cable modem, correct?
 
Joseph Hornsey (President and Janitor) commented:

Yes or no, depending on the cable modem.  The outside interface on the 501 is an Ethernet interface.  In order for this to work, you've got to be able to deliver the internet connection over Ethernet.  I'm not as familiar with cable as I am with DSL, but from what I understand, at this level it shouldn't matter.  What you want to do is put your cable/DSL modem into "transparent bridging" mode, which means that it doesn't route; rather, it simply sends traffic straight through from its outside interface (cable) to its inside interface (Ethernet).  At that point, you'd configure your outside interface on the PIX with the IP address, subnet mask and default gateway (you can use static addresses or DHCP) that was originally assigned to the outside interface of your cable modem.

Good luck!

<-=+=->
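
The outside-interface setup described in the answer above, as an added example that is not part of the original thread: a PIX 6.x configuration sketch for a 501 sitting behind a modem in bridging mode. The 203.0.113.x and 192.168.1.x addresses are constructed placeholders, and lines starting with a colon are comments.

```cisco
: PIX OS 6.x on a PIX 501: ethernet0 faces the bridged modem, ethernet1 is the inside switch
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 100full

: Option A - the ISP assigns the address by DHCP.
: "setroute" installs the default route supplied by the DHCP server.
ip address outside dhcp setroute

: Option B - static addressing (use instead of Option A; placeholder addresses).
: ip address outside 203.0.113.10 255.255.255.248
: route outside 0.0.0.0 0.0.0.0 203.0.113.9 1

: Inside network for the test lab (placeholder range).
ip address inside 192.168.1.1 255.255.255.0

: PAT all inside hosts to whatever address the outside interface holds.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: No access-list or static is applied to the outside interface, so connections
: initiated from outside (security0) toward inside (security100) stay denied.
```

After applying it, `show ip address` and `show route` confirm that the outside interface received an address and that a default route is present.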
 
Rosen500 (Author) commented:
OK. The cable modem will work fine then.  It uses Ethernet.  Thanks again for the help.