Cisco PIX 506

Hello, I am thinking of purchasing a Pix 506, Will this be enough to get through the CCSP with? or will there be more hardware? I already have a large amount of routers and switches.

Find more posts tagged with

Comments

HHHTheGame

Don't bother. Get the ASA5505. It's only $600 and it runs v7 of the OS.

routingbyrumor

Thanks for the reply, I'll look into this ASA505 on Ebay.

Munck

With PIX 506, you're stuck with OS 6.x, so it can't be used for the CCSP

Ahriakin

If you can't stretch to the newer models you can still get some mileage from the 500 series. While some of the commands have changed, and 7.0 does add a fair bit extra, you can get to grips with translations, routing, access-lists, multiple zone theory etc. Many of the 7.0 command changes are to bring it more into IOS'ese so router experience can help bridge more of the gap.
I'm sitting the PIX exam this Friday so I'll let you know if my theory actually holds true (using a 515 with 6.3 at work and borrowed a 501 with the same for home study....).

dissolved

I personally do not like IOS 7 on pix. They should have left it the way it was. I know they are trying to make it easier for network admins, but it's making it harder on small businesses with 501s or 506e's that can't run the new IOS

Bad move IMHO

dissolved

HHHTheGame wrote:

Don't bother. Get the ASA5505. It's only $600 and it runs v7 of the OS.

I've never seen this before, link?

mikej412

Not listed as in stock at CDW yet.... "Call for availability"

The Security Plus Bundle will ship within 13 days if ordered today (for $1,159.99).

They do have a 5510 in stock.

dissolved

thanks Mike, good to know. I'll be checking ebay for this. And this runs the new IOS 7? I'll be forced to play with it since I'm taking the pix exam soon.

From my understanding, there is some 6.3 IOS on the test too right?

defx

PIX 506 can run pix 7.x an asa 7.x whit a ram upgrade, just open, put 32 or 64 dimm and practice

Ahriakin

Unsupported and apparently only possible by stripping out the GUI components.

defx

r0ckwell on December 20th, 2006 wrote:

Before proceeding, keep in mind that Cisco will no longer support your hardware or software after doing this, so don’t bother trying to get support for it. I’ve decided to share this knowledge to assist those who are less fortunate to have access to a 515 model or ASA. Considering we pay enough money for books, classes, and equipment, this will help tremendously with studying for the CCIE-Security exam.

I’ve collected information from various forums and have concluded that none of the methods explained really work. Maybe because people don’t really want to share the information or maybe it’s because they are worried that Cisco will find out.

FYI, I’ve condensed the ’show’ outputs to allow for easier reading.

Here is what I’ve done to get the code to run.

You can’t do the upgrade with only 32MB of RAM, you will need 64MB. Lucky for me I had 2 506E models to use. I took the RAM from one unit and placed in the slot of the PIX I wanted to upgrade.

When you run a ’show version’, you should see the following output:

pixfirewall(config)# sh ver

Cisco PIX Firewall Version 6.3(5)

Compiled on Thu 04-Aug-05 21:40 by morlee

pixfirewall up 5 mins 45 secs

Hardware: PIX-506E, 64 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0×300, 8MB

Notice the 64MB of RAM. This is important if you want to continue.

Next, I downloaded the pdm-304.bin file from Cisco’s website and renamed it to fakepdm.bin.

I started up the TFTP server and ran ‘copy tftp flash:pdm’ on the PIX.

pixfirewall(config)# copy tftp flash:pdm
Address or name of remote host [0.0.0.0]? 192.168.1.35
Source file name [cdisk]? fakepdm.bin
copying tftp://192.168.1.35/fakepdm.bin to flash:pdm
[yes|no|again]? yes
Erasing current PDM file
Writing new PDM file
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!tftp: Timed out during transfer
Erasing partial PDM file
PDM file not installed.
pixfirewall(config)#

After this message appears “Erasing current PDM file”, unplug the ethernet cable from the PIX. As you can see by my output above, the writing new PDM portion times out. Then you will see that the PIX is ‘Erasing partial PDM file’ and ‘PDM file not installed’.

You’ve basically cleared enough space in flash memory to run any upgrade.

I’ve decided to upgrade to version 7.01 only. It’s your choice if you want to go higher. I’m only doing this to prove that it CAN be done.

Next, I ran the upgrade as normal by issuing ‘copy tftp flash:image’ and used the pix701.bin file.

pixfirewall(config)# copy tftp flash:image
Address or name of remote host [0.0.0.0]? 192.168.1.35
Source file name [cdisk]? pix701.bin
copying tftp://192.168.1.35/pix701.bin to flash:image
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Received 5124096 bytes
Erasing current image
Writing 5066808 bytes of image
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Image installed
pixfirewall(config)#

Once you reload the PIX, you will see several messages. Do not abort the reload/reboot sequence. It’s normal what you are about to see. The 7.x code is what’s causing the following output to appear that way. Just sit back and wait for the prompt.

pixfirewall(config)# reload
Proceed with reload? [confirm]

Rebooting..\uffff

Old file system detected. Attempting to save data in flash

Initializing flashfs…
flashfs[7]: Checking block 0…block number was (2423)
flashfs[7]: erasing block 0…done.
flashfs[7]: Checking block 1…block number was (24879)
flashfs[7]: erasing block 1…done.
flashfs[7]: Checking block 2…block number was (-16063)
flashfs[7]: erasing block 2…done.
…
flashfs[7]: erasing block 60…done.
flashfs[7]: Checking block 61…block number was (0)
flashfs[7]: erasing block 61…done.
flashfs[7]: 0 files, 1 directories
flashfs[7]: 0 orphaned files, 0 orphaned directories
flashfs[7]: Total bytes: 7870464
flashfs[7]: Bytes used: 1024
flashfs[7]: Bytes available: 7869440
flashfs[7]: flashfs fsck took 90 seconds.
flashfs[7]: Initialization complete.

Saving the datafile
!
Saving a copy of old datafile for downgrade
!
Saved the activation key from the flash image
Saved the default firewall mode (single) to flash
Saving image file as image.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Upgrade process complete
Need to burn loader….
Erasing sector 0…[OK]
Burning sector 0…[OK]

Once the checking and erasing is complete, you will notice that your 506E is now running 7.0(1) code.

Cisco PIX Security Appliance Software Version 7.0(1)

I guess now after knowing this, the sales prices for the 506Es on eBay will start to come down.

johnwest43

Works great except for VLans are disabled.

Nobylspoon

Check Craigslist and Ebay for a 5505. I was planning on a 506E myself but I am really glad I decided to go with the ASA instead. I picked mine up for $250 with a 10 user base license. Came loaded up with v7.2 and 8.0 along with ASDM 6.3.

It is definatly worth the extra money to go for the ASA 5505. You might not be able to find it quite as cheap as I did but keep shopping and you can probably pick it up in the low $300 range for sure. However, if you need more than a 10 user license then you will be paying more. I am using mine for my home network and I never have more than 10 devices connecting to the outside interface at one time.

johnwest43

7.0.5 allows vlans.

Bl8ckr0uter

johnwest43 wrote: »

7.0.5 allows vlans.

Can the PIX 506 support 7? I thought that was only for ASAs. I thought the Pix 501 and 506 only support 6.3 or something.

tiersten

knwminus wrote: »

Can the PIX 506 support 7? I thought that was only for ASAs. I thought the Pix 501 and 506 only support 6.3 or something.

v7 is supported for the larger PIX boxes and all ASAs.

The very early versions of v7 could be wedged into a PIX506E (The old 506 won't do it) by following the procedure to erase PDM so you have enough space on the flash to store the image.

Later versions of v7 won't work on a PIX506E because they're larger than the available space and they added or removed something which causes it to abort.

johnwest43

7.05 is the newest you can wedge onto a 506e.

Bl8ckr0uter

I'm going to snag this PIX 506E from work to help me better understand the PIX OS. I am migrating the business off of a PIX 515 to an SonicWall NSA 3500 in a few weeks and I need to have a complete understanding of what the PIX config has in it so I can migrate everything successfully and quickly.

zen master

Hey guys, I'm thinking of ordering the following "CISCO ASA5505-BUN-K9 10000 Simultaneous Sessions Firewall throughput: Up to 150 Mbps 3DES/AES VPN throughput: Up to 100 Mbps Cisco ASA 5505 10-User Bundle". Will this be adequate for the CCSP? Any input would be greatly appreciated.

tiersten

zen master wrote: »

Hey guys, I'm thinking of ordering the following "CISCO ASA5505-BUN-K9 10000 Simultaneous Sessions Firewall throughput: Up to 150 Mbps 3DES/AES VPN throughput: Up to 100 Mbps Cisco ASA 5505 10-User Bundle". Will this be adequate for the CCSP? Any input would be greatly appreciated.

The base license ASA5505 can't handle failover and won't do trunking. The Security Plus licensed ASA5505 is only capable of doing active/standby failover. It only takes SSCs as well so if you want to put in a module then you'll have to deal with those instead of SSMs.

In short, you'll be able to do most of what you need but there are limitations like the failover support.

QHalo

Also I'm pretty sure that SNAF has security contexts on it as well. A 5505 will not have them no matter what license you buy for it. You have to upgrade to a 5510 with a Sec plus license to get those.

tiersten

QHalo wrote: »

Also I'm pretty sure that SNAF has security contexts on it as well. A 5505 will not have them no matter what license you buy for it. You have to upgrade to a 5510 with a Sec plus license to get those.

Good point.

QHalo

I've been looking over ASA's for a jump into CCSP after I'm done with CCNA Sec. It's looking like rack rental is the best choice to ensure you don't have equipment capability concerns. There's also the ASA Project which has a working VMware image of an ASA. You could look into that as well. I was planning on buying a 5505 to manage my home network and as something I could consistently use to get experience with them, supplemented with rack rentals. 5510's are just not cost justified for me. I've found a few with Sec Plus licenses on eBay around $1800-2600 but you need two for full capabilities and that's just an asinine amount of cash.

zen master

QHalo wrote: »

Also I'm pretty sure that SNAF has security contexts on it as well. A 5505 will not have them no matter what license you buy for it. You have to upgrade to a 5510 with a Sec plus license to get those.

How critical is this? Can I learn the concepts using a simulator, or just using the book?

Thanks for all the assistance guys, it's greatly appreciated. One last question, will the CISCO ASA5505-BUN-K9 help me to complete my CCNA: Security as well?

QHalo

I'm not sure how in depth the SNAF exam goes into them so I can't really speak much more intelligently on the subject. I did find this on the CLN. Perhaps this could shed some light for you. You'll obviously need an account to access but it's free to register and worth the price of admission. Tons of good info on there.

https://learningnetwork.cisco.com/docs/DOC-3392

peanutnoggin

zen master wrote: »

One last question, will the CISCO ASA5505-BUN-K9 help me to complete my CCNA: Security as well?

The CCNA: Security doesn't include anything on ASA firewalls. The CCNA will introduce you to Zone Based Firewalls. HTH.

-Peanut

EDIT: Maybe I shouldn't say anything... I believe the ASAs are mentioned in the CCNA: Security book, but you are not shown any configurations of the ASA Firewalls in your CCNA:Security studies... At least using the Authorized Self-Study Guide