Give the internal network access to the internet (which both the PIX and the 2611 can do)
Have a firewall blocking all incoming traffic other than allowed traffic. (Have done on the PIX but haven't checked on the 2611 yet)
Get xxxxx ports from the external interface forwarded to the local LAN (have done on the PIX but haven't checked on the 2611 yet)
Allow VPN access to local LAN
Have an IDS system in place.
All of my requirements can be done with the PIX501, but I have a 2611 sitting here with the IP/FW/IDS package on it. So I wonder whether I could use the 2611 instead of the PIX501. If it can be done, I can spare the PIX501 for the remote office.
The 2611 should meet your needs. With CBAC, you only need to open holes for services you explicitly want to provide to the outside world, so pointing TCP 80 and 443 to your web server, etc. For your internal hosts, all connectivity will work fine with a "deny ip any any" access list on the outside interface. This is because CBAC opens up temporary holes in your ACL in order to allow outbound traffic related to a particular session to return. Once the session is over, the ACE allowing that traffic is automatically removed.
Both will terminate VPN tunnels onto your corporate LAN, and both will support split tunneling (and split DNS) to enable remote users to access their local LANs. The 501 will support up to 10 tunnels total. I'm not sure how many the 2611 will support in software (should be at least 100), but if it's not sufficient, hardware VPN cards are available.
As for IDS/IPS, the signature package for the IOS FW was recently upgraded to over 300 signatures, while I believe the PIX is still at 57.
Definitely save the PIX 501 for your remote office, that's precisely what it's intended for.
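An IOS configuration for the CBAC setup described in the reply above, added here as an example and not posted by anyone in the thread. The interface names, the inspection rule name FW, the ACL numbers and every address (documentation and private ranges) are assumptions; VPN termination would need its own permits in the outside ACL and is left out.

```cisco
! Constructed example: outside = Ethernet0/0 (203.0.113.10),
! inside = Ethernet0/1 (192.168.1.0/24), web server = 192.168.1.10.
!
! CBAC inspection rule: sessions matched here get temporary return
! openings through the inbound ACL on the outside interface.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
!
! Outside ACL: only the services offered to the outside world are
! permitted. Everything else is dropped and logged.
access-list 101 permit tcp any host 203.0.113.10 eq www
access-list 101 permit tcp any host 203.0.113.10 eq 443
access-list 101 deny   ip any any log
!
! Inside hosts allowed to use the overloaded (PAT) address.
access-list 1 permit 192.168.1.0 0.0.0.255
!
interface Ethernet0/0
 description outside
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 ! Filter what arrives from the internet.
 ip access-group 101 in
 ! Inspect sessions leaving through this interface so that their
 ! return traffic is let back in past "deny ip any any".
 ip inspect FW out
!
interface Ethernet0/1
 description inside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Outbound internet access for the LAN.
ip nat inside source list 1 interface Ethernet0/0 overload
! Port forwards from the external interface to the web server.
ip nat inside source static tcp 192.168.1.10 80 interface Ethernet0/0 80
ip nat inside source static tcp 192.168.1.10 443 interface Ethernet0/0 443
```

While an inside host has a connection open, `show ip inspect sessions` lists the session CBAC is tracking; the hit counter on the final deny line in `show access-lists 101` shows what was blocked.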
Better than 90% of stuff should be about the same, and those that don't work will error right away so you can go find a configuration guide for that specific feature. The only one I can think of off hand is that IDS (ip audit) has been replaced by IPS (ip ips). The configuration for that, as well as any other security-related commands, can be found in the IOS Security Command Reference for 12.3T: