got a "firewall" for the club, anyone know CISCO 2600? Options

[SirAndy]

damm fiid, i don't even have to drive, i can just walk over to your place! (IMG:style_emoticons/default/WTF.gif)

(IMG:style_emoticons/default/biggrin.gif) Andy

[turboman808]

Got certified in it but never touched one since. Couldn't remember to save my life (IMG:style_emoticons/default/mad.gif)

[fiid]

Which building are you in then?

[SirAndy]

Which building are you in then?

if you guys didn't have the tinted windows i could see you staring at the monitor right now!

i'm right across 92 in the office buildings next to the mall, to the left. (IMG:style_emoticons/default/bye1.gif)

[lapuwali]

Both of you could walk to my house...

fiid, I think you're in the same building my wife works in...

[Verruckt]

Andy...

a 2621 is similar to a 2651 which i have. The "feature set" will depend on what IOS you have loaded on it. The 2621 will handle some decent ones, but is limited by the onboard flash memory capacity. We have an account w/ cisco, so i can get you whatever IOS version you want. Just bear in mind that you are limited by the capacity. You can certainly use a router for a firewall with a good acl, but it wont be as good. Thats general speak though. "Should" be more than adequate for this site. And it will more than handle the bandwidth for this site. Not sure what else you have on your rack, but you might be able to put this out in front of alot more than just the club server.

So I take it you don't need the Nokia??

[Verruckt]

I forgot to add...

Take out those T1 wic cards and sell them on ebay. And buy some block off plates to cover the slots. hell, i might be able to dig up a couple to send you. Lot's of places buy wic cards on the bay. We do in a pinch sometimes. And we're about ready to unload about 300 isdn wics on there soon. (IMG:style_emoticons/default/happy11.gif)

Anywho, they are not needed by you. All you need are the two onboard ehternet, and the console port. If you don't have a console cable, you can get one pretty easily.

[siverson]

I know this was asked long ago, but why is the club still maintaining it's own hardware. What a pain that must be...

The storage/cpu/bandwidth requirements for this site can not be that great. Why don't you (via club funds/donations) just pay a couple hundred dollars a month on a great server that will never go down and is very secure?

No affiliation, but just for reference:

http://www.rackspace.com/

http://www.serverbeach.com/

The value that admins bring is content and community, not installing and maintaining hardware. That's my $0.02.

-Steve

[vortrex]

why don't you just throw a PC in front running IPcop?

http://www.ipcop.org/

I can get you IOS for the 2600 if you want it, but I think there are better solutions.

[redshift]

Awesome THE FIREWALL IS WORKING MOSTLY..


M

[Verruckt]

why don't you just throw a PC in front running IPcop?

http://www.ipcop.org/

I can get you IOS for the 2600 if you want it, but I think there are better solutions.

From memory, Andy isn't a fan of the penguin (IMG:style_emoticons/default/screwy.gif)

Maybe he's seen the light since then? (IMG:style_emoticons/default/confused24.gif)

[ThinAir]

OK. I have two "high end" feature packs that I never pulled the plastic off of until now. I'm reading through them to see exactly what options they were purchased with.

Andy,

I cant find the PM that had a awesome suggestion for a software based firewall. It was a AZ guy out of the Flagstaff area.. I ALWAYS forget his name.. he has a son into the 914's also "Mike"

B

Hey B!

It was me! The product is IP Cop
There is a good intro article on it at Linux Gazette

I replaced a GNAT box at work with this when I needed to set up a VPN and it has worked great. It's free so the price is right, but the big thing is that it gets rave reviews from lots of well respected sources.

For Andy's benefit - yes it's based on Linux, but in terms of operating it you'd hardly know it. Don't fear the Penguin!

[dgw]

Which building are you in then?

if you guys didn't have the tinted windows i could see you staring at the monitor right now!

i'm right across 92 in the office buildings next to the mall, to the left. (IMG:style_emoticons/default/bye1.gif)

Gee, I work on Metro Center Drive in the buildings with no name. I don't know squat about Cisco stuff though.

[SirAndy]

From memory, Andy isn't a fan of the penguin

i never said that! they can be a life-saver if you're lost near the pole and you need someone to schnuggle up with ... (IMG:style_emoticons/default/cool_shades.gif)



a few things, not aimed at anyone in particular ...

we don't "rent" from someone because right now, the hosting is *free* ...
i'm using phased out equipment from my company to run this site on and my company also picks up the bill for the bandwidth.
plus, i don't have to ask anybody if i want to run PHP or Perl or mySQL or MS-SQL or Oracle or a Quake Server or a GT-Ledgends dedicated server or set up a few little websites for friends ...
and no one bitches if i fuck up and crash the box and have to re-start it. or, god forbid, try to update some software.

try that on a "rented" space ... (IMG:style_emoticons/default/blink.gif)



i'm not against linux, it's simply that for certain things, i prefer dedicated hardware.
and i don't need a firewall with all bells & whistles and protocol integrety filters and IP subnet mask based banning and what ever other load of BS comes with it ...
we made it for 3 years on a box on the open internet and we only got hacked because of a bug in the BBS software and PHP. no firewall would have protected us against that anyways.
i always kept the box pretty tight.

all i really need the firewall for is to block any non-essential ports. and it is my understanding that the cisco box can do just that.

unless *you* are willing to spent a shitload of time and money to get us hooked up with all the bling bling that is out there AND deliver it pre-configured, i'd really apprechiate if you guys kept this constructive ...


btw. BIG thanks to fiid to spend a few hours with me today to go through the cisco box ...
(IMG:style_emoticons/default/smilie_pokal.gif) Andy

[boxsterfan]

Andy,

I am a CISSP, CCNP, CCDP, and MCSE. Live in San Fran.

Going out of town this weekend, but could work on it next week in the evening.

Not sure what your existing setup is, but for IOS on a 2600 with the FW feature set you need at least 16MB flash and 32MB RAM in it (probably bare minimum). I'll admit that I didn't look those numbers up, but installing an IOS image with FW Feature set does require some more "meat".

To be honest, I have only run a Cisco router as a FW once as companies I have worked for buy PIX's (all flavors), ISS M Series or Checkpoint boxes. A used PIX 506E would be around $800 and a used PIX 501 a little less. However, the PIX doesn't support WAN interfaces so you would need a separate router for that (assuming you have some router right now or I wouldn't be typing.) (IMG:style_emoticons/default/biggrin.gif)

PM me and I'll try to get back to you tomorrow before my flight.

[SirAndy]

Not sure what your existing setup is, but for IOS on a 2600 with the FW feature set you need at least 16MB flash and 32MB RAM in it (probably bare minimum). I'll admit that I didn't look those numbers up, but installing an IOS image with FW Feature set does require some more "meat".

To be honest, I have only run a Cisco router as a FW once as companies I have worked for buy PIX's (all flavors), ISS M Series or Checkpoint boxes. A used PIX 506E would be around $800 and a used PIX 501 a little less. However, the PIX doesn't support WAN interfaces so you would need a separate router for that (assuming you have some router right now or I wouldn't be typing.) (IMG:style_emoticons/default/biggrin.gif)

thanks for the info!

i'm afraid this box has not been up to date for a while. we looked up the specs according to the IOS version and it seems it's pretty bare bones in terms of features and memory ...

any help is apprechiated! i just got home and got it hooked up to my PC and i'm digging around using hyperterminal.
damm, i hadn't used that in years ...

anyways, here's the version screen (nevermind the top that has srcolled off the virtual screen):

you gotta click on the damm picture to see the full size version !

[boxsterfan]

OK...so 32MB RAM and 8MB of Flash. I have a "dead" router at work that you could have the RAM (additional 32MB). Unfortunately, the flash is bad in the dead router I have.

The image on that router you have is an "IP Load" (the "i" in the image name) verse an "Enterpise Load" ("js" in the name) and doesn't have the FW image on it from what I can tell. Enterprise load handles IP/DLSW/IPX.

Easy way to test is:

From router> prompt type "en"
Next at the router# type "config t"
Next at the "router#(config) prompt type "int faste0/0"
At the "router#(config-if) prompt type "?"

Send me the output from the "?" command. Looking to see if it has a command named "inside" or "outside". If not, no FW Image.

So...you need a larger flash memory I believe and an IOS image with the FW Feature set (which I am sure someone can acquire). Flash really should be 32MB for a modern image and 64MB of RAM.

Bottom line is now you are in to spending money for a non-stateful firewall setup.

Options:

One would be to set the router up anyways as-is and implement ACL's and some NULL interface routing for unused address space (if any).

Two would be sell the RAM, T1 WIC's, and router separate or as a whole and buy a used PIX506/501. A PIX 501 has:

The PIX 501 includes an integrated 4-port Fast Ethernet (10/100) switch and a Fast Ethernet (10/100) interface. Ideal for securing high-speed broadband environments, the Cisco PIX 501 delivers up to 60 Mbps of firewall throughput, 3 Mbps of Triple Data Encryption Standard (3DES) VPN throughput, and 4.5 Mbps of Advanced Encryption Standard-128 (AES) VPN throughput.

I googled for a PIX 501 used and came up with a cost of $475. I'll get you any updated 501 images for the OS.

[ThinAir]

...and i don't need a firewall with all bells & whistles and protocol integrety filters and IP subnet mask based banning and what ever other load of BS comes with it ...

My thoughts exactly when the firewall idea first came up. Although an application layer firewall such as ISA Server might have helped, a "basic" firewall would not have helped for this problem.

It's my understanding that hardware firewalls are always going to be faster than a software firewall, but if the CISCO box doesn't work out for some reason then IP Cop fits your description to a "T"

I'm like you, Andy. I don't care if it's Windows or Linux as long as it's a soluton that works. IP Cop works.

[Brian Mifsud]

Too bad this didn't come up 3 months ago when I still worked at Cisco! I might still be able to buy stuff discounted thru my buddies who are still employees. Hell, we had a bunch of the GSR12000 series kicking around which are still more horsepower than most service providers can keep busy.

Let me know and I can call in a few favors.. never used my employee discount and most of my ex-coworkers haven't either.

Brian

[anthony]

We should definitely get something like the PIX 501 or similar easy to configure and maintain firewall appliance. I see that the PIX are selling on ebay for around $200. I've had good luck with Zywall at the office. Sonicwalls can also be had on ebay for cheap. I'm sure the members here would pitch in with the costs. Or maybe someone has a used Zywall, PIX, or Sonicwall sitting on a shelf going unused.