Solved

Pix 501 or Cisco 800 ?

Posted on 2006-07-13
Last Modified: 2008-01-16
I work for a company that provides network support for SMEs.

Currently we have a fairly standard setup that we install at the perimeter for most clients - we use a PIX 501 and a cheap Netgear ADSL router (of whatever variety is available that month, as they seem to change at a rapid rate).

This generally works - I particularly like the PIX for the following reasons:

1: No-nonsense vpn client. Easily configured & supported.
2: Decent nat-traversal support for IPSEC so that people can connect to the vpn over gprs, 3g etc
3: Ability to connect to radius for authentication of vpn clients

Recently I've had a few issues with the Netgears, mainly firmware things to do with them not correctly routing public IPs on the LAN interface, and they are generally a cheap, crappy unit - they seem prone to overheating and general crashes. Probably fine for home - but I don't think they are really business class.

I'm considering getting a Cisco 800 series ADSL router so that we can combine this functionality into one reliable unit.

Will the 827 be a suitable replacement for both boxes (PIX & Netgear), or am I missing something?

Question by:heathcote123
9 Comments
LVL 57

Expert Comment

by:Pete Long
ID: 17098000
>>Will the 827 be a suitable replacement for both boxes (PIX & Netgear), or am I missing something?

Note a PIX cannot route (default route statement doesn't count :)
But a router is NOT a firewall - yeah, higher end routers can take a firewall IOS if it's supported on that model.

So YES you can just put in an 800 series - but then you will lose the protection of a PIX - ICMP blocking, stateful inspection, floodguard etc etc
LVL 5

Author Comment

by:heathcote123
ID: 17098261
Thanks for answering.

I'd be looking at getting one with the following feature pack:

Cisco 827v Series IOS IP/FW Plus IPSec 3DES

Cisco's blurb (http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/800/rn800xd.htm)

Says it has stateful firewall, and also denial of service detection - how does this differ from floodguard?

Regarding the ICMP blocking, does this mean you cannot control inbound/outbound pings etc. from an access list as you can with the PIX? I'm not sure if this bothers me that much if true. (Maybe I'm not being paranoid enough!)



LVL 5

Author Comment

by:heathcote123
ID: 17098368
It seems 12.4 has stateful ICMP inspection too now.
(http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b0d.html)

Does anyone have any experience with the VPN side of things - does the NAT traversal work OK over 3G?
LVL 32

Expert Comment

by:rsivanandan
ID: 17099819
If you enable CBAC you get all the features that ASA provides (CBAC for router is ASA for PIX). But thinking about it, the question should be like this:

1. Do you want a firewall or a router with firewall capability?

I understand the relation and problems of having the netgear or whatever equipment you put out there. But 8xx can't provide you the rigid integrity that PIX provides.

In essence, if your netgear goes off, pay 30 bucks and get another one, which sounds cheap and better to me instead of paying more...

2. Configuration and maintenance. Configuring and maintaining the Router for CBAC can be disturbing and difficult. On the other hand, any standard configuration will give a fair idea of what the PIX is gonna do.

3. Encryption and VPN Capabilities. PIX is much better to handle encrypted traffic and can have more VPN sessions but Router is not that. Remember that Firewall feature set is an add-on to the Router but PIX is purpose built firewall.

4. 3G, NAT traversal would work both on the router and PIX as well. Not an issue.

Cheers,
Rajesh
LVL 32

Expert Comment

by:rsivanandan
ID: 17099838
Oh and yeah, if you enable CBAC, you get all the statefulness and ICMP tuning etc.. Not an issue on that front too. It is all about what is easier, better and economic.

Cheers,
Rajesh
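As an added example (not from any of the posters or from Cisco's documentation), the following IOS configuration shows the CBAC setup rsivanandan describes and the 12.4 stateful ICMP inspection heathcote123 linked: outbound TCP/UDP/ICMP sessions are tracked, half-open-session thresholds give the "DoS detection" behaviour the author compared to floodguard, and an inbound ACL admits only the IPsec/NAT-T traffic the VPN clients need. Interface names (Ethernet0, Dialer0), the 192.168.1.0/24 LAN and the threshold values are assumptions, not taken from the thread.

```ios
! Inspection rule: CBAC records each outbound session and opens the
! matching return traffic through the inbound ACL on the ADSL side.
ip inspect name FW tcp
ip inspect name FW udp
! Stateful ICMP (IOS 12.4): only replies to pings sent from the LAN come back.
ip inspect name FW icmp
ip inspect audit-trail
!
! Half-open (embryonic) session limits: the router-side counterpart of the
! PIX floodguard. Values are assumed; tune to the site's normal traffic.
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
ip inspect one-minute high 400
ip inspect one-minute low 300
ip inspect tcp max-incomplete host 50 block-time 0
!
! Inbound ACL on the uplink: IKE (UDP 500), NAT-T (UDP 4500) and ESP for the
! VPN clients are allowed in; everything else must be a return packet that
! CBAC has already opened, otherwise it is dropped and logged.
access-list 101 permit udp any any eq 500
access-list 101 permit udp any any eq 4500
access-list 101 permit esp any any
access-list 101 deny   ip any any log
!
interface Ethernet0
 description LAN (assumed 192.168.1.0/24)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 description ADSL uplink (assumed PPPoA/PPPoE dialer)
 ip nat outside
 ip access-group 101 in
 ip inspect FW out
```

Applying `ip inspect FW out` on Dialer0 is what makes the deny-all ACL workable: return packets for LAN-initiated sessions bypass ACL 101 because CBAC has a matching session entry, so a `show ip inspect sessions` listing is the place to look when something that should work is being dropped.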
LVL 5

Author Comment

by:heathcote123
ID: 17120709
I'd just really like to get the same functionality as I currently have into one reliable box.

If configured correctly, is there any reason as to why it would be less secure than  the pix ?
LVL 32

Accepted Solution

by:
rsivanandan earned 2000 total points
ID: 17120868
I was trying to make a point that the fact is:

PIX -> Purpose built firewall.

Router -> Purpose built Router with firewall capabilities.

Like when a new feature for a firewall feature set is rolled out, it won't be available for you on the router ON the same date. There is that implementation/porting lag.

One example I can give you right now is the IOS IDS/IPS feature set. It was there in Cisco's bag and even ASA series have it built-in, but routers were introduced to this very recently and they don't scale well.

See what I am talking about ?

Cheers,
Rajesh
LVL 5

Author Comment

by:heathcote123
ID: 17120893
That's great, thanks for your advice.

I think I'll give the 800 a try.

LVL 32

Expert Comment

by:rsivanandan
ID: 17120910
Gr8. Let's see how it does.. wouldn't be bad, I'm sure..

Cheers,
Rajesh