Saturday 15 December 2012

Configuring the pix

I wanted to replace the Sonicwall firewall with a pix.

I actually use three firewalls here; the main one, and two Sonicwalls to give extra walling to particular segments. One problem with the Sonicwalls I use is that they only allow 20-odd rules, which really isn't much unless you're a home user. And I have a couple of Pixes that haven't been used for a couple of years, so I thought I'd get those into action.

The Cisco Pix is a Real Firewall, not a puny one like the Sonicwalls I've been using. They're amazingly cheap if you buy them second hand on Ebay, because home users wouldn't want one, and corporates wouldn't buy second hand.

So I started to configure it to do the job I want. It turned out to be far more difficult than I'd thought, involving the use of access-lists. And I didn't press the button on the ethernet switch that crossed the cable, because it's an old switch (modern ones auto-detect) and I'd forgotten about needing to do it.
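For readers who haven't met a PIX before, here is an added illustration of what the access-list work involves. It is not the author's configuration and the post does not show his; the interface names, addresses and the inside web server are assumptions. The point it shows is the PIX security-level rule: traffic from a higher-security interface to a lower one is allowed by default, while traffic from a lower to a higher one is dropped unless both a static translation and an access-list permit it.

```cisco
! Added example (not the author's config): minimal PIX 6.x two-interface setup.
! Interface names, addresses and the 192.168.1.10 web server are assumptions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 100full
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Outbound (inside -> outside): higher to lower security level is permitted
! by default; the hosts just need a translation. PAT onto the outside address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Inbound (outside -> inside): lower to higher is dropped unless there is
! BOTH a static translation for the host AND an access-list entry for it.
! On PIX 6.x the access-list names the translated (outside) address,
! not the inside address.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
! Everything not listed above is dropped: an applied access-list ends in an
! implicit deny.
access-group outside_in in interface outside
```

Two checks worth knowing when it "almost works": `show access-list outside_in` prints a hit count per line, so you can see whether packets are reaching a rule or dying on the implicit deny, and `show xlate` shows whether the static translation for the inside host actually exists. A very common mistake on these older images is writing the inside (private) address in the outside access-list; the hit counts stay at zero and the connection is refused.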

And after about two solid days of struggle, I've still only got it partially working, but I'm so close now, so close ... just a couple more issues to deal with ...

I've fallen back on the old Sonicwall for now, but I think its days are numbered.

I've also bought a USB ethernet device, so I can have two ethernet ports on a Raspberry Pi. If I have two ethernet ports, then I'm pretty sure I can turn it into a firewall, which (I think) will be a lot easier to configure than a Pix. I've done this before, using three ethernet cards in one computer to make a three-segment firewall (LAN, WAN and DMZ).

So now it's a race. Will I get the Pix configured before I make a homebrew firewall?


  1. As someone who works on an ASA, just a glorified PIX, frequently, I can't imagine deciding to use one at home. I'm just so much more at home on a nice Linux box with iptables or the like :) I imagine you're the same way.

    Also, dang, spammers.

    1. "Use one at home" is a bit incorrect. Yes, I live here. But so do about 100 computers. I'm not just a hobby user!

      Yes, iptables is nice, but I'm very unkeen on running a firewall on the computer that's being firewalled, I want it on a separate box.

      For me, the advantage of a pix over a linux box doing the same job is that, in my experience, pixes never crash, or develop a bad hard drive, or a faulty power supply, whereas PCs do. The problem is anything with moving parts.

      And that's why I'm contemplating using a Raspberry Pi as a firewall.

      But I think I've made a breakthrough on why I couldn't get the pix working. If my theory is right, I *did* have it working, but ...

      When I test the theory out, if I'm right, I'll post the details.

      And if I get more spammers, I might have to use a captcha to keep them off.