Learning PIX and ASA Firewalls

Unanswered Question
Feb 13th, 2007

Hello.

I was wondering if anyone can give recommendations for learning PIX/ASA firewalls.

I have accepted a new job lately and they have an ASA appliance and would like me to handle the duties, which is great and I am really excited.

With that, I was wondering if anyone could make recommendations on how to get completely comfortable with ASA firewall.

Any recommended books?

What about purchasing a 501 PIX off ebay to play with? I know it is different, but isn't the IOS similar?

I appreciate it.

TCG

sachinraja Tue, 02/13/2007 - 18:00

Hello TCG

If you have already worked on PIX, ASA should be easy and it's almost the same, with the new 7.x version !!! If not, you got to study some basics of firewalling, and then get to know the advanced modules of ASA, if any !!!!

There are some good trainings in the URL below,

http://www.cisco.com/web/learning/le31/le29/configuring_asa_pix_security_appliances.html

You can probably start off with the basics and use this URL to build up.... you anyway have netpro to answer all your questions, in your learning curve....

Raj

thecoffeeguy Tue, 02/13/2007 - 18:15

Thanks Raj...that was a fantastic link.

Would you recommend getting a PIX 501 off ebay just to play around in at home?

Possible to upgrade a 501 to the new 7.x IOS?

Thanks again!

TCG

sachinraja Tue, 02/13/2007 - 19:55

Hello Jason,

PIX 501 does not support Version 7.0... In fact the following firewalls do not support it:

PIX 501, PIX 506E and PIX 520...

You can have V7.0 with PIX 515E, 525 and 535 which have at least 16 MB of flash !!

I guess you can practice it with your live PIX/ASA in your office ;) We would learn more and be really precautious when we work with live boxes :)

Raj

daviddtran Wed, 02/14/2007 - 02:10

Both version 515 and 515E will run version 7.x. I've done it many times. The difference between 515 and 515E is really the processor speed and that 515E comes with built-in VPN accelerator card. Otherwise, they are exactly the same, AFAIK. They both will run version 7.x for you.

David

CCIE Security

thecoffeeguy Wed, 02/14/2007 - 08:19

Thanks David for the info. I do appreciate it.

I am currently debating right now as to whether I should get a 501 or a 515 from ebay. I like the idea of a 515 since it will run version 7.x, which would be what the ASA will be running at my new job.

Would it be worth it to work on a 7.x over a 6.3 version? Is there THAT much of a difference? I have pretty much worked in a 6.1 version.

Thanks guys.

Jason

daviddtran Wed, 02/14/2007 - 10:11

Jason,

If I were you I would buy the Pix515 instead of Pix501 so that you can learn more about Pix 7.x.

Another thing is that with Pix515 (even with R license), you still have the ability to have physical DMZ while with Pix501, you can only have inside and outside. With Pix515, you can do trunking but not with 501. If you decide to be cheap, go with Pix506, that will allow you to do trunking but pix506 will not run version 7.x code (even though I heard from the grapevine that someone managed to load version 7.0 beta code on a pix506)

7.x has many more features than 6.x; however, that being said, 7.x is much more 'buggy' than 6.3(5). That's why you see ALL 7.x code has the label "ED" which is AKA "beta code".

Good luck to you.

David

thecoffeeguy Wed, 02/14/2007 - 10:19

Thanks David. That was excellent information and something that really helps me make a more informed decision.

Would working with a 515 and 7.x be beneficial to working with an ASA appliance? I might be wrong, but I think the ASA runs the same version as PIX? The only difference is that the ASA is newer and has some extra modules that you can basically plug in?

Looks like the latest version is 7.2 just looking at the docs for both PIX and ASA.

Thanks David. That was great!

-Jason

daviddtran Wed, 02/14/2007 - 10:49

Pix does not have plugged-in modules and it cannot terminate SSL VPN. ASA can have plugged-in modules such as IDS/IPS, content filtering and you can terminate SSL VPN on the ASA. I've never touched an ASA myself.

Strictly from the firewall perspective, Pix and ASA are the same 'cause they run the same code.

I like Pix but I like Juniper and checkpoint firewalls even more because they are much easier to use than pix/ASA but I am biased.

David
