i got a CISCO 2600 Router/Firewall/VPN/etc. for *FREE* ...
anyone here know how to set up this thing? i'm sure i could figure it out myself, but if we have someone here who has worked with that box before, that would save me a whole bunch of headaches ...
Andy
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/cis2600/index.htm
Last time I checked.. the 2600 was a ROUTER not a firewall. You can build an access control list.. but I don't think that will help.
B << Cisco certified back in the day.. haven't logged into one for over 3 years at this point.
Andy,
I was sent a PM with a software solution. Let me get it to you for review.
Come to think of it.... I used 2600's for years. They worked well for point to point T1's and for businesses with 2-3 thousand users hitting IIS websites. We always combined it with a Cisco PIX firewall.
B
i know it's a router, but the docs say it has VPN and Firewall built in ...
is that not true?
Andy
Any router is just a computer with dedicated hardware to help with networking. A firewall is just software. New software + old router = firewall/vpn/router. The 2600 series is pretty venerable, but I doubt our bandwidth usage is enough to justify anything more.
No, I have no idea how to set up the firewall stuff...
They work VERY well!! Thanks to whomever "gave it to us"
Andy,
Cisco sells "Feature packs" that unlock different configs in the router. They ship it locked down with only what you pay for..then send you different "keys" to unlock the different features without selling you a whole new solution.
Hang on..I'll call
B
OK. I have two "high end" feature packs that I never pulled the plastic off of until now. I'm reading through them to see exactly what options they were purchased with.
Andy,
I can't find the PM that had an awesome suggestion for a software based firewall. It was an AZ guy out of the Flagstaff area.. I ALWAYS forget his name.. he has a son into the 914's also "Mike"
B
These are all the feature sets available for the 2600 series routers:
ENTERPRISE BASIC
ENTERPRISE PLUS
ENTERPRISE PLUS IPSEC 3DES
ENTERPRISE PLUS IPSEC 56
ENTERPRISE PLUS/H323 MCM
ENTERPRISE/FW/IDS PLUS IPSEC 3DES
ENTERPRISE/FW/IDS PLUS IPSEC 56
ENTERPRISE/SNASW PLUS
ENTERPRISE/SNASW PLUS IPSEC 3DES
ENTERPRISE/SNASW PLUS IPSEC 56
IP
IP PLUS
IP PLUS BASIC W/O HD ANALOG/AIM ATM/VOICE
IP PLUS BASIC W/O SWITCHING
IP PLUS IPSEC 3DES
IP PLUS IPSEC 56
IP/FW/IDS
IP/FW/IDS PLUS IPSEC 3DES
IP/FW/IDS PLUS IPSEC 3DES BASIC
IP/FW/IDS PLUS IPSEC 56
IP/H323
IP/H323 PLUS BASIC
IP/IPX/APPLETALK
IP/IPX/AT/DEC
IP/IPX/AT/DEC PLUS
IP/IPX/AT/DEC/FW/IDS PLUS
IP/IPX/AT/FW/IDS PLUS BASIC
REMOTE ACCESS SERVER
TELCO FEATURE SET
The minimum feature set that you'll be looking for is IP/FW/IDS.
alright, it's got 2 x "T1 DSU/CSU" ports, 2 x "10/100 Ethernet Ports", 1 x "Console Port", 1 x "AUX Port" ...
version number is "2621" ...
any easy way to find out what features it has loaded ???
Andy
Aight: This is a braindump.
Using a 2600 as a firewall might do it. There are some features like reflexive acls and layer 7 filtering stuff that can provide a lot of protection.
It might also be advisable to download a vulnerability scanning tool like nessus and make sure it doesn't dig anything up. (it will - you need to patch and fix until it doesn't)
I have a much better idea how to lock down a linux machine than windows - personally I'd probably put a linux proxying filter in front of a windows machine rather than exposing windows directly to the net. I'd also add a hardware device probably.
On my home network I use a Fortinet device which not only does firewalling but also incorporates intrusion detection and prevention, and vpn. We have some corporate contacts at fortinet, so I'm asking around to see if I can scavenge up a box for the site. I'll let you know if I come up with anything.
Main thing is to make sure all unnecessary services are not accessible to the net.
I just scanned the server and there is way too much open...
I'm not going to talk anymore here because I'm just giving information away to the bad guys as well as the admins.
Hook the 2600 up to a serial port (via the console line) and use hyperterminal to talk to it (9600/8/n/1)
then do show version.
you could hook it up to the network and telnet into it and get the same results.
You can bring it over here if you like (maybe wait til 5) and we could look at it.
Run it over to Fiid
He probably has the correct cable you need also.
B
I can't tell from your post what it has in it.
Typically they would have one T-1 card and one Ethernet card. The cards are probably cheap right now, but they were not at one point in time.
Just curious.
B
it's got TWO ethernet ports and TWO T1 ports ...
Andy
that will make it easier to isolate traffic. two ethernet ports...
Two t1 ports is for redundancy.
damn fiid, i don't even have to drive, i can just walk over to your place!
Andy
Got certified in it but never touched one since. Couldn't remember to save my life
Which building are you in then?
Both of you could walk to my house...
fiid, I think you're in the same building my wife works in...
Andy...
a 2621 is similar to a 2651 which i have. The "feature set" will depend on what IOS you have loaded on it. The 2621 will handle some decent ones, but is limited by the onboard flash memory capacity. We have an account w/ cisco, so i can get you whatever IOS version you want. Just bear in mind that you are limited by the capacity. You can certainly use a router for a firewall with a good acl, but it won't be as good. That's general speak though. "Should" be more than adequate for this site. And it will more than handle the bandwidth for this site. Not sure what else you have on your rack, but you might be able to put this out in front of a lot more than just the club server.
So I take it you don't need the Nokia??
I forgot to add...
Take out those T1 wic cards and sell them on ebay. And buy some block off plates to cover the slots. hell, i might be able to dig up a couple to send you. Lots of places buy wic cards on the bay. We do in a pinch sometimes. And we're about ready to unload about 300 isdn wics on there soon.
Anywho, they are not needed by you. All you need are the two onboard ethernet, and the console port. If you don't have a console cable, you can get one pretty easily.
I know this was asked long ago, but why is the club still maintaining its own hardware. What a pain that must be...
The storage/cpu/bandwidth requirements for this site cannot be that great. Why don't you (via club funds/donations) just pay a couple hundred dollars a month on a great server that will never go down and is very secure?
No affiliation, but just for reference:
http://www.rackspace.com/
http://www.serverbeach.com/
The value that admins bring is content and community, not installing and maintaining hardware. That's my $0.02.
-Steve
why don't you just throw a PC in front running IPcop?
http://www.ipcop.org/
I can get you IOS for the 2600 if you want it, but I think there are better solutions.
Awesome THE FIREWALL IS WORKING MOSTLY..
M
Andy,
I am a CISSP, CCNP, CCDP, and MCSE. Live in San Fran.
Going out of town this weekend, but could work on it next week in the evening.
Not sure what your existing setup is, but for IOS on a 2600 with the FW feature set you need at least 16MB flash and 32MB RAM in it (probably bare minimum). I'll admit that I didn't look those numbers up, but installing an IOS image with FW Feature set does require some more "meat".
To be honest, I have only run a Cisco router as a FW once as companies I have worked for buy PIX's (all flavors), ISS M Series or Checkpoint boxes. A used PIX 506E would be around $800 and a used PIX 501 a little less. However, the PIX doesn't support WAN interfaces so you would need a separate router for that (assuming you have some router right now or I wouldn't be typing.)
PM me and I'll try to get back to you tomorrow before my flight.
OK...so 32MB RAM and 8MB of Flash. I have a "dead" router at work that you could have the RAM (additional 32MB). Unfortunately, the flash is bad in the dead router I have.
The image on that router you have is an "IP Load" (the "i" in the image name) versus an "Enterprise Load" ("js" in the name) and doesn't have the FW image on it from what I can tell. Enterprise load handles IP/DLSW/IPX.
Easy way to test is:
From router> prompt type "en"
Next at the router# type "config t"
Next at the "router#(config)" prompt type "int faste0/0"
At the "router#(config-if)" prompt type "?"
Send me the output from the "?" command. Looking to see if it has a command named "inside" or "outside". If not, no FW Image.
So...you need a larger flash memory I believe and an IOS image with the FW Feature set (which I am sure someone can acquire). Flash really should be 32MB for a modern image and 64MB of RAM.
Bottom line is now you are in to spending money for a non-stateful firewall setup.
Options:
One would be to set the router up anyways as-is and implement ACL's and some NULL interface routing for unused address space (if any).
Two would be sell the RAM, T1 WIC's, and router separate or as a whole and buy a used PIX506/501. A PIX 501 has:
The PIX 501 includes an integrated 4-port Fast Ethernet (10/100) switch and a Fast Ethernet (10/100) interface. Ideal for securing high-speed broadband environments, the Cisco PIX 501 delivers up to 60 Mbps of firewall throughput, 3 Mbps of Triple Data Encryption Standard (3DES) VPN throughput, and 4.5 Mbps of Advanced Encryption Standard-128 (AES) VPN throughput.
I googled for a PIX 501 used and came up with a cost of $475. I'll get you any updated 501 images for the OS.
Too bad this didn't come up 3 months ago when I still worked at Cisco! I might still be able to buy stuff discounted thru my buddies who are still employees. Hell, we had a bunch of the GSR12000 series kicking around which are still more horsepower than most service providers can keep busy.
Let me know and I can call in a few favors.. never used my employee discount and most of my ex-coworkers haven't either.
Brian
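Since the question of "what feature set and how much memory does this box have" keeps coming up, here is an added example (mine, not from anyone in the thread) that reads the lines of `show version` that matter and checks them against the minimums Brian gives above (firewall feature set in the image, 16MB flash, 32MB RAM). The `show version` text is a constructed sample modelled on a 2621, not a capture from Andy's router; the thread only names "i" (IP) and "js" (Enterprise) as image codes, and the other codes in the table (k8, k9, o, o3) are the conventional IOS feature letters, included here as an assumption.

```python
import re

# Constructed sample of what "show version" prints on a 2621, trimmed to the
# lines the parser needs. It is not a capture from the router in the thread.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(11)T, RELEASE SOFTWARE (fc1)
System image file is "flash:c2600-i-mz.122-11.T.bin"
cisco 2621 (MPC860) processor (revision 0x101) with 26624K/6144K bytes of memory.
8192K bytes of processor board System flash (Read/Write)
"""

# Feature-code letters found between the platform and the "-mz" in an image
# name. The thread states only "i" and "js"; the rest are the conventional IOS
# codes and are listed here as an assumption for illustration.
FEATURE_CODES = {
    "i": "IP",
    "j": "Enterprise",
    "s": "Plus",
    "k8": "IPSec 56 (DES) crypto",
    "k9": "IPSec 3DES/AES crypto",
    "o": "Firewall",
    "o3": "Firewall/IDS",
}


def split_codes(code):
    """'ik9o3s' -> ['i', 'k9', 'o3', 's'] (a letter plus optional digits)."""
    return re.findall(r"[a-z]\d*", code)


def decode_features(code):
    """Name each feature code; unknown codes are reported rather than dropped."""
    return [FEATURE_CODES.get(t, "unknown(%s)" % t) for t in split_codes(code)]


def has_firewall_feature(code):
    """True if the image carries the firewall ('o') or firewall/IDS ('o3') code."""
    return any(t in ("o", "o3") for t in split_codes(code))


def parse_show_version(text):
    """Pull image name, feature codes, RAM and flash out of 'show version' output."""
    image = re.search(r'System image file is "([^"]+)"', text)
    mem = re.search(r"with (\d+)K/(\d+)K bytes of memory", text)
    flash = re.search(r"(\d+)K bytes of processor board System flash", text)
    if not (image and mem and flash):
        raise ValueError("unrecognised show version output")
    name = image.group(1).split(":")[-1]          # drop the "flash:" prefix
    feat = re.match(r"c\d+-([a-z0-9]+)-m", name)  # c2600-<codes>-mz...
    if not feat:
        raise ValueError("cannot read feature codes from %s" % name)
    return {
        "image": name,
        "feature_codes": feat.group(1),
        "features": decode_features(feat.group(1)),
        # The 2600 reports processor memory and I/O memory separately;
        # installed DRAM is the sum of the two.
        "ram_mb": (int(mem.group(1)) + int(mem.group(2))) // 1024,
        "flash_mb": int(flash.group(1)) // 1024,
    }


def readiness(info, min_flash_mb=16, min_ram_mb=32):
    """Findings against the minimums quoted in the thread for a FW image."""
    findings = []
    if not has_firewall_feature(info["feature_codes"]):
        findings.append("image %s has no firewall (o/o3) feature code" % info["image"])
    if info["flash_mb"] < min_flash_mb:
        findings.append("flash %dMB below %dMB minimum" % (info["flash_mb"], min_flash_mb))
    if info["ram_mb"] < min_ram_mb:
        findings.append("RAM %dMB below %dMB minimum" % (info["ram_mb"], min_ram_mb))
    return findings


if __name__ == "__main__":
    info = parse_show_version(SAMPLE_SHOW_VERSION)
    print(info["image"], "->", ", ".join(info["features"]),
          "| RAM %dMB, flash %dMB" % (info["ram_mb"], info["flash_mb"]))
    for finding in readiness(info):
        print("-", finding)
```

Paste the real `show version` output in place of the sample and the findings tell you whether the box needs a different image, more flash, or both before it is worth configuring as a firewall.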
We should definitely get something like the PIX 501 or similar easy to configure and maintain firewall appliance. I see that the PIX are selling on ebay for around $200. I've had good luck with Zywall at the office. Sonicwalls can also be had on ebay for cheap. I'm sure the members here would pitch in with the costs. Or maybe someone has a used Zywall, PIX, or Sonicwall sitting on a shelf going unused.
pull back that firewall and check for rust at the base of the VPN.
water gets into the ports and the corrosion starts pretty quick...
Not off topic. You can find some basement price CISCO system deals here:
It's a 365 days a year auction of used government property. Some is junk and other stuff is real treasure.
http://www.govliquidation.com/
Look under CPU.