[Config] PIX best practices

MousePad (join: 2005-01-08, Jonquiere, QC · Videotron)
Hello guys,
We just got a PIX 525 at work, and I have to configure it. Now... I'm a IOS kinda guy, and since I never touched a PIX before, I went on and put PIX OS 7.01 on it.
Now, I do understand a lot of the principles behind firewalls and security... Still some things to learn, but the question I have now is this: How do I configure the thing correctly? What features should I use to make the most of it, make my life easier managing it? What are the best practices...
I don't need a step by step guide, just some pointers... Maybe explain a thing or two... Links of stuff available on the net...
I've googled a lot, but could not find much...
Any help pushing me in the right direction would be appreciated...
Thanks in advance
Phraxos (Premium, join: 2004-06-12, UK)
Use ASDM; it should cover most (if not all) of what you need.
BTW, did you really put 7.01 on it or 7.1 (which is the current version)?
MousePad (join: 2005-01-08, Jonquiere, QC · Videotron)
Hello Phraxos,
I thought about ASDM, but I'd rather do it with the CLI... I don't like web interfaces 
I have 7.01 right now... I'm looking in acquiring 7.04, which is the latest version...
Thanks for the answer
Phraxos (Premium, join: 2004-06-12, UK)
7.1.1 is the latest version; it was released on 6th February with ASDM 5.1.1.
I fully understand what you say about CLI. It feels like you have more control, you know exactly what you are doing and it offers greater flexibility. When I got my (first) PIX 6 months ago I thought, "I'll get the basic setup done with ASDM then start tailoring it with CLI once I've picked up the basics". Just like I did when I first got a Cisco router.
Since then I've lost all inclination to do anything with the command line - I just don't need to touch it and I can do the sort of things you need to do with a PIX much quicker with ASDM.
I think that is the key; a PIX isn't a router! Most of what you do is messing with access-lists and quite frankly it is a lot more pleasurable doing this in a graphical environment than by command line, especially when you are talking about reordering lists and editing existing entries. A true professional isn't a snob about what tools he uses, he uses the best tool for the job.
Of course, having said all that, you can do whatever you like.
MousePad (join: 2005-01-08, Jonquiere, QC · Videotron)
What's the status of 7.1.1 bug-wise? Is it stable? You should've seen the face of the consultant when I talked about 7.0.1.
I'll install ASDM and see what I can make of it, and then decide... I've always loved the CLI with Cisco stuff, since it's much easier to access than a web page... Be dependent on a computer that has a browser on it... I know that sounds strange, but so much more can go wrong with a browser than with a terminal emulator 
I'll let you know how it turns out
Thanks
Phraxos (Premium, join: 2004-06-12, UK)
7 was a big change for Cisco so it was bound to be full of bugs... and was!
I started with 7.04 which had no problems for me and have upgraded to 7.1.1 without incident (and it has removed one small issue for me).
My greatest disappointment so far is that the ability to control messenger services like MSN and Yahoo (trumpeted as one of the great new features of PIX 7) STILL doesn't work (bug CSCsb41742).
I too have problems running SDM from far too many PCs but so far haven't had any problems with ASDM.
Don't get me wrong about CLI, I think it's fantastic for routers and was anticipating the same for the PIX - it just hasn't happened that way for me. I would be interested to hear how you feel in a few months time.
MousePad (join: 2005-01-08, Jonquiere, QC · Videotron)
Okay, great... I'll know what to expect with 7.1.1.
For MSN and Yahoo, I use routes that point to nothing for both services IP addresses... Google tells me which IPs to put in the route...
I feel as you do about the CLI I just didn't have the chance to work with a PIX for some time yet... We'll see... But our firewall is currently a Novell Bordermanager 3.7 for now... It's close to a CLI... So I don't anticipate any problems.. But I'll try both ways...
I'll let you know
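The blocking MousePad describes above (routes pointing at nothing for the messenger services' addresses) can also be done on the PIX itself as an access-list, which keeps the decision on the firewall and gives you per-rule hit counts and syslog entries. The fragment below is an added example, not configuration from anyone in this thread; the object-group name, access-list name and the addresses are placeholders (TEST-NET ranges), since the real server addresses are not on the page. Syntax is PIX/ASA 7.x.

```text
! Added example, not from the thread. Addresses are placeholders (TEST-NET ranges),
! not the real MSN/Yahoo servers; replace them with the addresses you look up.
object-group network IM_SERVERS
  description Placeholder addresses standing in for messenger service servers
  network-object host 192.0.2.10
  network-object 198.51.100.0 255.255.255.0
!
! Deny inside hosts reaching those addresses and log each hit, then permit the rest.
access-list INSIDE_IN extended deny tcp any object-group IM_SERVERS log
access-list INSIDE_IN extended permit ip any any
!
! Apply the list to traffic entering the inside interface.
access-group INSIDE_IN in interface inside
```

`show access-list INSIDE_IN` shows the hit count per entry, so you can tell whether the deny is actually matching once the addresses are filled in.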