The Pix 515 Firewall was one of the cooler pieces of equipment I got to work with at my last job. It is the smaller of Cisco's PIX firewall devices (the other being the Pix 520). The unit is one rack unit tall and includes two fast ethernet interfaces. I had it sitting between a router that provided internet feed and a router that operated an eleven location frame relay network. For some reason I'm drawing a complete blank for its umpteen features, some of which are:
Two PCI expansion slots
Can be plugged into an identical Pix and set up for failover
Supports up to six interfaces
Handles VPN with IPSEC (using TACACS for authentication), DMZs, NAT and many other abbreviations
It is set up using wonderful plain text, through a terminal or telnet. There is some sort of GUI 'Firewall Manager' for it that runs on NT but I never bothered to try it. Getting the thing to work boiled down to configuring your interfaces then defining what traffic the interfaces could send/receive from each other. Then you could define a NAT to allow inside users Internet access. Putting servers on the internet (Citrix, email, etc) is super easy as well, you just create a "static" and a "conduit" which allows traffic to a certain IP address to be sent to a specific machine.
All of this is covered in its great instruction manual. I knew nothing about Cisco firewalls and had it doing a NAT in an hour or less (including the software upgrade).
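Added here as an illustration (not from the original post or Cisco's documentation) is a minimal PIX-style config sketch of the four steps described above: naming the interfaces, setting up NAT for inside users, then a "static" plus a "conduit" to publish one inside server. All addresses are constructed RFC 5737 / RFC 1918 examples, and the "!" lines are annotation for the reader.

```text
! Step 1: name the interfaces and give them security levels
! (outside is the least trusted, inside the most trusted)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0

! Step 2: NAT for inside users - pool 1 maps every inside host
! onto one outside address (port address translation)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 203.0.113.3

! Step 3: a "static" pins a fixed outside address to one inside
! server (constructed mail server at 10.0.0.10)
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255

! Step 4: the "conduit" opens a hole through the outside interface.
! Keep it to one host and one port rather than permitting ip to any.
conduit permit tcp host 203.0.113.10 eq smtp any

! Default route toward the Internet router
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

The line to check when reviewing such a config is the conduit: a "conduit permit ip host ... any" would expose every service on the translated host, so scope it to the ports the server actually offers. Later PIX software replaced conduits with access-list/access-group, which is the same permit decision expressed per interface.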
I think the thing cost just over $10,000, with a 65,000 connection license.
The first Pix we bought was actually bad. It would work until you put a severe load on it, then it would crash. For a few months, before it went into production, I was the only one who could access the Pix and the new Internet T1 from their desktop. (everybody else was using a crappy 384k connection which was also handling the whole WAN, hehe)
All I had to do to crash it was open up Newsbin, the thing just couldn't handle a whole T-1 worth of traffic. As per Cisco's tech support I got to open it up, which was neat. It's just a motherboard with an Intel Pentium 200 processor ("with MMX technology!"). We got a replacement from Cisco within a week.
A neat trick is adding more interfaces. If you want more connections on the Pix but already maxed out your budget, you can just throw an Intel 10/100 NIC in there. Power up and it grabs an IRQ then off you go!!! You can probably add an Intel dual port server card, but I never tried it.
Cisco's tech support doesn't support this, since you're supposed to buy a Cisco NIC (which is probably Intel anyway). I never had any problems with it though.