Friday, 16 January 2015

The Pix arrived

A big van pulled up and I was halfway to the door before the driver got out.

The box was a lot heavier than I expected. I have a PIX 515, and I thought that the 525 would be the same thing with a faster CPU, a bit more memory and more advanced software. But it isn't: it's a big heavy box (32 pounds), and it has four 80mm fans cooling the inside, which is total overkill, but on a device as crucial as a firewall, overkill is very good.

First I looked at the documentation, and to my dismay, it was for a Juniper router. Oh no! But a quick check of the box said "Cisco", and it has ten Ethernet ports, as I expected.

So I powered it up, connected a serial cable to a computer (9600 baud), and up it came! It displayed its banner, and I learned that it has version 7.2 of the software. So I ran setup and gave it an IP address, and told it the IP address of the computer I'll use to manage it. And it wouldn't ping. Ugh.

After a lot of fumbling around (and it could have been far worse), I found, pretty much by accident, that it was thinking of itself as a standby device, not as the primary. And after a lot more fumbling, I hit on "FAILOVER ACTIVE" which made it come alive to my pings. Maybe there's a way to make it assume that on power-up?

It was set up with factory defaults, so I knew the passwords, which I changed immediately, and they're written down on a label on the pix, on the grounds that if someone gets close enough to steal the pix, I'm stuffed anyway.

A bit of bad news: the old "conduit" command (which is what I'm used to) has been replaced by "access-list", but the syntax is actually the same. And I found a manual for software version 7.2.

Since it has ten Ethernet ports, I'm going to use some of them. Port 0 is for the outside to connect to; that will go to the router when the new line arrives. Port 1 is "inside"; that will go to the house network, and will have the highest security level (100), because no one outside should have access to that. Next is port 2, security level 80: that's for servers that collect important data, but which the outside world needs limited access to (so they can send that data). Then level 50, which will be all the utility servers (email, DNS etc.) that the outside world needs some access to (otherwise I don't get any email), and finally level 10, which will be the servers that will be heavily used by the outside world, and which don't have any important (to me) data on them. So of the ten ports available, I'll only be using five, but that's fine.
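Here is what that five-interface layout looks like as a PIX 7.2 configuration. This is an added example, not the configuration from the original post: the interface names (`data`, `services`, `public`), the addresses (RFC 5737 and RFC 1918 documentation/private ranges) and the sample `static` and `access-list` rules are all assumptions chosen to illustrate the security-level scheme described above.

```cisco
interface Ethernet0
 description To the router when the new line arrives
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet1
 description House network; nothing from outside may reach it
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 description Servers holding important data; outside gets limited access
 nameif data
 security-level 80
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet3
 description Utility servers (email, DNS)
 nameif services
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet4
 description Heavily used public servers with no important data on them
 nameif public
 security-level 10
 ip address 192.168.4.1 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (data) 1 192.168.2.0 255.255.255.0
nat (services) 1 192.168.3.0 255.255.255.0
nat (public) 1 192.168.4.0 255.255.255.0
!
static (services,outside) 203.0.113.10 192.168.3.10 netmask 255.255.255.255
static (data,outside) 203.0.113.20 192.168.2.20 netmask 255.255.255.255
!
access-list outside_in extended permit tcp any host 203.0.113.10 eq smtp
access-list outside_in extended permit udp any host 203.0.113.10 eq domain
access-list outside_in extended permit tcp any host 203.0.113.20 eq https
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

The point of the levels is the PIX's default rule: traffic from a higher-security interface to a lower one is allowed, while traffic from a lower level to a higher one is dropped unless a `static` translation publishes the server and an access-list applied inbound on the lower interface permits exactly that service. So the inside network at 100 can reach everything, the outside at 0 reaches only the two published hosts on the ports listed, and the closing `deny ip any any log` line makes every refused attempt show up in the log rather than vanishing silently. Note that the `failover active` command mentioned earlier is an exec-mode command, not configuration; `show failover` will confirm which unit is active after a reboot.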

The really good news is that there's a very fine web-based system for setting things up, so I don't have to strain my brain working things out, and yet there's also a command-line interface, so that once I've seen how to do a command (by setting it up with the web interface) I can just copy it for other servers that need a similar command. Very nice.

So, altogether, I'm very pleased with this PIX 525 that cost £45 and is worth twenty times as much. I checked on Amazon: a new PIX 525 is $15,000.

Now I have a watch set on eBay to get another one!
