Rosen500

Learn Cisco PIX or Switch/Router

I am trying to see which would be better for me to learn.  I have my CCNA so I have worked with switches and routers for testing purposes.  I haven't touched PIX yet and was wondering if I should learn that as well? I know Cisco is used in large companies and I want to make myself marketable if I should apply for a job.  I am looking for suggestions and if you don't mind, please suggest a Cisco product that you would recommend for me to use for testing and learning purposes.

Thanks
ASKER CERTIFIED SOLUTION
Joseph Hornsey
Rosen500

ASKER

Thanks for your input.  What you said makes a lot of sense. I am in a small company now and I want to make sure that I am marketable if I look for a new job.  Would you recommend me using the 501 to start off with?

How many users do you have?

<-=+=->
This will be just for me learning it for now.  I would be using this in a test environment.

Then I'd go with a used PIX off of eBay....  Look for the part number PIX-501-K9-BUN= (I think)... it's a 10-user license and you should be able to get one used for around $250 or so.

<-=+=->
Cool.  So if I start learning PIX-501 this will help me work with the other Cisco firewalls?

Definitely.  At least on the 6.x series of PIX IOS - they were the EXACT same software as on the 515s, 525s, etc.  I'm not sure about the 7.x series of PIX IOS... I just got this brand new 501 and I haven't started playing with it yet... I don't know if these come with the 7.x version or not.  I'll let you know in a few minutes.

Also, keep in mind that Cisco is rebranding the PIX series right now, but I think that the internals are the same.

<-=+=->
OK.  Would you recommend me starting out with the 6.x version instead of the 7.x version?  I appreciate your help.  You have been very helpful.

No worries; it's my pleasure.

I can't advise you on 6.x vs. 7.x because I haven't played with 7.x yet.  This 501 I just got has 6.3(5).  We've got a 7.0 image for our 515e, but I haven't loaded it yet because we had to buy a memory upgrade (which, now that I think about it, should have clued me in to the fact that a 501 isn't going to handle 7.x IOS images) and I haven't installed the memory yet.  I'm going to do that on Friday, I think.

Anyway, 6.x IOS is a great place to start... the fundamentals aren't going to change and you've got to start somewhere.  To run 7.0, you're going to have to get a 515 (used on eBay will be around $1500 or more) plus the 128MB upgrade (another $200 or more).  I think starting with a 501 will be a good start for you.

Where I really started learning was when I wanted to set up a VPN between my house and my datacenter and be able to use the Cisco VPN client to connect into either network.  First, I had to do the PIX-to-PIX tunnel.  Then I had to figure out the user tunnels and how to get those to work simultaneously.  Then I had to figure out split tunneling.  If you give yourself a project like that and start working on it, you'll learn an awful lot in a short period of time.  Also, Cisco's PIX books are pretty good, but they tend to become too vague in the VPN stuff.  Remember, Google's your friend.

<-=+=->

Oh, yeah... one other thing.  Remember how when you were doing your CCNA stuff, you learned that the Catalyst switches have a web interface and you can configure them using the web-based GUI?  Hopefully, you also found that it was a really bad idea to rely on the GUI because you're only tested on CLI.  The other thing is you learn it by using CLI, not GUI.

The PIX is the same way.  You can use the PIX Device Manager (PDM) to configure the PIX.  It's a web-based GUI and it's actually pretty good.  Don't succumb to the temptation of using it, though.  Do everything at the Command Line Interface.  You'll learn it faster and better if you use the CLI instead of the GUI.

<-=+=->
I have learned that Google is your best friend.  I think I am going to go with the PIX-501. Will I have to order any additional hardware with the PIX? Memory upgrades or anything?

Actually, that's the downside to the 501.  There are no upgrades at all (hardware, anyway... you can upgrade the number of user licenses, and you can upgrade the default encryption from DES to 3DES/AES).  So, once you get it, that's it.  You can't add an interface or memory or anything else.  For a beginner, I think this is actually an advantage.  It's a lot easier to learn because there are fewer options.

<-=+=->
That probably is a good thing.  I definitely need to keep in touch with you.  It sounds like you really know Cisco.  Thanks and the points are going to you.

Thanks for the points and the compliment.

Regarding my "expertise", I consider myself more of an "intermediate" skill level with the PIX.  If you've got questions when you start playing with the PIX, post them to the Security/Firewalls channel.  The guys there (I'm thinking primarily of lrmoore, but there are a dozen others) are scary smart at this stuff and truly are experts.

Good luck and remember to have fun!

<-=+=->
One other question I had was that I will be able to connect the PIX 501 to a cable modem, correct?

Yes or no, depending on the cable modem.  The outside interface on the 501 is an Ethernet interface.  In order for this to work, you've got to be able to deliver the internet connection over Ethernet.  I'm not as familiar with cable as I am with DSL, but from what I understand, at this level it shouldn't matter.  What you want to do is put your cable/DSL modem into "transparent bridging" mode which means that it doesn't route; rather, it simply sends traffic straight through from its outside interface (cable) to its inside interface (Ethernet).  At that point, you'd configure your outside interface on the PIX with the IP address, subnet mask and default gateway (you can use static addresses or DHCP) that was originally assigned to the outside interface of your cable modem.

Good luck!

<-=+=->
OK. The cable modem will work fine then.  It uses Ethernet.  Thanks again for the help.