[TriLUG] PIX 501 questions

Jon Carnes jonc at nc.rr.com
Sat Feb 1 11:00:06 EST 2003


No. I'm sure that whoever does your equipment ordering (or whatever
vendor you purchase from) is buying a souped-up version of the PIX 501.

If you follow the link I gave earlier in this thread you will see that
the encryption necessary to run the VPN is clearly sold as an "add-on"
license. 

===
http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/px501_ds.htm

Software Licenses

 10-User License

 The Cisco PIX 501 Firewall 10-user license supports up to 10 concurrent
source IP addresses from your internal network to traverse through the
PIX 501. The integrated DHCP server supports up to 32 DHCP leases.

 50-User License

 The Cisco PIX 501 Firewall 50-user license supports up to 50 concurrent
source IP addresses from your internal network to traverse through the
PIX 501. The integrated DHCP server supports up to 128 DHCP leases. As
your needs grow, a 10-to-50 user upgrade license is also available,
which allows you to extend your investment in PIX 501 equipment.

 3DES and DES Licenses

 The PIX 501 has two optional encryption licenses (168-bit 3DES and
56-bit DES) available either at the time of ordering the appliance, or
as an upgrade that can be purchased later. Note that US export
restrictions may apply to these licenses.

===

"Technically" it is built into the system.  You just can't use it
without first paying Cisco an exorbitant Licensing fee...

Jon Carnes

On Fri, 2003-01-31 at 23:26, Brandon L. Newport wrote:
> 
> What type of add-ons did you need...it has VPN and Firewall built in.  I
> have configured many a pix and unless you want URL filtering or something of
> that nature they are pretty easy to setup.
> 
> -brandon 
> 
> -----Original Message-----
> From: trilug-admin at trilug.org [mailto:trilug-admin at trilug.org] On Behalf Of
> Ken Mink
> Sent: Friday, January 31, 2003 10:56 AM
> To: trilug at trilug.org
> Subject: Re: [TriLUG] PIX 501 questions
> 
> 
> I was helping a friend configure a PIX that was donated to a non-profit he
> worked with. After much cussing, we figured out it needed some add-ons that
> would cost way more than a small non-profit has. My friend sold the PIX and
> used the money to buy a low-end PC. We loaded Linux, set up iptables, and
> never looked back. That was my only experience with a PIX. It may not have
> been the norm. The PIX may have worked fine with the add-on software, who
> knows. I've used iptables as a corporate firewall more than once. I like the
> flexibility and the control. If you've got the physical space for the PC,
> it's the way I'd go.
> 
> Ken
> 
> On Thu, 2003-01-30 at 23:19, Glen Ford wrote:
> > Not a directly Linux related question, but I hope the good folks on this
> > list might be able to help.
> > In an effort to learn a little about Cisco PIX products I have swapped 
> > out my Linksys DSL router with a PIX 501.  I use the Linksys and now the 
> > PIX as firewall between my home boxes and my RoadRunner cable modem. 
> > Pretty standard stuff.
> > 
> > 
> > I am having two problems with my PIX 501.
> > 
> > 
> > 1.  The outside interface of my PIX gets assigned by the ISP via DHCP.
> > This works for the most part, except periodically I lose connectivity to 
> > my RoadRunner router.  I know this because my wife complains that she 
> > cannot use the browser. I check the connection by pinging the router 
> > from the command line inside the PIX. The pings fail and I have to issue 
> > the following command to regain my connectivity: "ip address outside dhcp 
> > setroute retry 5". This is proving to be irritating. Why does the 
> > outside PIX lose connectivity to the router?
> > 
> > 
> > 2. With the Linksys I am able to use the Cisco VPN client for Linux without
> > any problems, i.e. from a server behind the Linksys I am able to establish a 
> > VPN connection to my corporate network.  This is an ipsec tunnel over UDP 
> > port 500 (esp).  The Linksys passes this traffic without any problems.  
> > linux (vpn client) ---> linksys ----> vpn end-point
> > However when I use the PIX it does not work.  I know I am passing the 
> > UDP port 500 traffic because I see it leaving the outside interface of 
> > the PIX.  I use the debug command to see it.  I do not see any reply traffic 
> > coming back from the VPN request.  The packets leaving the PIX are 
> > addressed with source of the outside interface and destination of my 
> > corporate VPN end point.  This all seems correct except I do not see any 
> > traffic coming back from the corporate end-point.  After some time the 
> > VPN client croaks and says that it timed out trying to make the connection.
> > 
> > Any help with either/both of these two questions would be much 
> > appreciated.
> > 
> > Thanks,
> > /Glen
> > 
> > _______________________________________________
> > TriLUG mailing list
> >     http://www.trilug.org/mailman/listinfo/trilug
> > TriLUG Organizational FAQ:
> >     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
> 