Tuesday, 27 January 2015

I love this Pix 525

What's so nice about it is A) ASDM, the web-based user interface, which is *so* much easier than struggling with unfamiliar (to me) pix command line syntax, and B) the packet tracer, which lets me set up a set of access rules and NATs, and then lets me test to see if they work, without actually having to do it for real. Of course, I don't fully trust this simulation, but it certainly has helped me find a whole bunch of wrong things that I've done. And it's helped me understand the pix a lot better.

Of course, I can't use this 525 for real - that's why I got a couple of Pix 515E boxes. But the pix 515E that I have doesn't have ASDM, and since it's no longer supported by Cisco, I don't think I'll be able to get ASDM for it.

Still - there's a workaround. I'm using the pix 525, via ASDM, to set up my configuration. And when it's ready, I can do a "conf term" to blurt out a text file, which I can then paste into the pix 515E to give me the same configuration.

So why can't I use the pix 525 and forget the 515E? Because of the licensing. The unit I got has a Failover licence. When I bought it, I didn't realise the implication of that - and that's probably part of the reason it was so cheap. The problem is that it reboots every 24 hours. That's because Cisco don't want me to use it as my main firewall, they want me to shell out a lot more money for an "unrestricted" licence.

But I had a think. Yes, it reboots every 24 hours, but after the reboot, it's working fine. And I timed it, a reboot takes less than a minute. So out of every 1440 minutes, it's unavailable for 1 minute. That's better than 99.9% availability!

On the downside, when it reboots, all the connections are ended. So if I'm logged on to a remote computer, when the pix reboots, I'm suddenly not logged on, which might be annoying - I just have to log on again, no big deal. But since most of what I'm doing doesn't rely on continuous connection, maybe that won't matter. The 24-hourly reboot would be very unacceptable to a corporate IT center; they'd get a *lot* of complaints. But I think it might well work fine for me.

Still, I have the pix 515E, I'll use it. But it's nice to know that I can actually use the 525 as a fallback.


  1. Or set the 525 to reboot at a time when you'll almost definitely not be using it, e.g. 3am or similar.

    Enjoying this series of networking posts, by the way!

  2. The next one will be a doozy!