Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Routing Platforms => Topic started by: UltraZero on February 22, 2011, 06:55:23 PM

Title: Is This an OK place to talk about Cisco Firewalls?
Post by: UltraZero on February 22, 2011, 06:55:23 PM
So, I have a question. Is anyone trying to put a Cisco PIX firewall in place with the tunnel?

If so, I'd like to know the headaches, if there are any. I have been reading that I think versions below 7 don't work. I saw Cisco offers a free 3DES upgrade. Just wanted to know what people are doing.

Not to mention, is there IPv6 support, and if so, I guess this unit would be placed behind the router, or can the unit be installed behind a modem and perform all NAT functions and PPPoE/DHCP instead of the modem?

Also, if anyone is using a cable modem setup, which cable modem are you using, and is it flexible in regards to setup?

Thanks

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: antillie on February 22, 2011, 09:54:15 PM
Yes, the PIX and ASA both support IPv6 in firmware version 7.0 and later. Version 6.x is IPv4 only though. Check out this post (http://www.tunnelbroker.net/forums/index.php?topic=278.msg6323#msg6323).

Under firmware version 7.x and later the PIX and the ASA are basically the same from a configuration and feature perspective. The ASA is just faster and supports AnyConnect SSL VPN (and a few other things added in the ASA-only 8.2, 8.3, and 8.4 code versions that you probably won't need). The ASA's ASDM GUI interface is much better than the PIX's PDM GUI, but on the CLI they are 99% the same. If you are used to IOS routers then learning PIX/ASA 7.x or later isn't much of a change. (6.x is another matter; it's a bit different.)

If you are using an ASA as your edge device it can be made to forward protocol 41 to a router somewhere behind it in firmware version 8.3 and later, just like you forward a TCP or UDP port. This would let you place the ASA in front of your tunnel device, but it would also prevent the ASA from filtering your incoming IPv6 traffic. However, a PIX cannot forward protocol 41 without a dedicated NAT translation. So if you wanted to use a PIX as your edge device you would need a second IP from your ISP for the tunnel to HE.net. If you want to use a PIX/ASA to filter your IPv6 traffic you will need to terminate the 6in4 tunnel on a router in front of the firewall.

According to this (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080ab7ce9.shtml) it looks like both the PIX and ASA support PPPoE in 7.2(1) and later.

I use a Motorola Surfboard SB5101 cable modem. All I had to do to set it up was call my ISP, read the MAC address on the bottom of the modem to them over the phone, and plug it in. My cable ISP uses straight DHCP and the modem is a dumb bridge device for all practical purposes; no PPPoE or other funny configuration needed on my edge router.

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: UltraZero on February 23, 2011, 04:05:33 AM
Nice to know. I am going to pull the unit out of the storage box. Hopefully, I can use it.

Seeing you are using basically the same setup, is your bandwidth consistent? I'm seeing differences during the day as to bandwidth. I bought a 12 meg connection and I see lows around 5 and highs around 22.

No issues re the tunnel, but I do have a few routing issues of my own. I seem to not be able to route from the sub-interfaces below my top-level router. I have to manually go in and establish static routes in order for the data to get out. Kinda sucks. I thought that's what routing protocols did.

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: cholzhauer on February 23, 2011, 05:04:48 AM
Quote
(and a few other things added in the ASA only 8.2, 8.3, and 8.4 code versions that you probably won't need)

Is 8.4 out?

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: SomeJoe7777 on February 23, 2011, 07:30:26 AM
UltraZero,

I think you said in another thread you were using a Cisco 3640? If you have a recent IOS build (12.4, 12.4T, or 15.0) of the proper feature set (need at least IP/FW), the firewall within the IOS works well. Context-based access control (CBAC) is fully functional for IPv6. I'm using it on my 2811 for IPv6 and IPv4.

You can also use the Intrusion Prevention System (IPS) if you want, although I'm not sure how many signatures inspect IPv6 packets under 12.4 and earlier.

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: UltraZero on February 23, 2011, 09:26:17 AM
Hmm. Maybe I will have to do a router swap. I don't think I have 12.4 on this unit. Maybe another one.

I'll have to check the version of the PIX as well.

I guess in the worst case, I can use the PIX to deal with IPv4 traffic and then use the firewall features of the router, if I have a higher version, to handle the IPv6 stuff. I guess standard IPv6 access lists will have to do for now.

BTW, are we talking basically the same kind of items to block on IPv6 just like IPv4? I guess I'll have to look to see what ports are what.

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: UltraZero on February 23, 2011, 09:27:29 AM
Hmm. IPS or IDS. I think the IPSs are expensive..... Brrrrrrr..

Last I looked.

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: SomeJoe7777 on February 23, 2011, 12:22:28 PM
IDS (Intrusion Detection System) was replaced with IPS (Intrusion Prevention System) in the 12.4 IOS train. By the way, Cisco does have separate devices that can run IPS, but I'm talking about running the IPS in the IOS software on a routing platform. It obviously cannot handle as much traffic as a dedicated IPS device, but it does work.

CBAC works very well as a firewall for both IPv4 and IPv6 and doesn't require any other hardware.  CBAC for IPv4 is in the IOS as early as 12.1, I think, and for IPv6 in 12.4.

CBAC is also quite easy to configure and kind of crosses over into IDS/IPS territory by doing some stateful protocol inspection.

I can post an example config that uses CBAC for IPv4 and IPv6 if you want.

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: antillie on February 23, 2011, 01:23:47 PM
Quote from: UltraZero on February 23, 2011, 04:05:33 AM
Seeing you are using basically the same setup, is your bandwidth consistent? I'm seeing differences during the day as to bandwidth. I bought a 12 meg connection and I see lows around 5 and highs around 22.

No issues re the tunnel, but I do have a few routing issues of my own. I seem to not be able to route from the sub-interfaces below my top-level router. I have to manually go in and establish static routes in order for the data to get out. Kinda sucks. I thought that's what routing protocols did.

My bandwidth is pretty consistent, but that sort of thing is very ISP dependent. Unlike DSL, which uses a dedicated circuit, bandwidth on a DOCSIS system is shared between hosts on either the same cable node or the same headend, depending on how your ISP's DOCSIS network is structured. So when you see reduced speeds it's probably because too many other people in your neighborhood are watching Netflix or whatever.

IOS routers can use RIPv6, EIGRP, OSPFv3, and BGP to dynamically exchange IPv6 routing information. IPv6 support for different routing protocols was added in different IOS releases, so if you need a specific one you might want to check the IOS Feature Navigator on Cisco's web site. However, the PIX/ASA cannot run a dynamic routing protocol in IPv6; they can only use static routes.

According to this post (http://www.tunnelbroker.net/forums/index.php?topic=278.msg1132#msg1132) you should be able to run an IPv6-capable 12.4 image with the firewall feature set on your 3640 if your router has enough RAM and you can get your hands on the firmware image itself. Also, while you certainly can use an IOS router to filter IPv6 traffic, even a PIX will outperform all but the newest and fastest routers when doing stateful firewall work.

Higher-layer protocols like TCP, UDP, SSH, and HTTP are the same in IPv6 as they were in IPv4, so generally you will be filtering the same things for the same reasons. The only thing that is really different is ICMP, which should not be filtered at all in IPv6 in my opinion.

Quote from: cholzhauer on February 23, 2011, 05:04:48 AM
Is 8.4 out?

Yep. (http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html)

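An added IOS configuration example (not posted by anyone in this thread) showing the CBAC-for-IPv6 setup SomeJoe7777 describes, with the inbound filter written to honour antillie's point that ICMPv6 must not be blocked wholesale. The interface name, the ACL/inspection names, the inside host address and the 2001:db8::/32 documentation prefix are assumptions.

```cisco
! Assumed: Tunnel0 is the 6in4 tunnel to HE.net; 2001:db8:1::10 is a
! hypothetical inside host that should accept SSH from the Internet.
ipv6 unicast-routing
!
! CBAC: inspect sessions leaving the LAN and open the return path
! dynamically, so the static inbound ACL only needs unsolicited traffic.
ipv6 inspect name V6FW tcp
ipv6 inspect name V6FW udp
ipv6 inspect name V6FW icmp
!
! Inbound filter. ICMPv6 is permitted by type rather than dropped:
! ND keeps the link working, Packet Too Big keeps PMTUD working, and
! Time Exceeded / Parameter Problem keep faults diagnosable.
ipv6 access-list TUNNEL-IN
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 permit icmp any any unreachable
 permit icmp any any echo-request
 permit icmp any any echo-reply
 permit tcp any host 2001:db8:1::10 eq 22
 ! Note: an explicit deny at the end disables IOS's implicit
 ! "permit icmp any any nd-na / nd-ns" entries, which is why ND is
 ! permitted explicitly above rather than left to the defaults.
 deny ipv6 any any log
!
interface Tunnel0
 description 6in4 tunnel to HE.net (assumed interface)
 ipv6 traffic-filter TUNNEL-IN in
 ipv6 inspect V6FW out
```

Verify the dynamic entries with `show ipv6 inspect sessions` and the ACL hits with `show ipv6 access-list TUNNEL-IN`.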
Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: cholzhauer on February 23, 2011, 01:25:02 PM
Yeah, I just went and downloaded 8.4. The release notes don't mention any new features... have you come across any?

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: antillie on February 23, 2011, 01:55:05 PM
They added support for EtherChannel on the 5510 and up, and failover support for dynamic routing protocols in IPv4. There is a list of highlights here (http://www.networkstraining.com/new-cisco-asa-version-8-4-introduced/). Nothing really worth getting excited about if you're not using failover and a routing protocol together.

I haven't installed 8.4 yet as it doesn't look like it adds any new IPv6 toys over 8.3.

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: jimb on February 23, 2011, 03:40:22 PM
Are they eventually going to EOL the PIX line in favor of the ASAs?

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: UltraZero on February 23, 2011, 06:07:57 PM
Cisco EOL'd the product, I think, back in 2008. I just read the IOS is not being sold any more. (Sucks, because I just pulled my unit out of the box and fired it up.) Cough, cough. Looks like she needs an upgrade.

I guess I might consider selling it since I can't upgrade the unit. Does anyone know if the upgrade of the IOS is based on feature sets or is it based on the license?

Meaning, can I upgrade the IOS legally to get the next versions, but not get the non-licensed features that I don't have? I want to keep this thing legit.

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: cholzhauer on February 23, 2011, 07:01:58 PM
Quote from: jimb on February 23, 2011, 03:40:22 PM
Are they eventually going to EOL the PIX line in favor of the ASAs?

Yeah, they're long gone.

Note that neither the PIX nor the ASA runs IOS.

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: UltraZero on February 23, 2011, 07:26:42 PM
Sorry. Used to putting IOS for Cisco.

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: jimb on February 23, 2011, 08:38:07 PM
Quote from: cholzhauer on February 23, 2011, 07:01:58 PM
Quote from: jimb on February 23, 2011, 03:40:22 PM
Are they eventually going to EOL the PIX line in favor of the ASAs?

Yeah, they're long gone.

Note that neither the PIX nor the ASA runs IOS.

Ah. I sort of remembered them EOLing them a long time ago too, but it sounded like you were talking about recent PIX OS upgrades, which I didn't think they were doing anymore.

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: cholzhauer on February 23, 2011, 08:40:38 PM
Ohh, gotcha. They're still releasing code for the ASAs, but it's not compatible with a PIX, and the PIX OS won't work on an ASA.

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: jimb on February 23, 2011, 08:42:59 PM
Oh, my bad. You were talking about both PIXes and ASAs. I didn't read carefully enough to see the upgrades were for the ASAs, not PIXes.

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: UltraZero on February 24, 2011, 10:53:50 AM
Yeah. I was on the Cisco website and they offer a free upgrade for the IPsec, but not for the operating system.

6.33 is where she is, and I understand IPv6 is only supported under 7.x and above. 8.04 I think is the highest version, so I read on the net.

ASAs are so expensive though. I have always tended to purchase something way overkill for my network, so I was looking at a 5510. That's a couple grand that I don't have.

It's not like I have tactical information I need to be securing. At least not yet... ::) ::) ::)

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: UltraZero on February 24, 2011, 10:55:18 AM
Does anyone out there use a PIX with the PDM software? If so, what version of PDM are you using?

Thanks

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: cholzhauer on February 24, 2011, 10:55:37 AM
I think we discussed this elsewhere... the 5505 would be overkill for your network, and that's under $500.

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: jimb on February 24, 2011, 02:09:55 PM
If this is just a home network, a BSD or Linux box would work fine for you. If this is business, hrm, maybe Juniper? The SRX firewalls seem to be pretty good and support IPv6.

Title: Re: Is This an OK place to talk about Cisco Firewalls?
Post by: UltraZero on February 24, 2011, 02:48:49 PM
Well, I've been thinking of putting up a Cisco online lab. Just a thought.

Besides, why use a bicycle to go to the corner store when you can drive a Lamborghini there, pass it, jump on the highway for a mile or 2, get her up to speed (just the speed limit, because you know the sheer nature of a Lamborghini says give me a ticket) and be back at the store before you would have on that old darn bicycle.. LOL.... ;D ;D ;D

All joking aside. I figured since I had this big box, I would put her online. But, unless I do something illegal, which I don't think I want to go that route, maybe I'll put her on eBay and buy a 5505 and put it in a rack mount chassis so it at least looks big and powerful... Slap a Lamborghini sticker on the front..

Now that's funny right there..

LOL