Re: IP/FW/IDS on 2611 Vs. PIX501

aung.naingoo · ‎02-13-2006

What are the pros and cons of using IP/FW/IDS on 2611 Vs. PIX501?

spremkumar · ‎02-14-2006

hi

Do revert for what kinda requirement you are checking the pros and cons of both the boxes...

Are you going only for internet access from the local lan ?

are you also interested in going on for remote access VPN ?

What about possible ipsec tunnel terminations ?

Any servers you are going to host out behind the boxes ??

regds

aung.naingoo · ‎02-14-2006

Things I would like to do are as follows:

Get internal network access to internet (which both of the pix and 2611 can)

Have a firewall blocking every incoming traffic other than allowed traffic. (Have done on pix but haven't checked on 2611 yet)

Get xxxxx ports from the external interface forwarded to local lan (have done on pix but haven't check on 2611 yet)

Allow VPN access to local LAN

Have an IDS system in place.

All of my requirements can be done with PIX501 but I have a sitting 2611 with IP/FW/IDS package on it. So I wonder whether I could use 2611 instead of PIX501. If it can be done I can spare the PIX501 for remote office.

dgloff · ‎02-14-2006

the 2611 should meet your needs. With CBAC, you only need to open holes for services you explicitly want to provide to the outside world. So Pointing TCP 80 and 443 to your web server, etc. For your internal hosts, all connectivity will work fine with a "deny ip any any" access list on the outside interface. This is because CBAC opens up temporary holes in your ACL in order to allow outbound traffic related to a particular session to return. Once the session is over, the ACE allowing that traffic is automatically removed.

Both will terminate VPN tunnels onto your corporate LAN, and both will support split tunneling (and split DNS) to enable remote users to access their local LANs. The 501 will support up to 10 tunnels total. I'm not sure how many the 2611 will support in software (should be at least 100), but if it's not sufficient, hardware VPN cards are available.

As for IDS/IPS, the signature package for the IOS FW was recently upgraded to over 300 signatures, while I believe the PIX is still at 57.

Definitely save the PIX 501 for your remote office, that's precicely what it's intended for.

aung.naingoo · ‎02-14-2006

Is there some sort of configuration reference url for FW/IDS features on 2611 with the IOS 12.3 rather than the whole complete reference on the full IOS features?

dgloff · ‎02-15-2006

I can't find a complete reference for 12.3, but here's the one for 12.0:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide_book09186a00800881ca.html

Better than 90% of stuff should be about the same, and those that don't work will error right away so you can go find a configuration guide for that specific feature. The only one I can think of off hand is that IDS (ip audit) has been replaced by IPS (ip ips). The configuration for that, as well as any other security-related commands, can be found in the IOS Security Command Reference for 12.3T:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_book09186a00801a7f8b.html

The dowside of this one is it's not a guide like the first, you have to know what you're looking for. So I'd go through the guide to get the basics, then use the command reference to fill in the gaps.