What pix to buy?


porress

IS-IT--Management
Oct 2, 2003
118
GB
What kind of PIX shall I buy?

We have a 10 Mbps dedicated internet connection.

We have 1 network with about 600 computers, all of them with access to the internet. Can you advise me on one model that can handle this traffic?

I would like to create a DMZ for our web server and probably Exchange OWA in the future, because we use Exchange 2003 at the moment.

And create a VPN for me to connect from home to the network so I can work from home.

Any ideas? thank you!
 
I have been working on PIX for some time now and this crappy firewall SUCKS big time. I don't even count it as a firewall.

One main reason is the ability to troubleshoot; it is a real pain in PIX because the logging is really pathetic. If you need to troubleshoot through the traffic you may end up wasting a lot of time but gaining nothing out of it.

Checkpoint for sure is the best of all firewalls and the logging is one of the best features it has.

I have worked with WatchGuard before and honestly speaking PIX is no good at all when it comes to firewalls.
 
I think it really depends on what you are most experienced with. I have worked on the Pix for almost 6 years. I can usually troubleshoot any problem pretty quickly. With that said, the log tracker with Checkpoint is really a quick way to say yay or nay whether traffic is flowing right or not.
 
I just passed my CCIE Security lab exam so I guess I have some credibility on this issue.

Bottom line is that Pix/FWSM just sucks. Given a complex problem to troubleshoot, let's say site-to-site VPN with double NAT inside the VPN tunnel, I will say with 95% degree of confidence that I will be able to troubleshoot and find the solution in, let's say, one tenth of the time it takes compared to Cisco Pix.

Did you know that Cisco acquired Cisco Pix from another company? It used to be Centri firewalls running on Winblows platform. What a piece of crap.

 
You are correct, wireless, because it is a real pain working and troubleshooting on PIX. Checkpoint rocks always.

Although Cisco have tried their best with PDM and ASDM, they are no good at all.

PIX products were familiar with cmd line, but now these days the picture is different altogether. Checkpoint and NetScreen are the market leaders and no doubt are the best.
 
With 600 computers, which Cisco do I have to buy? I just want to use it with one DMZ for Exchange and to host our staff...

Would an ASA5510 do? Because the budget I have got is not a lot, and I heard from my provider that you have to buy SMARTNET that gives you upgrades for free. Do I have to buy it?
 
For almost 8 years I have implemented Checkpoint, PIX, Watchguard, Raptor and Sonicwall. Of all of them I prefer the PIX. My clients love the fact that I configure the pix and it stays up for years at a time without having to reboot it.

Troubleshooting was a bit difficult at first understanding the debugs and which to use when. I like the fact that this is a modular approach (debugs) and frees up the resources when not needed.

The market I deal in is usually 5 users up to 500+ users. In this arena the pix is easily affordable. The checkpoint requires a hardware and then software licensing investment. It can handle simple networks to very complex networks with ease. Performance is rarely an issue as I check periodically in all of the environments and rarely see a problem.

One additional note. In the event of a hardware failure (speaking of average sized companies here) if you have to replace a pix, the config is a cut and paste event (or you can even tftp it over even quicker). Taking just minutes to do. Really sweet... In a box that rides on top of an os driven solution you have to replace the hardware, rebuild the os, then install the prod (or restore from backup) and then push the policy back out. Not done within 5-10 mins I bet....

Porress, you should look at the 515E with at least a single DMZ port. For a little extra $$$ you can get 3 additional ports to use for other DMZ's if you ever wanted them. You will also need the unrestricted license.

You DO NOT HAVE to buy smartnet. It is a way to get the free software updates; more importantly, it is a hardware replacement and troubleshooting assistance team. Smartnet covers software updates (that you would need to get and manually put on) as well as if you have a problem or need assistance they give you help in doing so. Depending on which level of smartnet you get you can have hardware delivered and installed at your site in 4 hours. Not bad if you are under a crunch. Or you can get several steps in between. If you are not familiar with the product I would strongly recommend it at least for the first year. Then you should ask yourself how long can I afford to be without this? That should determine which level of smartnet you get.


 
Thank you.

OK, but the problem with Cisco 515E is that there are so many licenses and they are so difficult to understand. I just want a basic license that can cope with 600 PCs and 1200 users in a school. Probably 1 DMZ and that is it. Simple and cheap.
 
If you go the way of Cisco - I would spring the little extra cash for the ASA5510 instead of the 515e. You get more out of the box - beefier hardware, 5 interfaces and the ability to add modules. Eventually the 515e will be dropped (no plans yet that I have heard about.) I have done this for a few clients and they have been very happy.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 