ASA & PIX FIREWALL - QUERY

Hi, I'm of the understanding that the 'PIX Firewall' was upgraded to what is now known as the 'ASA'. Is this true?

Is this 'PIX or ASA' firewall a feature that can be configured on Cisco routers of any sort, or does a particular piece of equipment have to be bought?

If so, I have some equipment I use just for the learning curve:

2500
2600
3600
2950
3550
Ernie Beek commented:
The ASA is a dedicated hardware firewall, so it's a separate device. The PIX was its predecessor, but those are end of life now.
jmeggers commented:
Much of the ASA code is evolved from the PIX code, but things have been added that give it capabilities well beyond what the PIX could do.
mikey250 (Author) commented:
Ok. So presumably then, if I have no firewalls in place, I would have to basically block everything I need to block myself via the command line, or even the 'CBAC' that I have in my book?
Ernie Beek commented:
Well yes. But for routers there is also an IOS firewall version (if you can get hold of that). That is a bit more elaborate than a normal version with just access lists.
mikey250 (Author) commented:
Not sure what you mean when you say 'yes, but for routers there is also an IOS firewall version'.

I've checked the following of what I have:

- 2500 - Does not have 'ip inspect' capability, which is a way of checking if a router has this, according to instructions found on the internet..
- 2650 - Does show options
- 3640 - Does show options
- 3620 - Does show options

I've tried to see if I could download a version which I thought it was, but I have to pay... I've no cash so cannot do so; I hope that the above will do.

I'm assuming 'CBAC' only works on the above types of router, otherwise it won't work..?
Ernie Beek commented:
That's the thing, you need to pay for a new software image (or google very well ;)

"I'm assuming 'CBAC' only works on the above types of router, otherwise it won't work..?"
Do you mean, if it shows the options it should work (so not on the 2500)? If so then yes, those three should be able to.
mikey250 (Author) commented:
Hi, no, not got money at the moment. I'm not even sure how much, as a rough estimate, it would cost, as I've never ever bought a software image from this site.... unless you know?

I'm not sure where else to look in Google for the software....!

The 2500 does not recognise the 'ip inspect' command, but yes, the others do..

So if I follow my instructions I have to configure this CBAC, obviously around my test network. I'm assuming this is enough to block the main stuff, unless I've installed some software that needs to use a specific port, then I would maybe add this as well?

My CBAC instructions are based around a network diagram of a 'dmz, internal & external to ISP'...

So this other IOS Firewall, I'm assuming, offers more than CBAC, but in a GUI form?
Ernie Beek commented:
I wouldn't worry too much about this. CBAC is an IOS firewall feature, so it looks like you already have images there you can work with. The version I was referring to also uses 'zone based' firewalling, which it looks like you don't need at the moment.
In your test network you should only need to implement CBAC at the edge router (the one connecting to the internet), so you should be fine with the equipment you have.
Afaik there are a number of applications defined for CBAC. You can configure it to use a non-default port, but you can't create inspection for a 'new' protocol.
mikey250 (Author) commented:
Ok, no problem!!!

Looking at my lab, which I have done in the past but didn't quite understand then, but do now.. it has all configs on the router, separated as the DMZ Fa0/0 & internal network Fa0/1, and from this router it is connected via a serial connection to another router that acts as the ISP. The only config on this router is 2 static routes pointing specifically to the DMZ & internal network.. This is how it is, rather than the 'edge' router as you put it, but I suppose this does not matter, as if there was a 3rd Fa0/2 on the same router then this could be connected to my ISP for the internet access...!
mikey250 (Author) commented:
Come to think of it, 'Yes', you are right about the 'edge router', as it is only because I have added another router to act as the ISP...
mikey250 (Author) commented:
I've attached my configs if that's ok for you to look over...

Vista/DMZ/Internal network
sh run
Building configuration...

Current configuration : 2798 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vista
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip inspect udp idle-time 1800
ip inspect dns-timeout 15
ip inspect name STANDARD ftp
ip inspect name STANDARD http
ip inspect name STANDARD sqlnet
ip inspect name STANDARD smtp
ip inspect name STANDARD tcp
ip inspect name STANDARD tftp
ip inspect name STANDARD udp
ip inspect name STANDARD realaudio
ip audit po max-events 100
!
!
!
!
!
interface Serial0/0
 ip unnumbered FastEthernet1/0
 ip access-group 121 in
 ip access-group 122 out
 ip inspect STANDARD in
 no fair-queue
!
interface Serial0/1
 no ip address
 shutdown
!
interface Serial0/2
 no ip address
 shutdown
!
interface Serial0/3
 no ip address
 shutdown
!
interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.0
 ip access-group 111 in
 ip access-group 112 out
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 172.17.1.1 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out
 ip inspect STANDARD in
 duplex auto
 speed auto
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
!
access-list 101 permit ip 172.17.1.0 0.0.0.255 any
access-list 101 deny   ip any any
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny   ip any any
access-list 111 permit ip 172.16.1.0 0.0.0.255 any
access-list 111 deny   ip any any
access-list 112 permit udp any host 172.16.1.2 eq domain
access-list 112 permit tcp any host 172.16.1.2 eq domain
access-list 112 permit tcp any host 172.16.1.2 eq ftp
access-list 112 permit tcp any host 172.16.1.2 eq smtp
access-list 112 permit tcp any host 172.16.1.1 eq www
access-list 112 permit tcp 172.17.1.0 0.0.0.255 host 172.16.1.2 eq pop3
access-list 112 permit tcp 172.17.1.0 0.0.0.255 any eq telnet
access-list 112 permit icmp any any administratively-prohibited
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any packet-too-big
access-list 112 permit icmp any any time-exceeded
access-list 112 permit icmp any any unreachable
access-list 112 deny   ip any any
access-list 121 deny   ip 172.17.1.0 0.0.0.255 any
access-list 121 permit ip any any
access-list 122 permit icmp any any echo-reply
access-list 122 permit icmp any any time-exceeded
access-list 122 deny   ip 172.16.1.0 0.0.0.255 any
access-list 122 permit ip any any
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 1 20
 password cisco
 login
!
!
end

vista#
---------------------------------------------
Sanjose1/ISP
sh run
Building configuration...

Current configuration : 950 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SANJOSE1
!
!
ip subnet-zero
!
!
!
call rsvp-sync
!
!
!
interface BRI0/0
 no ip address
 shutdown
!
interface Ethernet0/0
 no ip address
 full-duplex
!
interface TokenRing0/0
 no ip address
 shutdown
 ring-speed 16
!
interface BRI0/1
 no ip address
 shutdown
!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial1/0
 ip unnumbered FastEthernet1/0
 clockrate 56000
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/1
 no ip address
 shutdown
 clockrate 2000000
!
ip classless
ip route 172.16.1.0 255.255.255.0 Serial1/0
ip route 172.17.1.0 255.255.255.0 Serial1/0
no ip http server
ip pim bidir-enable
!
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 1 20
 password cisco
 login
!
end

SANJOSE1#
Ernie Beek commented:
:)
mikey250 (Author) commented:
Ok good..!!! Thanks for the advice.. Oh yeah, do you know the cost of those other IOS Firewalls you mentioned earlier, £100 or £1000 for eg?
Ernie Beek commented:
Oops, crosspost with your config. Looking good though at first glance (from a little mobile screen ;). Not sure though if it is really necessary to inspect on both the inside and outside interface.

Pricing.......... Don't really know. A quick Google shows prices like $300-$400 for an upgrade, but I think that also depends on your current version.
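As an added example (not code from the thread or from either poster), a small Python audit script that parses an IOS running-config like the 'vista' one above, records which ACLs and CBAC rule names each interface references, and flags dangling references as well as the point Ernie raises about inspecting on more than one interface. The embedded config is a constructed, abridged excerpt of the posted one; the interface and ACL numbers are taken from it.

```python
import re
# Constructed, abridged excerpt of the 'vista' CBAC config posted in the thread.
SAMPLE_CFG = """\
ip inspect name STANDARD tcp
interface Serial0/0
 ip access-group 121 in
 ip access-group 122 out
 ip inspect STANDARD in
interface FastEthernet1/1
 ip access-group 101 in
 ip access-group 102 out
 ip inspect STANDARD in
access-list 101 permit ip 172.17.1.0 0.0.0.255 any
access-list 102 permit icmp any any echo-reply
access-list 121 permit ip any any
access-list 122 permit ip any any
"""

def parse(cfg):
    """Split an IOS running-config into per-interface bindings, ACLs and CBAC rule names."""
    ifaces, acls, rules, cur = {}, {}, set(), None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = m.group(1)
            ifaces[cur] = {}
        elif m := re.match(r" ip access-group (\S+) (in|out)", line):
            ifaces[cur]["acl_" + m.group(2)] = m.group(1)
        elif m := re.match(r" ip inspect (\S+) (in|out)", line):
            ifaces[cur]["inspect_" + m.group(2)] = m.group(1)
        elif m := re.match(r"ip inspect name (\S+) ", line):
            rules.add(m.group(1))
        elif m := re.match(r"access-list (\S+) (permit|deny)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
    return ifaces, acls, rules

def audit(cfg):
    """Return reviewer findings: undefined ACL/rule references and multiple inspection points."""
    ifaces, acls, rules = parse(cfg)
    findings = []
    for name, i in sorted(ifaces.items()):
        for d in ("in", "out"):
            acl, rule = i.get("acl_" + d), i.get("inspect_" + d)
            if acl and acl not in acls:
                findings.append(f"{name}: access-group {acl} {d} references an undefined ACL")
            if rule and rule not in rules:
                findings.append(f"{name}: ip inspect {rule} {d} references an undefined rule")
    inspecting = sorted(n for n, i in ifaces.items() if any(k.startswith("inspect_") for k in i))
    if len(inspecting) > 1:  # Ernie's remark: one inspection point is normally enough
        findings.append(f"CBAC inspection on {len(inspecting)} interfaces ({', '.join(inspecting)})")
    return findings
```

Run it against a full `show run` capture to get the same findings for a real box; the regexes only look at `interface`, `ip access-group`, `ip inspect` and numbered `access-list` lines.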
mikey250 (Author) commented:
Ok......appreciated.. That was the lab I have, so it is a good guide I suppose, as I understand why..