Latest PIX software that can be used for Production

Hi Cisco Experts,

I need help in deciding the best software to use on a PIX 525E in a production environment.

I was a bit confused by the versions.
----------------------
The latest releases currently available are:

pix721.bin     PIX OS version 7.2(1)                                 7.2.1.ED   31-MAY-2006
asdm-505.bin   Cisco Adaptive Security Device Manager for PIX 7.0    5.0.5      14-APR-2006
pix705.bin     PIX OS version 7.0(5)                                 7.0.5.ED   14-APR-2006
asdm-512.bin   Cisco Adaptive Security Device Manager for PIX 7.1    5.1.2      15-MAR-2006
pix712.bin     PIX OS version 7.1(2)                                 7.1.2.ED   15-MAR-2006
asdm-511.bin   Cisco Adaptive Security Device Manager for PIX 7.1    5.1.1      06-FEB-2006
pix711.bin     PIX OS version 7.1(1)                                 7.1.1.ED   06-FEB-2006
asdm-504.bin                                                         5.0.4      15-OCT-2005
pix704.bin     PIX OS version 7.0(4)                                 7.0.4.ED   15-OCT-2005
------------------------------

Currently I have 7.0(4) with ASDM 504.
The latest is 7.21 and before that 7.12, but both are ED (Early Deployment) versions.

So which one do you think would be a stable version with a fair improvement in feature set?

regards
Naren

r_naren22atyahoo Asked:

lrmoore Commented:
7.0(4) is pretty stable and I wouldn't recommend upgrading unless there is a specific reason you think you need to.
I would have no reservations upgrading to 7.0(5) and ASDM 5.0.5.

I am running 7.0(5) and 7.1(2) both in production environments and have had no issues.

giltjr Commented:
Is there any reason you want to upgrade? We just TRIED 7.2(1) and 7.1(2) and had to back out to 7.0(2).

We did not realize it until after we backed out to 7.0(2), but there were some changes in how the PIX handled sending out RSTs, and this was causing our 525Es to hit 100% CPU utilization for long enough that the failover unit thought the active unit had crashed and tried to take over. What a mess. We found that the change was in 7.0(5), with a new option, resetoutbound, which is enabled by default. The release notes for 7.0(5) are very confusing because they seem to have a typo and imply that there is a new option resetinbound, which has been around. The new option is resetoutbound. They have changed resetinbound so that you can specify by interface what you want to do.

Now that we know what is going on (we think) we are going to try 7.2(1) again, in a couple of weeks.

r_naren22atyahoo (Author) Commented:
First, thanks for the comment :)

7.0(4) with ASDM 504 has some issues with logging and monitoring; we don't have many options there.
We actually use 2 525s in an Active Failover configuration.

So I thought that 7.21 or 7.12 has these options. Do you know about any of those???

We use only the ASDM to configure the PIX, as the configuration is complicated.

I didn't get the RST part; what is it about?

regards
Naren
r_naren22atyahoo (Author) Commented:
Thanks lrmoore,

Mostly looking at the logging side, with ASDM.

lrmoore Commented:
I noticed that the home page of the ASDM interface lets you stretch the log window to see more at once, and I thought that was an improvement over the PDM, which did not let you do that. Imagine my surprise when ASDM 5.04 broke it and wouldn't stretch any more. 5.05 fixed it again so you can stretch the window again.

r_naren22atyahoo (Author) Commented:
giltjr, do you know of any known features for logging and monitoring?

lrmoore Commented:
Have you considered a dedicated syslog server and syslog reporter software?

r_naren22atyahoo (Author) Commented:
The syslog server on the PIX transfers the log files to an FTP server; we have other software to analyse those files.

r_naren22atyahoo (Author) Commented:
>> you do that. Imagine my surprise when ASDM 5.04 broke it and wouldn't stretch any more. 5.05 fixed it again so you can stretch the window again.
I would go for the new version for this option :)

r_naren22atyahoo (Author) Commented:
Thanks for the info guys, it was helpful...
However I just saw the ASDM 521 demo version on the Cisco site; it's pretty impressive and easy to manage.

We have problems with 7.04, not exactly with 7.04 but with ASDM 504.
We had groups and objects; it was a little confusing with the access rules on ASDM 504. ASDM 521 is much better.
And also the "packet tracer", that's a good tool.

I am going to upgrade to ASDM 521.

One last question.
Is Cisco TAC supporting the 7.21???
Coz all the versions, i.e.
7.04, 7.12 and 7.21, are ED (Early Deployment) versions, except 6.3(5).

Thanks
Naren

giltjr Commented:
From what we can tell 7.0(4) and older would quietly drop packets that were denied. With 7.0(5) it seems that the default is to send a RST for packets that are denied.

I would assume that if you only get a few denies this is not that bad, but if you get a lot it would cause problems. With the new code we were seeing CPU at 100% for 40-60 seconds and then the fun started.

Logging and monitoring what?

We are using ASDM to keep an eye on CPU utilization.

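Added example, not from anyone in this thread: since the asker already ships PIX syslog to an FTP server for analysis, this Python snippet counts TCP ACL denies per second from constructed PIX syslog lines (message 106023, the ACL-deny event as I recall its format), which is the volume that matters once the 7.0(5) resetoutbound default turns each denied TCP packet into a RST. The hostname, addresses and access-group name are made up.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not captured from a real PIX).
# One-second timestamps are the syslog server's; 106023 is the ACL-deny message.
SAMPLE_LOG = """\
Jun 01 10:15:01 pix525 %PIX-4-106023: Deny tcp src outside:203.0.113.5/40001 dst inside:10.0.0.10/445 by access-group "outside_access_in"
Jun 01 10:15:01 pix525 %PIX-4-106023: Deny tcp src outside:203.0.113.5/40002 dst inside:10.0.0.10/139 by access-group "outside_access_in"
Jun 01 10:15:01 pix525 %PIX-4-106023: Deny udp src outside:198.51.100.7/53 dst inside:10.0.0.10/53 by access-group "outside_access_in"
Jun 01 10:15:01 pix525 %PIX-4-106023: Deny tcp src outside:203.0.113.9/51000 dst inside:10.0.0.11/22 by access-group "outside_access_in"
Jun 01 10:15:02 pix525 %PIX-4-106023: Deny tcp src outside:203.0.113.9/51001 dst inside:10.0.0.11/23 by access-group "outside_access_in"
"""

DENY_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ %PIX-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group"
)


def parse_denies(text):
    """Yield (timestamp, protocol, source interface, destination interface) per deny line."""
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("proto").lower(), m.group("src_if"), m.group("dst_if")


def deny_rate_per_second(text):
    """Count denied TCP packets per one-second bucket.

    Only TCP denies are counted: a RST is a TCP segment, so these are the
    drops that resetoutbound turns into extra work for the firewall.
    """
    counts = Counter()
    for ts, proto, _src_if, _dst_if in parse_denies(text):
        if proto == "tcp":
            counts[ts] += 1
    return counts


def flag_bursts(text, threshold):
    """Return the seconds in which the TCP-deny rate reached the threshold."""
    return sorted(ts for ts, n in deny_rate_per_second(text).items() if n >= threshold)


if __name__ == "__main__":
    for ts in flag_bursts(SAMPLE_LOG, threshold=3):
        print("deny burst at", ts, deny_rate_per_second(SAMPLE_LOG)[ts], "tcp denies")
```

Run against a real exported log, the per-second peaks give a rough idea of how many RSTs the 7.0(5) default would generate during a scan, which is the situation giltjr describes.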