Pix vs 2611xm w/ firewall (CBAC)

Im sure there are a million answers to this but i am going to ask it anyway. For a home setup can the 2611xm with firewall feature compare to using a pix 501? At the moment I dont have to permit any traffic from out to in. I also have an easy vpn setup on the pix to connect from remote locations using the cisco vpn client and ddns running behind the firewall so i can connect. I have the 1 ip dynamic plan. Also can the 2611xm do the ddns for me?

Thanks guys

My current setup:Internet---> ATT DSL Modem--->Pix501---->LAN
Purposed setup: Internet--->2611xm (with WIC-1adsl)

>LAN

Find more posts tagged with

Comments

Forsaken_GA

It'll work, just be aware that the processor in the 2611xm is kind of weak, and if you make it perform firewall and NAT duties, depending on how much traffic you put through it, it may go wonky sometimes

tiersten

You know the WIC-1ADSL only supports 8Mbps ADSL1 right? The ADSL2 WIC is the HWIC-1ADSL and that doesn't work in a 2600XM as it doesn't support HWICs.

The PIX-501 is rated for 60Mbps cleartext and under 6Mbps if you're using crypto. DES is 6Mbps, 3DES is 3Mbps, AES-128 is 4.5Mbps and AES-256 is 3.4Mbps.
The 2611XM is rated for 10Mbps which is with nothing enabled like the firewall and with 64 byte packets. I wouldn't attempt to use crypto on it unless you have a VPN AIM and even then you're unlikely to get very good performance.

johnwest43

I am aware that it only supports up to 8Mb. ATT only offers 6Mb to our neighboorhood. I currently have the 3Mb plan. So throughput wont be too bad for the 2611xm.

tiersten

johnwest43 wrote: »

I am aware that it only supports up to 8Mb. ATT only offers 6Mb to our neighboorhood. I currently have the 3Mb plan.

Ah okay. Just checking

johnwest43 wrote: »

So throughput wont be too bad for the 2611xm.

The rated forwarding performance is with nothing enabled. My old 1841 with everything enabled could only do 3-4Mbps but that was with IPS as well which is really CPU intensive.

A very rough rule of thumb is that you halve the rated performance for each feature you enable. Firewall would be one and NAT would be another etc... The 1841 is rated for 38Mbps with nothing enabled according to the performance datasheet but Cisco only rate it as suitable for handling a single T1/E1 with features.

You'll get better performance with what you've currently got IMO.

mgeorge

A 2611XM with NAT and IOS firewall would limit you down to around 3Mbps regardless due to performance of the platform. If you were to ever upgrade to 6Mbps then you'd have to disable IOS firewall.

In all actuality it would probably be best if you got a Pix 506E and upgraded it to 64mb ram and ran 7.1(2) on it (the latest image for 8mb flash/64mb ram) then you can use the pix as a transparent firewall and keep the router doing what it does best, routing.

-Matt George

johnwest43

mgeorge wrote: »

In all actuality it would probably be best if you got a Pix 506E and upgraded it to 64mb ram and ran 7.1(2) on it (the latest image for 8mb flash/64mb ram) then you can use the pix as a transparent firewall and keep the router doing what it does best, routing.

It just so happens that i have a 506e w/ 64MB RAM and 7.0.5 (largest you can shoe horn in and still have VLANS).

So how about this setup: Internet--->2611xm--->pix506e--->LAN

As far as transparent mode i have never tried that feature. What would you reccommend for vpn? I assume that the pix cant be setup in transpaert mode and a act as a easy vpn server.

Thanks again for all the input.

Side note , would a 2620xm's performance be better then the 2611xm? I know it supports more kpps but is it a big enough difference?

Forsaken_GA

mgeorge wrote: »

A 2611XM with NAT and IOS firewall would limit you down to around 3Mbps regardless due to performance of the platform. If you were to ever upgrade to 6Mbps then you'd have to disable IOS firewall.

-Matt George

Not entirely true. I used to run a 2611XM as my ISP border device, and I was able to put 6 megs through it with the Firewall, NAT and NBAR all running. Anything more than that and the CPU spiked and I could no longer get SNMP off of it

hypnotoad

johnwest43 wrote: »

Side note , would a 2620xm's performance be better then the 2611xm? I know it supports more kpps but is it a big enough difference?

I think the 2620xm only has 1 FE compared to the 2611xm's two. Something to consider (in case you didnt know -- buying this stuff can be tricky, as many people have found out the hard way.)

johnwest43

+1 on the tricky side. I already have the 2620xm. I bought it last december for my CCNA lab. I think i am going to try using just the 2611xm for the dsl connection and firewall for now and try to monitor its performance with prtg and see what i come up with.

johnwest43

OK I tried it and the performance sucks!! Download speed was on par but latency while web browsing was horrible!!

Next Security question for you guys.

I currently have the 2611xm in bridging mode with ATM0/1 and fa0/1 bridged. Next in line connected to fa0/1 is a pix 515e doing all the pppoe and ppp negotiations. FA0/0 on the 2611xm is connected to the inside network and running CME. I assume that this is still secure because the other 2 ports are in bridged mode with no ip address therefore the outside world still has to pass through the pix to gain access to the inside network. Does this sound correct? I tried to illustrate the topo below.

Thanks

diagram.jpg

johnwest43

Anybody have any thoughts?

semangka

johnwest43 wrote: »

OK I tried it and the performance sucks!! Download speed was on par but latency while web browsing was horrible!!
Thanks

Im running a 2611XM for home usuage with CBAC and had some performance problems initially too.

Some tips
* MTU size on your dialer 1492?
* tcp mss adjust - just in case

But the biggest issue was that CBAC was dropping out of order tcp segments which can be fixed with;

* ip inspect name GNS fragment maximum 64 timeout 60 (might need IOS upgrade for that)

Fine since

johnwest43

Tried them all... no luck I am also using the router as a CME Router as well. The Routers Lag wasnt bad until i turned on telephony-services.

Anyone else have any insight on the security issue i posted above about the bridge on the 2611xm?