Pix software upgrade

sandmanx

I've got a Pix 506 here at work. The software version on it now doesn't allow VPN passthrough, but from what I've read, the last (506 is discontinued) version does. I've never updated the OS on this before, since we haven't had a reason. What I'm wondering is how much would it cost to upgrade versions? I'm totally lost on the pricing structure of it, but it looks like it costs almost as much as buying a new Pix 506e, which isn't worth the cost.

I can live with the current version, but I'd like to be able to support VPN passthrough in case we need it. Here is the relevant info from a 'show version' command:

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)

Compiled on Fri 07-Jun-02 17:49 by morlee

Firewall up 21 days 3 hours

Hardware: PIX-506, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 8MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
 
I don't think it costs anything. If you have a CCO account, just login and download whatever version you want (assuming you meet the hardware requirements). Now, if you want 7.0, and thus, have to buy a new flash card and new RAM, that may be quite expensive. Last time I checked, the 16MB Flash cards were about $500 on eBay (no idea about new).

pix624.bin
PIX OS version 6.2(4) software. Requires a minimum of 8 MB Flash and 16 MB RAM.

pix702.bin
PIX OS version 7.0(2) software. Requires a minimum of 16 MB Flash and 64 MB RAM. IMPORTANT: Read the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0 and Release Note prior to downloading this release.
 
sandmanx said:
I've got a Pix 506 here at work. The software version on it now doesn't allow VPN passthrough, but from what I've read, the last (506 is discontinued) version does.

Where did you get this information? I've worked with PIX's for years, and have never heard of "VPN pass-through" on one of them. That is the type of stuff you find on $25 off the shelf home routers. We were opening holes in the PIX's to allow this traffic well before the home routers started adding this feature. All you have to do to enable your users to VPN outbound is open the right ports and/or protocols. First thing to do is, find what client are they using outbound (as almost every client has different port/protocol requirements).


Fint said:
I don't think it costs anything. If you have a CCO account, just login and download whatever version you want (assuming you meet the hardware requirements). Now, if you want 7.0, and thus, have to buy a new flash card and new RAM, that may be quite expensive. Last time I checked, the 16MB Flash cards were about $500 on eBay (no idea about new).

Fint, lots of good information, but way incorrect. First, it actually does cost something. Cisco support and software is not free, and the software is definitely not for public distribution. Two, he has the EOL (end of life) 506. Three, being that he has a 506e, you can't slap a new PCI/WIC general flash card into it. The 501 and 506 model is sold mostly "as is" from Cisco. Four, in addition, it wouldn't matter anyway because 7.x does not currently support the 501 or 506 series.


Personally, I'd load up 6.2(4) or 6.3(5), but that's just me.
 
RokleM said:
Where did you get this information? I've worked with PIX's for years, and have never heard of "VPN pass-through" on one of them. That is the type of stuff you find on $25 off the shelf home routers. We were opening holes in the PIX's to allow this traffic well before the home routers started adding this feature. All you have to do to enable your users to VPN outbound is open the right ports and/or protocols. First thing to do is, find what client are they using outbound (as almost every client has different port/protocol requirements).

Fint, lots of good information, but way incorrect. First, it actually does cost something. Cisco support and software is not free, and the software is definitely not for public distribution. Two, he has the EOL (end of life) 506. Three, being that he has a 506e, you can't slap a new PCI/WIC general flash card into it. The 501 and 506 model is sold mostly "as is" from Cisco. Four, in addition, it wouldn't matter anyway because 7.x does not currently support the 501 or 506 series.

Personally, I'd load up 6.2(4) or 6.3(5), but that's just me.

He is correct. All PIX's have implicit deny statements to everything. In order to allow traffic through you have to allow it. Many firewalls allow outgoing traffic by default however the PIX firewalls do not.
 
Wolf-R1 said:
He is correct. All PIX's have implicit deny statements to everything. In order to allow traffic through you have to allow it. Many firewalls allow outgoing traffic by default however the PIX firewalls do not.

I don't remember where I read up on that. I'll take a look at what ports I'm trying to use and open them up outbound then.

Thanks.
 
sandmanx said:
I don't remember where I read up on that. I'll take a look at what ports I'm trying to use and open them up outbound then.

Thanks.
Depends on what kind of VPN you're going to do really:

Windows VPNs use PPTP for their secure channels. This info goes for any PPTP VPN tho -
TCP 1723 - PPTP control channel, used for PPTP VPN tunnels.
IP 47 (GRE) - PPTP data channel, used for PPTP VPN tunnels.

IPSec VPNs -
UDP 500 - IPSec negotiation.
IP 51 (AH) - IPSec negotiation.
IP 50 (ESP) - IPSec data.


Not sure how SSL type of VPNs work. OpenVPN is an SSL VPN I believe.
TCP 443 - SSL
 
A good summarized post by Wolf-R1. That included a lot of the ports/protocols that various clients use. I would throw in UDP/TCP 10000 as well (if you're shooting for full open compatibility). Cisco and others can be configured to use that.

On SSL VPN's, I have yet to mess with them as well (still kind of new so I stay away for the time being). However, it is my understanding that you need just standard TCP/443 open. Again, not having done it, not 100%.
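Added example (not from any poster in this thread): the ports and protocols Wolf-R1 listed above, plus the TCP/UDP 10000 RokleM adds, written as a PIX 6.x access list applied to the inside interface so only this VPN traffic leaves from the inside network. The inside network 192.168.1.0/24 and the list name inside_out are assumptions; lines starting with ! are explanatory comments to strip before pasting.

```cisco
! Assumed inside network: 192.168.1.0/24 (PIX masks are subnet masks, not wildcards)
! PPTP: control channel TCP 1723 plus GRE (IP protocol 47) for the data channel
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq 1723
access-list inside_out permit gre 192.168.1.0 255.255.255.0 any
! IPsec: IKE negotiation on UDP 500 (isakmp), then AH (IP 51) and ESP (IP 50)
access-list inside_out permit udp 192.168.1.0 255.255.255.0 any eq isakmp
access-list inside_out permit ah 192.168.1.0 255.255.255.0 any
access-list inside_out permit esp 192.168.1.0 255.255.255.0 any
! SSL VPNs: TCP 443
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq https
! Cisco client IPsec over TCP/UDP 10000, as RokleM suggests
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq 10000
access-list inside_out permit udp 192.168.1.0 255.255.255.0 any eq 10000
! Everything not listed above is dropped by the implicit deny at the end of the list
access-group inside_out in interface inside
```

Because the list ends in an implicit deny, every other outbound protocol that network needs (web, DNS, mail) must get its own permit line before this is applied, or it stops working. GRE and ESP carry no port numbers, so they do not translate through PAT the way TCP and UDP do; the PPTP and ESP fixups that handle that case arrived in PIX 6.3, which is one more reason to prefer the 6.3(5) RokleM mentions.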
 