PIX exam? (CCNP forum archive, November 2000)
I know this doesn't fit into the CCNP exams, but I can't find any info. I thought maybe the people here could help.
Over the next few weeks, I will be able to work on a couple of Cisco PIX firewall appliances. I heard there was a beta exam over the summer called "PIX Firewall Fundamentals". Does anyone know anything about the live exam?
Under the CCNP security specialization, the PIX Firewall Advanced exam is listed, and it mentioned Advanced and Fundamental courses as prereqs. I figured that since I have to learn how to configure a PIX, I might as well take a shot at the exam also.
baldy
Hi there,
I think there is a book out there with Cisco called "Managing Cisco Network Security (MCNS)". Saw the text book for it in Borders. But I am not too sure if it covers the PIX firewall though.
I have to ask you for a favour. I wanted the company I was working for to buy a PIX firewall. Can you tell me how much it costs to get, and is it too hard to set up, or how did you get it set up?
thanks
Thanks for the help. I also found some reference to it in the DCN book.
Try CDW.com for the PIX. Select Networking, then WAN, then Network Firewalls.
A restricted PIX 515 is $4000.
baldy
akohli8745,
It just depends on the model of PIX you get. For example the 506 PIX is $2000, and higher models cost more. The 506 is the lowest version. What is the difference? How many connections they support, how many interfaces they have and how fast the interfaces are. The 506 is for a small business of approximately 500 users and only has 2 interfaces. Some higher models have multiple interfaces, are upgradable and, because of the multiple interfaces, can have multiple DMZs. It just depends on what you are looking for the PIX to do.
Setting up the PIX is fairly easy. If you are familiar with routers and access-lists then it should be a breeze. The PIX runs a type of the IOS. The way I have my PIX set up is I have my PIX providing my NAT. All I had to do to set it up was tell the PIX what range I wanted it to NAT, set the IP addresses on the interfaces, and tell it what I wanted it to allow and disallow. The only difference between a router access list and the PIX is that on the router you want to put the restrictions first and then allow everything else. On a PIX you first want to restrict everything (outbound 1 deny ip any any eq 0 {this tells the PIX to restrict any outbound tcp, udp, or ip traffic out any ports}). Then you want to set up the rules of what you want to allow. The PIX will see this as first denying everything, but then allowing only what you set the rules up to be. For example, if you want to allow only http and pop3 traffic you would issue commands like this:
outbound 1 permit any eq www
outbound 1 permit any eq 110
The outbound means this traffic is only good for outbound packets, not inbound; the 1 is the access-list number; permit any eq www means to permit any web traffic outbound. Ideally instead of "any" you would want to use your IP range. For example, if your internal subnet is 192.168.1.0-255 you would substitute your subnet for "any".
Example: outbound 1 permit 192.168.1.0 0.0.0.0 eq www
I hope this helps and makes sense. The nice thing about the PIX is that it comes with a manual telling you exactly how to set it up. Also, Cisco's website has all the info on it too.
Wow, thanks guys, I really appreciate all the help and the advice you have given me.
Is the PIX any better than the Checkpoint? My company has already bought the Checkpoint, but I want to get experience on the PIX. What do you think I should do?
thanks
I have never used Checkpoint firewall, so I can't say. At Comdex, I talked to the product manager of the PIX and we talked about some advantages and disadvantages of the PIX over other products. The only disadvantage of the PIX I have found is that it doesn't like packets going out the firewall and then back in. For example, if you have a web server inside the firewall, and you have a DNS server pointing to an external address, well, if you want to get to that website inside the firewall, you have to use the internal address to reach it, not the external, so you would need an internal DNS server. I was told that this issue would be fixed in the next software release.
I would learn both. I want to learn more about Checkpoint, but don't have the resources now. Learn about both and you will be well off. Go to Cisco's website and read all the technical documents on it.
Jamesbond_007,
Thanks for the additional info. I have been studying the documentation from Cisco's site for a few days now. Your extra information is very helpful.
akohli8745,
Here is an article I found comparing the PIX and Checkpoint's FW-1:
http://www.roble.com/docs/fw1_or_pix.html
It seems to be biased towards the PIX, but is a useful comparison.
baldy
quote: Originally posted by Jamesbond_007:
For example, if you have a web server inside the firewall, and you have a DNS server pointing to an external address, well, if you want to get to that website inside the firewall, you have to use the internal address to reach it, not the external, so you would need an internal DNS server.
There's actually a neat way around this and it's been around since at least 5.0, which is when I first used this command.
To restate the problem, let's say you have a publicly accessible web server (www.example.com) on your internal network with the address 10.1.1.3. You have a static NAT entry that converts the outside address to 10.1.1.3. Your DNS is hosted by your ISP, so www.example.com resolves to the external IP address of the webserver. When internal clients try to go to www.example.com and use external DNS, they get the outside address of the webserver, which is really just a NAT statement on the PIX. Your clients can't reach the webserver.
The typical way of doing this is separating your address space (internal and external), which is typically a good idea since your internal DNS server can cache records and save your clients some trouble.
BUT (and this was my whole reason for responding.....) you can use the "alias" command to have the PIX doctor the DNS replies from an external server. You basically alias the external address of www.example.com to 10.1.1.3. Now clients make a request to an external DNS server and the server responds with the outside address of your web server. Only this time the PIX intercepts the response, rips out the external address and inserts 10.1.1.3 in its stead. Your clients then open a session with 10.1.1.3 and all the world is right.
I have been faced with this problem a number of times when dealing with smaller clients. I did a little dance of joy when I figured out I could do this. Yippee.
MadChef
Thanks for all your help guys.
I am going to master Checkpoint before I master PIX.
baldy, did you find out if there is a certification for Cisco as a specialization after CCNP? Does anyone recommend taking this subject on security?
akohli8745,
www.cisco.com/go/ccnp, follow the CCNP specialization link. Prior to Jan '01 the specialization is 1 exam. The Managing Cisco Network Security (MCNS) book you mentioned to me earlier is the study material for it. After Jan, the specialization is going to be 4 exams. The MCNS is one of them, and the PIX Firewall Advanced is another. I never found any information on the PIX Firewall Fundamentals exam, only that the course is being offered by GlobalKnowledge in Austin, TX (doesn't help when you live in PA). I should be meeting with a Cisco Rep in the next week, so I'll ask him about it.
baldy