
914World.com _ 914World Garage _ got a "firewall" for the club, anyone know CISCO 2600?

Posted by: SirAndy Apr 19 2006, 04:01 PM

i got a CISCO 2600 Router/Firewall/VPN/etc. for *FREE* ...

anyone here know how to set up this thing? i'm sure i could figure it out myself, but if we have someone here who has worked with that box before, that would save me a whole bunch of headaches ...

beerchug.gif Andy

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/cis2600/index.htm

Posted by: r_towle Apr 19 2006, 04:03 PM

QUOTE(SirAndy @ Apr 19 2006, 06:01 PM) *

i got a CISCO 2600 Router/Firewall/VPN/etc. for *FREE* ...

anyone here know how to set up this thing? i'm sure i could figure it out myself, but if we have someone here who has worked with that box before, that would save me a whole bunch of headaches ...

beerchug.gif Andy

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/cis2600/index.htm



dude, I PM'd you the guy's name...

Rich

Posted by: Brad Roberts Apr 19 2006, 04:08 PM

Last time I checked.. the 2600 was a ROUTER not a firewall. You can build an access control list.. but I don't think that will help.

B << Cisco certified back in the day.. haven't logged into one for over 3 years at this point.

Andy,

I was sent a PM with a software solution. Let me get it to you for review.

Come to think of it.... I used 2600's for years. They worked good for point to point T1's and for businesses with 2-3 thousand users hitting IIS websites. We always combined it with a Cisco PIX firewall.


B

Posted by: SirAndy Apr 19 2006, 04:12 PM

i know it's a router, but the docs say it has VPN and Firewall built in ...

is that not true?
confused24.gif Andy

Posted by: rdauenhauer Apr 19 2006, 04:14 PM

QUOTE(Brad Roberts @ Apr 19 2006, 03:08 PM) *

Last time I checked.. the 2600 was a ROUTER not a firewall. You can build an access control list.. but I don't think that will help.

B << Cisco certified back in the day.. haven't logged into one for over 3 years at this point.

Andy,

I was sent a PM with a software solution. Let me get it to you for review.

Come to think of it.... I used 2600's for years. They worked good for point to point T1's and for businesses with 2-3 thousand users hitting IIS websites. We always combined it with a Cisco PIX firewall.


B


Brad you beat me to the punch. I've got a gross of the things I need to off due to upgrades necessary for VOIP telephony. chair.gif

Posted by: lapuwali Apr 19 2006, 04:15 PM

Any router is just a computer with dedicated hardware to help with networking. A firewall is just software. New software + old router = firewall/vpn/router. The 2600 series is pretty venerable, but I doubt our bandwidth usage is enough to justify anything more.

No, I have no idea how to set up the firewall stuff...

Posted by: SirAndy Apr 19 2006, 04:17 PM

QUOTE(lapuwali @ Apr 19 2006, 03:15 PM) *

The 2600 series is pretty venerable

i guess that's why it was free ...

cool_shades.gif Andy

Posted by: Brad Roberts Apr 19 2006, 04:23 PM

They work VERY well!! Thanks to whomever "gave it to us"

Andy,

Cisco sells "Feature packs" that unlock different configs in the router. They ship it locked down with only what you pay for..then send you different "keys" to unlock the different features without selling you a whole new solution.

Hang on..I'll call


B

Posted by: Brad Roberts Apr 19 2006, 04:34 PM

OK. I have two "high end" feature packs that I never pulled the plastic off of until now. I'm reading through them to see exactly what options they were purchased with.

Andy,

I can't find the PM that had an awesome suggestion for a software based firewall. It was an AZ guy out of the Flagstaff area.. I ALWAYS forget his name.. he has a son into the 914's also "Mike"


B

Posted by: NoEcm Apr 19 2006, 04:38 PM

These are all the feature sets available for the 2600 series routers:

ENTERPRISE BASIC
ENTERPRISE PLUS
ENTERPRISE PLUS IPSEC 3DES
ENTERPRISE PLUS IPSEC 56
ENTERPRISE PLUS/H323 MCM
ENTERPRISE/FW/IDS PLUS IPSEC 3DES
ENTERPRISE/FW/IDS PLUS IPSEC 56
ENTERPRISE/SNASW PLUS
ENTERPRISE/SNASW PLUS IPSEC 3DES
ENTERPRISE/SNASW PLUS IPSEC 56
IP
IP PLUS
IP PLUS BASIC W/O HD ANALOG/AIM ATM/VOICE
IP PLUS BASIC W/O SWITCHING
IP PLUS IPSEC 3DES
IP PLUS IPSEC 56
IP/FW/IDS
IP/FW/IDS PLUS IPSEC 3DES
IP/FW/IDS PLUS IPSEC 3DES BASIC
IP/FW/IDS PLUS IPSEC 56
IP/H323
IP/H323 PLUS BASIC
IP/IPX/APPLETALK
IP/IPX/AT/DEC
IP/IPX/AT/DEC PLUS
IP/IPX/AT/DEC/FW/IDS PLUS
IP/IPX/AT/FW/IDS PLUS BASIC
REMOTE ACCESS SERVER
TELCO FEATURE SET


The minimum feature set that you'll be looking for is IP/FW/IDS

Posted by: SirAndy Apr 19 2006, 04:43 PM

alright, it's got 2 x "T1 DSU/CSU" ports, 2 x "10/100 Ethernet Ports", 1 x "Console Port", 1 x "AUX Port" ...

version number is "2621" ...

any easy way to find out what features it has loaded ???

wink.gif Andy

Posted by: fiid Apr 19 2006, 04:44 PM


Aight: This is a braindump.

Using a 2600 as a firewall might do it. There are some features like reflexive acls and layer 7 filtering stuff that can provide a lot of protection.

It might also be advisable to download a vulnerability scanning tool like nessus and make sure it doesn't dig anything up. (it will - you need to patch and fix until it doesn't)

I have a much better idea how to lock down a linux machine than windows - personally I'd probably put a linux proxying filter in front of a windows machine rather than exposing windows directly to the net. I'd also add a hardware device probably.

On my home network I use a Fortinet device which not only does firewalling but also incorporates intrusion detection and prevention, and vpn. We have some corporate contacts at fortinet, so I'm asking around to see if I can scavenge up a box for the site. I'll let you know if I come up with anything.

Main thing is to make sure all unnecessary services are not accessible to the net.
I just scanned the server and there is way too much open...

I'm not going to talk anymore here because I'm just giving information away to the bad guys as well as the admins.

Posted by: fiid Apr 19 2006, 04:48 PM

Hook the 2600 up to a serial port (via the console line) and use hyperterminal to talk to it (9600/8/n/1)

then do show version.

you could hook it up to the network and telnet into it and get the same results.


You can bring it over here if you like (maybe wait til 5) and we could look at it.

Posted by: Brad Roberts Apr 19 2006, 04:49 PM

QUOTE
alright, it's got 2 x "T1 DSU/CSU" ports, 2 x "10/100 Ethernet Ports", 1 x "Console Port", 1 x "AUX Port" ...

version number is "2621" ...

any easy way to find out what features it has loaded ???



Do the ports have the "cards" in them, or does it have blank covers over the 4 available "slots"?

I know the console port and the Aux port *should* be RS232


B

Posted by: SirAndy Apr 19 2006, 04:49 PM

QUOTE(fiid @ Apr 19 2006, 03:48 PM) *

You can bring it over here if you like (maybe wait til 5) and we could look at it.


that sounds like a plan. 5ish would work. PM me your address and cell# ...

i'll buy the pizza!
chowtime.gif Andy

Posted by: Brad Roberts Apr 19 2006, 04:50 PM

Run it over to Fiid biggrin.gif

He probably has the correct cable you need also.


B

Posted by: SirAndy Apr 19 2006, 04:50 PM

QUOTE(Brad Roberts @ Apr 19 2006, 03:49 PM) *

Do the ports have the "cards" in them, or does it have blank covers over the 4 available "slots"?

I know the console port and the Aux port *should* be RS232


two blank, two filled with said cards ...
smile.gif Andy

Posted by: Brad Roberts Apr 19 2006, 04:53 PM

I can't tell from your post what it has in it.

Typically they would have one T-1 card and one Ethernet card. The cards are probably cheap right now, but they were not at one point in time.

Just curious.


B

Posted by: SirAndy Apr 19 2006, 04:56 PM

it's got TWO ethernet ports and TWO T1 ports ...

wink.gif Andy

Posted by: r_towle Apr 19 2006, 04:59 PM

that will make it easier to isolate traffic. two ethernet ports...
Two t1 ports is for redundancy.

Posted by: SirAndy Apr 19 2006, 05:20 PM

damn fiid, i don't even have to drive, i can just walk over to your place! WTF.gif

biggrin.gif Andy

Posted by: turboman808 Apr 19 2006, 05:22 PM

Got certified in it but never touched one since. Couldn't remember to save my life mad.gif

Posted by: fiid Apr 19 2006, 05:42 PM

Which building are you in then?


Posted by: SirAndy Apr 19 2006, 05:49 PM

QUOTE(fiid @ Apr 19 2006, 04:42 PM) *

Which building are you in then?


if you guys didn't have the tinted windows i could see you staring at the monitor right now!

i'm right across 92 in the office buildings next to the mall, to the left. bye1.gif




Posted by: lapuwali Apr 19 2006, 06:16 PM

Both of you could walk to my house...

fiid, I think you're in the same building my wife works in...

Posted by: Verruckt Apr 19 2006, 06:30 PM

Andy...

a 2621 is similar to a 2651 which i have. The "feature set" will depend on what IOS you have loaded on it. The 2621 will handle some decent ones, but is limited by the onboard flash memory capacity. We have an account w/ cisco, so i can get you whatever IOS version you want. Just bear in mind that you are limited by the capacity. You can certainly use a router for a firewall with a good acl, but it won't be as good. That's general speak though. "Should" be more than adequate for this site. And it will more than handle the bandwidth for this site. Not sure what else you have on your rack, but you might be able to put this out in front of a lot more than just the club server.

So I take it you don't need the Nokia??

Posted by: Verruckt Apr 19 2006, 06:34 PM

I forgot to add...

Take out those T1 wic cards and sell them on ebay. And buy some block off plates to cover the slots. hell, i might be able to dig up a couple to send you. Lots of places buy wic cards on the bay. We do in a pinch sometimes. And we're about ready to unload about 300 isdn wics on there soon. happy11.gif

Anywho, they are not needed by you. All you need are the two onboard ethernet, and the console port. If you don't have a console cable, you can get one pretty easily.

Posted by: siverson Apr 19 2006, 06:40 PM

I know this was asked long ago, but why is the club still maintaining its own hardware. What a pain that must be...

The storage/cpu/bandwidth requirements for this site can not be that great. Why don't you (via club funds/donations) just pay a couple hundred dollars a month on a great server that will never go down and is very secure?

No affiliation, but just for reference:

http://www.rackspace.com/

http://www.serverbeach.com/

The value that admins bring is content and community, not installing and maintaining hardware. That's my $0.02.

-Steve

Posted by: vortrex Apr 19 2006, 07:21 PM

why don't you just throw a PC in front running IPcop?

http://www.ipcop.org/

I can get you IOS for the 2600 if you want it, but I think there are better solutions.

Posted by: redshift Apr 19 2006, 08:34 PM

Awesome THE FIREWALL IS WORKING MOSTLY..


M

Posted by: Verruckt Apr 19 2006, 08:35 PM

QUOTE(vortrex @ Apr 19 2006, 08:21 PM) *

why don't you just throw a PC in front running IPcop?

http://www.ipcop.org/

I can get you IOS for the 2600 if you want it, but I think there are better solutions.


From memory, Andy isn't a fan of the penguin screwy.gif

Maybe he's seen the light since then? confused24.gif

Posted by: ThinAir914 Apr 19 2006, 09:34 PM

QUOTE(Brad Roberts @ Apr 19 2006, 03:34 PM) *

OK. I have two "high end" feature packs that I never pulled the plastic off of until now. I'm reading through them to see exactly what options they were purchased with.

Andy,

I can't find the PM that had an awesome suggestion for a software based firewall. It was an AZ guy out of the Flagstaff area.. I ALWAYS forget his name.. he has a son into the 914's also "Mike"

B

Hey B!

It was me! The product is http://www.ipcop.org/
There is a good intro article on it at http://linuxgazette.net/125/howell.html

I replaced a GNAT box at work with this when I needed to set up a VPN and it has worked great. It's free so the price is right, but the big thing is that it gets rave reviews from lots of well respected sources.

For Andy's benefit - yes it's based on Linux, but in terms of operating it you'd hardly know it. Don't fear the Penguin!

Posted by: dgw Apr 19 2006, 10:45 PM

QUOTE(SirAndy @ Apr 19 2006, 04:49 PM) *

QUOTE(fiid @ Apr 19 2006, 04:42 PM) *

Which building are you in then?


if you guys didn't have the tinted windows i could see you staring at the monitor right now!

i'm right across 92 in the office buildings next to the mall, to the left. bye1.gif


Gee, I work on Metro Center Drive in the buildings with no name. I don't know squat about Cisco stuff though.

Posted by: SirAndy Apr 19 2006, 11:12 PM

QUOTE(Verruckt @ Apr 19 2006, 07:35 PM) *

From memory, Andy isn't a fan of the penguin


i never said that! they can be a life-saver if you're lost near the pole and you need someone to schnuggle up with ... cool_shades.gif



a few things, not aimed at anyone in particular ...

we don't "rent" from someone because right now, the hosting is *free* ...
i'm using phased out equipment from my company to run this site on and my company also picks up the bill for the bandwidth.
plus, i don't have to ask anybody if i want to run PHP or Perl or mySQL or MS-SQL or Oracle or a Quake Server or a GT-Legends dedicated server or set up a few little websites for friends ...
and no one bitches if i fuck up and crash the box and have to re-start it. or, god forbid, try to update some software.

try that on a "rented" space ... blink.gif



i'm not against linux, it's simply that for certain things, i prefer dedicated hardware.
and i don't need a firewall with all bells & whistles and protocol integrity filters and IP subnet mask based banning and whatever other load of BS comes with it ...
we made it for 3 years on a box on the open internet and we only got hacked because of a bug in the BBS software and PHP. no firewall would have protected us against that anyways.
i always kept the box pretty tight.

all i really need the firewall for is to block any non-essential ports. and it is my understanding that the cisco box can do just that.

unless *you* are willing to spend a shitload of time and money to get us hooked up with all the bling bling that is out there AND deliver it pre-configured, i'd really appreciate if you guys kept this constructive ...


btw. BIG thanks to fiid for spending a few hours with me today to go through the cisco box ...
smilie_pokal.gif Andy
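What "block any non-essential ports" means on a router ACL comes down to two rules: entries are tried top to bottom and the first match wins, and every IOS access list ends with an implicit deny. The following is an added illustration, not code from this thread or from Cisco; it parses a small constructed extended ACL (numbered, `any`/`host` addresses, destination `eq` port, `established`, `log` only) and runs constructed packets through it with those semantics. The server address 192.0.2.10 and the client address are documentation-range placeholders.

```python
"""Toy evaluator for a subset of Cisco IOS extended ACL syntax (added example;
the ACL lines and packets are constructed). It models first-match evaluation
and the implicit 'deny ip any any' at the end of every IOS access list."""
import ipaddress
from dataclasses import dataclass

# Constructed inbound ACL for a web server at 192.0.2.10: allow the two web
# ports, allow replies to the server's own outbound connections, deny the rest.
SAMPLE_ACL = """
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 permit tcp any any established
access-list 101 deny ip any any log
"""


@dataclass
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    ack: bool = False  # ACK (or RST) bit set; this is all 'established' tests


def _take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from the front of tokens and return it
    as an ip_network (wildcard masks are not supported in this toy)."""
    if tokens[0] == "any":
        del tokens[0]
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        net = ipaddress.ip_network(tokens[1] + "/32")
        del tokens[:2]
        return net
    raise ValueError("only 'any' and 'host A.B.C.D' are supported: %r" % tokens)


def parse_acl(text):
    """Parse lines of the form
    access-list N {permit|deny} {ip|tcp|udp} SRC DST [eq PORT] [established] [log]
    into entry dicts (destination port only; source-port operators not handled)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        rest = tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        entry = {"action": action, "proto": proto, "src": src, "dst": dst,
                 "dport": None, "established": False}
        while rest:
            tok = rest.pop(0)
            if tok == "eq":
                entry["dport"] = int(rest.pop(0))
            elif tok == "established":
                entry["established"] = True
            elif tok == "log":
                pass  # logging does not change the match decision
            else:
                raise ValueError("unsupported keyword %r in %r" % (tok, line))
        entries.append(entry)
    return entries


def evaluate(entries, pkt):
    """Return (action, index of the matching entry). Entries are tried in order
    and the first match wins; when nothing matches, IOS applies an implicit
    deny, reported here with index None."""
    for i, e in enumerate(entries):
        if e["proto"] != "ip" and e["proto"] != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in e["src"]:
            continue
        if ipaddress.ip_address(pkt.dst) not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != pkt.dport:
            continue
        # 'established' looks only at TCP flags; the router keeps no session state
        if e["established"] and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return e["action"], i
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for p in (Packet("tcp", "198.51.100.7", "192.0.2.10", 80),
              Packet("tcp", "198.51.100.7", "192.0.2.10", 3389),
              Packet("udp", "198.51.100.7", "192.0.2.10", 53),
              Packet("tcp", "198.51.100.7", "192.0.2.10", 3389, ack=True)):
        print(p, "->", evaluate(acl, p))
```

The last sample packet is the caveat worth knowing before relying on this setup: `established` matches any TCP segment with the ACK bit set whether or not a session exists, so a plain ACL is a packet filter rather than a stateful firewall. The explicit `deny ip any any log` at the end is also deliberate: the implicit deny drops silently, while the logged entry gives you a record of what is being blocked.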

Posted by: boxsterfan Apr 19 2006, 11:57 PM

Andy,

I am a CISSP, CCNP, CCDP, and MCSE. Live in San Fran.

Going out of town this weekend, but could work on it next week in the evening.

Not sure what your existing setup is, but for IOS on a 2600 with the FW feature set you need at least 16MB flash and 32MB RAM in it (probably bare minimum). I'll admit that I didn't look those numbers up, but installing an IOS image with FW Feature set does require some more "meat".

To be honest, I have only run a Cisco router as a FW once as companies I have worked for buy PIX's (all flavors), ISS M Series or Checkpoint boxes. A used PIX 506E would be around $800 and a used PIX 501 a little less. However, the PIX doesn't support WAN interfaces so you would need a separate router for that (assuming you have some router right now or I wouldn't be typing.) biggrin.gif

PM me and I'll try to get back to you tomorrow before my flight.




Posted by: SirAndy Apr 20 2006, 12:12 AM

QUOTE(boxsterfan @ Apr 19 2006, 10:57 PM) *

Not sure what your existing setup is, but for IOS on a 2600 with the FW feature set you need at least 16MB flash and 32MB RAM in it (probably bare minimum). I'll admit that I didn't look those numbers up, but installing an IOS image with FW Feature set does require some more "meat".

To be honest, I have only run a Cisco router as a FW once as companies I have worked for buy PIX's (all flavors), ISS M Series or Checkpoint boxes. A used PIX 506E would be around $800 and a used PIX 501 a little less. However, the PIX doesn't support WAN interfaces so you would need a separate router for that (assuming you have some router right now or I wouldn't be typing.) biggrin.gif

thanks for the info!

i'm afraid this box has not been up to date for a while. we looked up the specs according to the IOS version and it seems it's pretty bare bones in terms of features and memory ...

any help is appreciated! i just got home and got it hooked up to my PC and i'm digging around using hyperterminal.
damn, i hadn't used that in years ...

anyways, here's the version screen (nevermind the top that has scrolled off the virtual screen):

you gotta click on the damn picture to see the full size version !


[Attached image: the show version screen]

Posted by: boxsterfan Apr 20 2006, 12:38 AM

OK...so 32MB RAM and 8MB of Flash. I have a "dead" router at work that you could have the RAM (additional 32MB). Unfortunately, the flash is bad in the dead router I have.

The image on that router you have is an "IP Load" (the "i" in the image name) versus an "Enterprise Load" ("js" in the name) and doesn't have the FW image on it from what I can tell. Enterprise load handles IP/DLSW/IPX.

Easy way to test is:

From router> prompt type "en"
Next at the router# type "config t"
Next at the "router#(config)" prompt type "int faste0/0"
At the "router#(config-if)" prompt type "?"

Send me the output from the "?" command. Looking to see if it has a command named "inside" or "outside". If not, no FW Image.

So...you need a larger flash memory I believe and an IOS image with the FW Feature set (which I am sure someone can acquire). Flash really should be 32MB for a modern image and 64MB of RAM.

Bottom line is now you are in to spending money for a non-stateful firewall setup.

Options:

One would be to set the router up anyways as-is and implement ACL's and some NULL interface routing for unused address space (if any).

Two would be sell the RAM, T1 WIC's, and router separate or as a whole and buy a used PIX506/501. A PIX 501 has:

The PIX 501 includes an integrated 4-port Fast Ethernet (10/100) switch and a Fast Ethernet (10/100) interface. Ideal for securing high-speed broadband environments, the Cisco PIX 501 delivers up to 60 Mbps of firewall throughput, 3 Mbps of Triple Data Encryption Standard (3DES) VPN throughput, and 4.5 Mbps of Advanced Encryption Standard-128 (AES) VPN throughput.

I googled for a PIX 501 used and came up with a cost of $475. I'll get you any updated 501 images for the OS.
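The feature-set question above can be answered from the `show version` output before anyone types into config mode, because the image name encodes it. The script below is an added example, not code from the thread or from Cisco. The post only mentions the `i` (IP) and `js` (Enterprise Plus) codes; the other entries in `FEATURE_CODES` (`o3` for the IOS Firewall/IDS feature, `k8`/`k9` for the crypto level) are taken from Cisco's classic image naming convention as a known fact outside this page. The `show version` capture is constructed to look like a bare IP-load 2621 with 32MB RAM and 8MB flash; it is not the real output from SirAndy's router.

```python
"""Identify the feature set of a classic Cisco IOS image from its file name and
pull the memory figures out of a 'show version' capture. Added example; the
capture below is constructed, not the real router's output."""
import re

# Codes in the middle field of a classic IOS image name,
# e.g. c2600-ik9o3s-mz.123-26.bin -> "ik9o3s". Longer codes are matched first.
FEATURE_CODES = {
    "o3": "FW/IDS",      # IOS Firewall with intrusion detection
    "k9": "IPSEC 3DES",  # strong crypto
    "k8": "IPSEC 56",    # 56-bit DES crypto
    "i": "IP",
    "j": "ENTERPRISE",
    "s": "PLUS",
    "o": "FW",           # firewall without the IDS component
}

# Constructed sample in the shape of a 2600-series 'show version'.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(15)T5,  RELEASE SOFTWARE (fc1)
System image file is "flash:c2600-i-mz.122-15.T5.bin"
cisco 2621 (MPC860) processor (revision 0x200) with 29696K/3072K bytes of memory.
8192K bytes of processor board System flash (Read/Write)
"""


def parse_features(image_name):
    """Return the feature labels encoded in an image name, in order."""
    name = image_name.rsplit(":", 1)[-1]  # drop a 'flash:' prefix if present
    m = re.match(r"c\d+-([a-z0-9]+)-m", name)
    if not m:
        raise ValueError("not a classic IOS image name: %r" % image_name)
    feat, pos, labels = m.group(1), 0, []
    codes = sorted(FEATURE_CODES, key=len, reverse=True)
    while pos < len(feat):
        for code in codes:
            if feat.startswith(code, pos):
                labels.append(FEATURE_CODES[code])
                pos += len(code)
                break
        else:
            labels.append("UNKNOWN:" + feat[pos])  # unfamiliar code: record it, keep going
            pos += 1
    return labels


def has_firewall(image_name):
    """True when the image carries the IOS Firewall feature (o or o3)."""
    return any(label.startswith("FW") for label in parse_features(image_name))


def parse_show_version(text):
    """Extract image name, total DRAM (MB) and flash (MB) from a capture.
    DRAM on these routers is reported as two numbers (main/shared) that add up."""
    info = {"image": None, "ram_mb": None, "flash_mb": None}
    m = re.search(r'System image file is "([^"]+)"', text)
    if m:
        info["image"] = m.group(1)
    m = re.search(r"with (\d+)K/(\d+)K bytes of memory", text)
    if m:
        info["ram_mb"] = (int(m.group(1)) + int(m.group(2))) // 1024
    m = re.search(r"(\d+)K bytes of processor board System flash", text)
    if m:
        info["flash_mb"] = int(m.group(1)) // 1024
    return info


if __name__ == "__main__":
    info = parse_show_version(SAMPLE_SHOW_VERSION)
    print(info)
    print(parse_features(info["image"]), "firewall:", has_firewall(info["image"]))
```

Paste the real capture in place of `SAMPLE_SHOW_VERSION` (the line starting `System image file is` is the one that matters) and the script reports whether the loaded image has the firewall feature at all, which saves the `int faste0/0` / `?` walk described above; the memory figures tell you whether the 8MB flash will even hold a larger FW/IDS image before anyone goes looking for one.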








Posted by: ThinAir914 Apr 20 2006, 01:07 AM

QUOTE(SirAndy @ Apr 19 2006, 10:12 PM) *

...and i don't need a firewall with all bells & whistles and protocol integrety filters and IP subnet mask based banning and what ever other load of BS comes with it ...

My thoughts exactly when the firewall idea first came up. Although an application layer firewall such as ISA Server might have helped, a "basic" firewall would not have helped for this problem.

It's my understanding that hardware firewalls are always going to be faster than a software firewall, but if the CISCO box doesn't work out for some reason then IP Cop fits your description to a "T"

I'm like you, Andy. I don't care if it's Windows or Linux as long as it's a solution that works. IP Cop works.

Posted by: Brian Mifsud Apr 20 2006, 08:42 AM

Too bad this didn't come up 3 months ago when I still worked at Cisco! I might still be able to buy stuff discounted thru my buddies who are still employees. Hell, we had a bunch of the GSR12000 series kicking around which are still more horsepower than most service providers can keep busy.

Let me know and I can call in a few favors.. never used my employee discount and most of my ex-coworkers haven't either.

Brian

Posted by: anthony Apr 21 2006, 09:52 AM

We should definitely get something like the PIX 501 or similar easy to configure and maintain firewall appliance. I see that the PIX are selling on ebay for around $200. I've had good luck with Zywall at the office. Sonicwalls can also be had on ebay for cheap. I'm sure the members here would pitch in with the costs. Or maybe someone has a used Zywall, PIX, or Sonicwall sitting on a shelf going unused.

Posted by: brer Apr 21 2006, 09:55 AM

pull back that firewall and check for rust at the base of the VPN.
water gets into the ports and the corrosion starts pretty quick...

Posted by: ThinAir914 Apr 21 2006, 10:26 PM

QUOTE(brer @ Apr 21 2006, 08:55 AM) *

pull back that firewall and check for rust at the base of the VPN.
water gets into the ports and the corrosion starts pretty quick...

av-943.gif

Posted by: cooltimes Apr 22 2006, 12:31 AM

Not off topic. You can find some basement price CISCO system deals here:
It's a 365 days a year auction of used government property. Some is junk and other stuff is real treasure.

http://www.govliquidation.com/

Look under CPU.
