PIX Firewalls

NightShade03

Although they aren't mentioned on the blueprint for the CCIE Security how relevant to you think that PIX is to the exam? I know that ASA has mostly taken its place today but don't people still use them in the real world (isn't it a good practice to have an understanding of legacy systems and how they work)?

dynamik

I think there's usually a discrepancy between what's necessary for a cert and what's necessary in the real-world

Turgon

NightShade03 wrote: »

Although they aren't mentioned on the blueprint for the CCIE Security how relevant to you think that PIX is to the exam? I know that ASA has mostly taken its place today but don't people still use them in the real world (isn't it a good practice to have an understanding of legacy systems and how they work)?

I will be dipping my feet back into the PIX world soon enough. Not for the lab but for work. PIX isn't very difficult to use but like anything else you need to put some time in. Should PIX surface in my work I will be expected to be an ace with it About 6 years ago I ran into one and problems with an interconnection between a hosted environment and a customer. My firewall experience was checkpoint and although fresh to PIX I managed to configure it by command line. Things didn't work out and in a call with the admin at the other side he was put off by my not using PDM to configure and assumed I didn't know what I was doing. He was right in one sense. After numerous complaints the connection magically worked a couple of days of whining later. I guess he forgot to configure something his side

SysAdmin4066

Real world for sure. I've worked with a few ASAs but mostly it's been PIX. And PIX and ASA syntax is different enough to warrant some confusion on certain commands. I would definitely learn PIX as well as ASA.

apd123

SysAdmin4066 wrote: »

Real world for sure. I've worked with a few ASAs but mostly it's been PIX. And PIX and ASA syntax is different enough to warrant some confusion on certain commands. I would definitely learn PIX as well as ASA.

This is really only true of legacy PIX OS. I just did a cutover from a PIX pair running 8.0 to an ASA pair running 8.2 and other than changing half a dozen lines like ethernet 0 to ethernet 0/0 the config pasted right in.

tiersten

I think it would still be useful. There are plenty of old PIX boxes lurking in businesses everywhere. If you can configure the latest/greatest ASA then you shouldn't have too much trouble in working out the differences between 8.x and older releases.

If you're looking to buy a Cisco firewall for lab usage then something like the PIX 515e or PIX 525 would probably be better than a new ASA. The ASAs only run PIX OS 7.x and above. If you want anything older then you need a PIX and of those, the larger/newer models like the 515e and 525 will also run the latest PIX OS 8.x.

PEMU will run PIX OS but there are/were some issues regarding transparent mode and a few other things the last time I checked.

CCIE-4-HIRE

PIX is cheaper than ASA and 90% of everything is mostly the same. The ASA is more IOS-like. There are differences like nat-control default bahavior, inspection rules, and even some minor vpn stuff, and well lots of things, but the core items are mostly the same. ACLs, Policy Nat, Security Levels, etc. The same. You can't go wrong with learning version 6.3.5 or better yet 7.x.x

Ahriakin

A PIX running 7.2 +, or 8.0x will get you 95% or so of what you can do with an ASA for lab purposes.
Having some knowledge of 6.x is handy for migrations but you will rarely see it in production.