
> got a "firewall" for the club, anyone know CISCO 2600?
SirAndy
post Apr 19 2006, 04:01 PM
Post #1





i got a CISCO 2600 Router/Firewall/VPN/etc. for *FREE* ...

anyone here know how to set up this thing? i'm sure i could figure it out myself, but if we have someone here who has worked with that box before, that would save me a whole bunch of headaches ...

Andy

CISCO 2600 Documentation
r_towle
post Apr 19 2006, 04:03 PM
Post #2





QUOTE(SirAndy @ Apr 19 2006, 06:01 PM) *

i got a CISCO 2600 Router/Firewall/VPN/etc. for *FREE* ...

anyone here know how to set up this thing? i'm sure i could figure it out myself, but if we have someone here who has worked with that box before, that would save me a whole bunch of headaches ...

Andy

CISCO 2600 Documentation



dude, I PM'd you the guy's name...

Rich
Brad Roberts
post Apr 19 2006, 04:08 PM
Post #3





Last time I checked.. the 2600 was a ROUTER not a firewall. You can build an access control list.. but I don't think that will help.

B << Cisco certified back in the day.. haven't logged into one for over 3 years at this point.

Andy,

I was sent a PM with a software solution. Let me get it to you for review.

Come to think of it.... I used 2600's for years. They worked well for point to point T1's and for businesses with 2-3 thousand users hitting IIS websites. We always combined it with a Cisco PIX firewall.


B
SirAndy
post Apr 19 2006, 04:12 PM
Post #4





i know it's a router, but the docs say it has VPN and Firewall built in ...

is that not true?
Andy
914werke
post Apr 19 2006, 04:14 PM
Post #5


"I got blisters on me fingers"



QUOTE(Brad Roberts @ Apr 19 2006, 03:08 PM) *

Last time I checked.. the 2600 was a ROUTER not a firewall. You can build an access control list.. but I don't think that will help.

B << Cisco certified back in the day.. haven't logged into one for over 3 years at this point.

Andy,

I was sent a PM with a software solution. Let me get it to you for review.

Come to think of it.... I used 2600's for years. They worked well for point to point T1's and for businesses with 2-3 thousand users hitting IIS websites. We always combined it with a Cisco PIX firewall.


B


Brad you beat me to the punch. I've got a gross of the things I need to off due to upgrades necessary for VOIP telephony.
lapuwali
post Apr 19 2006, 04:15 PM
Post #6





Any router is just a computer with dedicated hardware to help with networking. A firewall is just software. New software + old router = firewall/vpn/router. The 2600 series is pretty venerable, but I doubt our bandwidth usage is enough to justify anything more.

No, I have no idea how to set up the firewall stuff...
SirAndy
post Apr 19 2006, 04:17 PM
Post #7





QUOTE(lapuwali @ Apr 19 2006, 03:15 PM) *

The 2600 series is pretty venerable

i guess that's why it was free ...

Andy
Brad Roberts
post Apr 19 2006, 04:23 PM
Post #8





They work VERY well!! Thanks to whomever "gave it to us"

Andy,

Cisco sells "Feature packs" that unlock different configs in the router. They ship it locked down with only what you pay for..then send you different "keys" to unlock the different features without selling you a whole new solution.

Hang on..I'll call


B
Brad Roberts
post Apr 19 2006, 04:34 PM
Post #9





OK. I have two "high end" feature packs that I never pulled the plastic off of until now. I'm reading through them to see exactly what options they were purchased with.

Andy,

I can't find the PM that had an awesome suggestion for a software-based firewall. It was an AZ guy out of the Flagstaff area.. I ALWAYS forget his name.. he has a son into the 914's also "Mike"


B
NoEcm
post Apr 19 2006, 04:38 PM
Post #10





These are all the feature sets available for the 2600 series routers:

ENTERPRISE BASIC
ENTERPRISE PLUS
ENTERPRISE PLUS IPSEC 3DES
ENTERPRISE PLUS IPSEC 56
ENTERPRISE PLUS/H323 MCM
ENTERPRISE/FW/IDS PLUS IPSEC 3DES
ENTERPRISE/FW/IDS PLUS IPSEC 56
ENTERPRISE/SNASW PLUS
ENTERPRISE/SNASW PLUS IPSEC 3DES
ENTERPRISE/SNASW PLUS IPSEC 56
IP
IP PLUS
IP PLUS BASIC W/O HD ANALOG/AIM ATM/VOICE
IP PLUS BASIC W/O SWITCHING
IP PLUS IPSEC 3DES
IP PLUS IPSEC 56
IP/FW/IDS
IP/FW/IDS PLUS IPSEC 3DES
IP/FW/IDS PLUS IPSEC 3DES BASIC
IP/FW/IDS PLUS IPSEC 56
IP/H323
IP/H323 PLUS BASIC
IP/IPX/APPLETALK
IP/IPX/AT/DEC
IP/IPX/AT/DEC PLUS
IP/IPX/AT/DEC/FW/IDS PLUS
IP/IPX/AT/FW/IDS PLUS BASIC
REMOTE ACCESS SERVER
TELCO FEATURE SET


The minimum feature set that you'll be looking for is IP/FW/IDS
SirAndy
post Apr 19 2006, 04:43 PM
Post #11





alright, it's got 2 x "T1 DSU/CSU" ports, 2 x "10/100 Ethernet Ports", 1 x "Console Port", 1 x "AUX Port" ...

version number is "2621" ...

any easy way to find out what features it has loaded ???

Andy
fiid
post Apr 19 2006, 04:44 PM
Post #12






Aight: This is a braindump.

Using a 2600 as a firewall might do it. There are some features like reflexive ACLs and layer 7 filtering stuff that can provide a lot of protection.

It might also be advisable to download a vulnerability scanning tool like Nessus and make sure it doesn't dig anything up. (it will - you need to patch and fix until it doesn't)

I have a much better idea how to lock down a Linux machine than Windows - personally I'd probably put a Linux proxying filter in front of a Windows machine rather than exposing Windows directly to the net. I'd also add a hardware device probably.

On my home network I use a Fortinet device which not only does firewalling but also incorporates intrusion detection and prevention, and VPN. We have some corporate contacts at Fortinet, so I'm asking around to see if I can scavenge up a box for the site. I'll let you know if I come up with anything.

Main thing is to make sure all unnecessary services are not accessible to the net.
I just scanned the server and there is way too much open...

I'm not going to talk anymore here because I'm just giving information away to the bad guys as well as the admins.
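The reflexive ACL approach mentioned in Post #12, written out as an added example (it is not from any poster in this thread and is not the club's actual configuration). It assumes a 2621 with FastEthernet0/0 facing the Internet and FastEthernet0/1 facing the server LAN; the addresses are documentation ranges and the list names are made up for illustration.

```cisco
! Constructed example: addresses, interface roles and list names are assumptions.
!
! Packets arriving from the Internet: only HTTP to the web server,
! plus replies to sessions that were opened from the inside
! (the temporary entries held in SERVER-SESSIONS).
ip access-list extended FROM-INTERNET
 permit tcp any host 192.0.2.10 eq www
 evaluate SERVER-SESSIONS
 deny ip any any log
!
! Packets leaving toward the Internet: the web server's replies,
! plus new sessions from the inside LAN. Each "reflect" entry
! creates a matching temporary permit for the return traffic.
ip access-list extended TO-INTERNET
 permit tcp host 192.0.2.10 eq www any
 permit tcp 192.0.2.0 0.0.0.255 any reflect SERVER-SESSIONS
 permit udp 192.0.2.0 0.0.0.255 any eq domain reflect SERVER-SESSIONS
 deny ip any any log
!
! Idle reflected entries expire after 120 seconds.
ip reflexive-list timeout 120
!
interface FastEthernet0/0
 description Outside (assumed: toward the Internet)
 ip address 198.51.100.2 255.255.255.252
 ip access-group FROM-INTERNET in
 ip access-group TO-INTERNET out
!
interface FastEthernet0/1
 description Inside (assumed: server LAN)
 ip address 192.0.2.1 255.255.255.0
```

Reflexive entries only track simple single-channel sessions; protocols that negotiate extra ports, such as active FTP, need the stateful inspection that comes with the FW feature sets listed in Post #10.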
fiid
post Apr 19 2006, 04:48 PM
Post #13





Hook the 2600 up to a serial port (via the console line) and use HyperTerminal to talk to it (9600/8/n/1)

then do show version.

you could hook it up to the network and telnet into it and get the same results.


You can bring it over here if you like (maybe wait til 5) and we could look at it.
Brad Roberts
post Apr 19 2006, 04:49 PM
Post #14





QUOTE
alright, it's got 2 x "T1 DSU/CSU" ports, 2 x "10/100 Ethernet Ports", 1 x "Console Port", 1 x "AUX Port" ...

version number is "2621" ...

any easy way to find out what features it has loaded ???



Do the ports have the "cards" in them, or does it have blank covers over the 4 available "slots"?

I know the console port and the Aux port *should* be RS232


B
SirAndy
post Apr 19 2006, 04:49 PM
Post #15





QUOTE(fiid @ Apr 19 2006, 03:48 PM) *

You can bring it over here if you like (maybe wait til 5) and we could look at it.


that sounds like a plan. 5ish would work. PM me your address and cell# ...

i'll buy the pizza!
Andy
Brad Roberts
post Apr 19 2006, 04:50 PM
Post #16





Run it over to Fiid

He probably has the correct cable you need also.


B
SirAndy
post Apr 19 2006, 04:50 PM
Post #17





QUOTE(Brad Roberts @ Apr 19 2006, 03:49 PM) *

Do the ports have the "cards" in them, or does it have blank covers over the 4 available "slots"?

I know the console port and the Aux port *should* be RS232


two blank, two filled with said cards ...
Andy
Brad Roberts
post Apr 19 2006, 04:53 PM
Post #18





I can't tell from your post what it has in it.

Typically they would have one T-1 card and one Ethernet card. The cards are probably cheap right now, but they were not at one point in time.

Just curious.


B
SirAndy
post Apr 19 2006, 04:56 PM
Post #19





it's got TWO ethernet ports and TWO T1 ports ...

Andy
r_towle
post Apr 19 2006, 04:59 PM
Post #20





that will make it easier to isolate traffic. two ethernet ports...
Two T1 ports is for redundancy.