«

Should I buy a Cisco Pix 501 and a 605 E, or two 501s? What are the
differences? Also, do I really need the SmartNet service?

I need to connect a remote branch to our main system using DSL. I've
been recommended a Cisco Pix 605 E for the main office, and a Cisco
Pix 501 for the branch.

The main office consists of a single Windows 2000 Server with Appox.
30 -35 local clients with 15 - 20 networked printers. I'm told the
networked printers count for an IP address. Some of the printers are
connected to a network device that handles 3 printers (I think with a
single IP address).

I could probably get away with a 501 for the branch with the standard
10 user licenses, as there are 4 pcs & 5 printers. I could always
upgrade to the 50 user license in the future if needed. How
complicated is it to upgrade to 50 users by the way and what's
involved? Is it something I can do myself as a pc specialist, or does
it require a networking expert like my MSCE?

What would the advantage be to having a 605 E instead of a 501 with 50
licenses at the main office? We probably won't be having people
connect from their homes, so it's probably just those 4 pcs. Does the
605 E offer a lot more security protection, and is it necessary? The
501 should offer much better protection than what we currently have,
but we're not having computer connect via the Internet currently.

Currently the branch connects to the server via very expensive 56k
dedicated line, so I don't think speed is too much of an issue. I
heard the 605 E has a 200mhz processor instead of a 133mhz or
something like that. The DSL connection should be much cheaper &
faster as a bonus.

My sales rep mentioned he has never sold a Pix without the Smartnet
service. He described the service as not only technical support, but
as a service that sends regular updates to the routers automatically,
sometimes several times a day, similar to virus definition updates.
Is this being explained correctly? Are you all subscribing to this
service for that reason? Is the Pix kind of worthless without this
service?

I have a MCSE that will help me hook up everything, so hopefully we
won't need the Smartnet for the technical support.

Thanks for any advice

P.S. I posted this message on a less active Cisco forum, and 2 people
both agreed the 501s should be fine, and that networked printers with
their own IP addresses don't count toward the licenses. Does everyone
on this forum agree?

In article <>,
Nate Goulet <> wrote:
:Should I buy a Cisco Pix 501 and a 605 E, or two 501s?

That's 506E, not 605E.

: What are the
:differences?

http://groups.google.ca/group/comp.s...16ca059fb7c2ef


:Also, do I really need the SmartNet service?

No.

The PIX 501 power connector is notably flaky, but instead of paying
fo a support contract, you could take the risk that it'll be fine
for you -- and if you bet wrong you could just buy another PIX.

PIX 7.0(*) is likely to be released sometime this year or very
early next for the 501 and 506E, and if you had a support contract
you would be entitled to a free version update, but you certainly
are not -required- to update your software, and you can always do
one-off purchases of new OS versions; the one-time cost is usually
no more than 3/4 of the price of a yearly support contract.

:I need to connect a remote branch to our main system using DSL.

No problem then. When your branch office connection goes down
and everyone is screaming at you to get it back up, you can
post about the problem on Usenet, and someone will usually answer
within two or three days. Hardly any questions here go unanswered for
more than 3 or 5 years, and the revised FAQ is expected to be out
by 2017 at latest.


:I've
:been recommended a Cisco Pix 605 E for the main office, and a Cisco
ix 501 for the branch.

:The main office consists of a single Windows 2000 Server with Appox.
:30 -35 local clients with 15 - 20 networked printers. I'm told the
:networked printers count for an IP address.

PIX 506E have no inherent limits on the number of internal IP addresses
they support.

PIX 501's are limited to 10, 50, or unlimited "users". A "user"
is a host with an active connection to the outside; static IP
translations do -not- count against the total from boot time until
there is first traffic to the address, but after that they count
permanently until the PIX is rebooted.

:How
:complicated is it to upgrade to 50 users by the way and what's
:involved?

Trivial. With current software, you log in, enter a single command,
and reboot to bring the new key into effect.

:Is it something I can do myself as a pc specialist, or does
:it require a networking expert like my MSCE?

If you can telnet or ssh, then you can easily put in a new key.
http://www.cisco.com/univercd/cc/td/....htm#wp1037845


oes the 605 E offer a lot more security protection

No, the 506E is nearly identical in command set to the 501. See the
model summary I linked to above.


:Currently the branch connects to the server via very expensive 56k
:dedicated line

:The DSL connection should be much cheaper &
:faster as a bonus.

DSL connections are almost always less reliable than a dedicated line.
If the connection is business critical, then you should go
with an ISP that offers an SLA (Service Level Agreement) with
an uptime guarantee sufficient for your needs; or you should put in
a backup link of some sort (through a completely different company
such as cable), or you should skip DSL and go for a a commercial-grade
technology.


:My sales rep mentioned he has never sold a Pix without the Smartnet
:service. He described the service as not only technical support, but
:as a service that sends regular updates to the routers automatically,
:sometimes several times a day, similar to virus definition updates.
:Is this being explained correctly?

No!!

The PIX has the ability to autoload new operating system updates,
but the PIX operating system is usually updated only a few times
per year.

There is absolutely nothing corresponding to virus definition updates
for the PIX.

There is also nothing in PIX 6.x (which the 501 and 506E run) that
would allow the PIX to reach out and pull in an updated configuration
[e.g., because you had changed the set of locations you wanted to
permit access to.] The closest to that is that you -can- have
"downloadable ACLs" that will be copied in from a RADIUS server.
It's not the same as what you describe.


:Are you all subscribing to this
:service for that reason? Is the Pix kind of worthless without this
:service?

We update the configuration on our PIXes every few days, but not
because of deficiencies in the PIX. We are in an environment that
is -required- to deny connections by default, and so we get requests
to open the rules up to allow a netmeeting or an electronic journal
that lives on an obscure port, etc..


:I have a MCSE that will help me hook up everything, so hopefully we
:won't need the Smartnet for the technical support.

: Thanks for any advice

If you are going to "set and forget" the PIXes, allowing a very
specific set of ports (e.g., outward http on port 80, and so what if
people start up a filesharing service), then you might be able to
do without the technical support. But if you anticipate that the
environment might be a bit more dynamic than that, then my -advice-
is that you get the support contract for at least the first year.
It literally takes -years- to learn all the ins and outs of a PIX.
If your security posture is "hands on" rather than "set and forget"
then chances are excellent that you'll find something you want answers
on until you get more accustomed to the PIX.

As you asked for advice, I would also advise you to figure out what
you are going to do if one of your PIX fries (e.g., brownout)
or dies, or starts rebooting itself endlessly. What is your plan
of action in such a case? If the plan is to buy a new one to replace
the old, then how quickly can your supplier deliver? Do they
keep stock in the city, or do they have to order them in? Will
they tell you how long the longest order backlog was within the last
year? Will your people still be able to work in the meantime?
How much will you lose for each hour or each day that the device
is out of action?


.S. I posted this message on a less active Cisco forum, and 2 people
:both agreed the 501s should be fine, and that networked printers with
:their own IP addresses don't count toward the licenses. Does everyone
n this forum agree?

As I indicated above, any host that communicates with the outside
potentially counts against the limit on a PIX 501. The PIX does not
distinguish between "computers" and "printers". "Communicates with the
outside" includes over the VPN. If your central site is monitoring the
printers (e.g., if you are running a print server there, or you have a
centralized networking monitoring host), or if people sometimes print
on remote printers [one of our people delivers documents to a remote
office by printing to the remote printer], or if you run a centralized
application (e.g., timesheet recording or accounting) that includes a
"print this page to a local printer" facility, then each addressible
network printer could potentially be active and counting against the
10-user license limit.

--
Studies show that the average reader ignores 106% of all statistics
they see in .signatures.

hehe

Thanks for the reply Walter.

I guess the first thing I need to do is run a scan on the network to
determine exactly how many network devices we have.

I'm told there are utilities like Super scan for doing this. Can
anytime tell me exactly how I can do this? I'm told to enter a
starting IP & ending IP, but i'm not sure what to enter.

We've already select a DSL company, and it's problem the only one
where the branch is, but i'll ask about a SLA (Service Level
Agreement).



On 13 May 2005 18:02:25 GMT, (Walter
Roberson) wrote:

>In article <>,
>Nate Goulet <> wrote:
>:Should I buy a Cisco Pix 501 and a 605 E, or two 501s?
>
>That's 506E, not 605E.
>
>: What are the
>:differences?
>
>http://groups.google.ca/group/comp.s...16ca059fb7c2ef
>
>
>:Also, do I really need the SmartNet service?
>
>No.
>
>The PIX 501 power connector is notably flaky, but instead of paying
>fo a support contract, you could take the risk that it'll be fine
>for you -- and if you bet wrong you could just buy another PIX.
>
>PIX 7.0(*) is likely to be released sometime this year or very
>early next for the 501 and 506E, and if you had a support contract
>you would be entitled to a free version update, but you certainly
>are not -required- to update your software, and you can always do
>one-off purchases of new OS versions; the one-time cost is usually
>no more than 3/4 of the price of a yearly support contract.
>
>:I need to connect a remote branch to our main system using DSL.
>
>No problem then. When your branch office connection goes down
>and everyone is screaming at you to get it back up, you can
>post about the problem on Usenet, and someone will usually answer
>within two or three days. Hardly any questions here go unanswered for
>more than 3 or 5 years, and the revised FAQ is expected to be out
>by 2017 at latest.
>
>
>:I've
>:been recommended a Cisco Pix 605 E for the main office, and a Cisco
>ix 501 for the branch.
>
>:The main office consists of a single Windows 2000 Server with Appox.
>:30 -35 local clients with 15 - 20 networked printers. I'm told the
>:networked printers count for an IP address.
>
>PIX 506E have no inherent limits on the number of internal IP addresses
>they support.
>
>PIX 501's are limited to 10, 50, or unlimited "users". A "user"
>is a host with an active connection to the outside; static IP
>translations do -not- count against the total from boot time until
>there is first traffic to the address, but after that they count
>permanently until the PIX is rebooted.
>
>:How
>:complicated is it to upgrade to 50 users by the way and what's
>:involved?
>
>Trivial. With current software, you log in, enter a single command,
>and reboot to bring the new key into effect.
>
>:Is it something I can do myself as a pc specialist, or does
>:it require a networking expert like my MSCE?
>
>If you can telnet or ssh, then you can easily put in a new key.
>http://www.cisco.com/univercd/cc/td/....htm#wp1037845
>
>
>oes the 605 E offer a lot more security protection
>
>No, the 506E is nearly identical in command set to the 501. See the
>model summary I linked to above.
>
>
>:Currently the branch connects to the server via very expensive 56k
>:dedicated line
>
>:The DSL connection should be much cheaper &
>:faster as a bonus.
>
>DSL connections are almost always less reliable than a dedicated line.
>If the connection is business critical, then you should go
>with an ISP that offers an SLA (Service Level Agreement) with
>an uptime guarantee sufficient for your needs; or you should put in
>a backup link of some sort (through a completely different company
>such as cable), or you should skip DSL and go for a a commercial-grade
>technology.
>
>
>:My sales rep mentioned he has never sold a Pix without the Smartnet
>:service. He described the service as not only technical support, but
>:as a service that sends regular updates to the routers automatically,
>:sometimes several times a day, similar to virus definition updates.
>:Is this being explained correctly?
>
>No!!
>
>The PIX has the ability to autoload new operating system updates,
>but the PIX operating system is usually updated only a few times
>per year.
>
>There is absolutely nothing corresponding to virus definition updates
>for the PIX.
>
>There is also nothing in PIX 6.x (which the 501 and 506E run) that
>would allow the PIX to reach out and pull in an updated configuration
>[e.g., because you had changed the set of locations you wanted to
>permit access to.] The closest to that is that you -can- have
>"downloadable ACLs" that will be copied in from a RADIUS server.
>It's not the same as what you describe.
>
>
>:Are you all subscribing to this
>:service for that reason? Is the Pix kind of worthless without this
>:service?
>
>We update the configuration on our PIXes every few days, but not
>because of deficiencies in the PIX. We are in an environment that
>is -required- to deny connections by default, and so we get requests
>to open the rules up to allow a netmeeting or an electronic journal
>that lives on an obscure port, etc..
>
>
>:I have a MCSE that will help me hook up everything, so hopefully we
>:won't need the Smartnet for the technical support.
>
>: Thanks for any advice
>
>If you are going to "set and forget" the PIXes, allowing a very
>specific set of ports (e.g., outward http on port 80, and so what if
>people start up a filesharing service), then you might be able to
>do without the technical support. But if you anticipate that the
>environment might be a bit more dynamic than that, then my -advice-
>is that you get the support contract for at least the first year.
>It literally takes -years- to learn all the ins and outs of a PIX.
>If your security posture is "hands on" rather than "set and forget"
>then chances are excellent that you'll find something you want answers
>on until you get more accustomed to the PIX.
>
>As you asked for advice, I would also advise you to figure out what
>you are going to do if one of your PIX fries (e.g., brownout)
>or dies, or starts rebooting itself endlessly. What is your plan
>of action in such a case? If the plan is to buy a new one to replace
>the old, then how quickly can your supplier deliver? Do they
>keep stock in the city, or do they have to order them in? Will
>they tell you how long the longest order backlog was within the last
>year? Will your people still be able to work in the meantime?
>How much will you lose for each hour or each day that the device
>is out of action?
>
>
>.S. I posted this message on a less active Cisco forum, and 2 people
>:both agreed the 501s should be fine, and that networked printers with
>:their own IP addresses don't count toward the licenses. Does everyone
>n this forum agree?
>
>As I indicated above, any host that communicates with the outside
>potentially counts against the limit on a PIX 501. The PIX does not
>distinguish between "computers" and "printers". "Communicates with the
>outside" includes over the VPN. If your central site is monitoring the
>printers (e.g., if you are running a print server there, or you have a
>centralized networking monitoring host), or if people sometimes print
>on remote printers [one of our people delivers documents to a remote
>office by printing to the remote printer], or if you run a centralized
>application (e.g., timesheet recording or accounting) that includes a
>"print this page to a local printer" facility, then each addressible
>network printer could potentially be active and counting against the
>10-user license limit.
>
>--
>Studies show that the average reader ignores 106% of all statistics
>they see in .signatures.

In article <>,
Nate Goulet <> wrote:
:I guess the first thing I need to do is run a scan on the network to
:determine exactly how many network devices we have.

:I'm told there are utilities like Super scan for doing this. Can
:anytime tell me exactly how I can do this?

I recommend the program Look@Lan, www.lookatlan.com .
Adding ranges to scan is pretty simple for it -- click on
'scan ranges', click on Add, type in the IP start and finish, click
on OK.

--
Any sufficiently old bug becomes a feature.

In article <d62q3h$kmn$>,
Walter Roberson <> wrote:
:As you asked for advice, I would also advise you to figure out what
:you are going to do if one of your PIX fries (e.g., brownout)
r dies, or starts rebooting itself endlessly. What is your plan
f action in such a case? If the plan is to buy a new one to replace
:the old, then how quickly can your supplier deliver?

Note: to solve this problem, some people buy "hot spares"
(or "cold spares"). If you use the same unit at each of the offices,
you need one cold spare per group of offices that is reachable within
(response time limit minus time it takes to wake someone up
and have them collect the spare and drive to the other office.)

Also, units from the 515 upwards support "failover" to another
inline unit, which can be important if you need the failover to
be automatic (or at least faster than you can get someone trained
out to the other location.) There are noticable increased costs
for PIX failover configurations: it is less expensive to buy
two "restricted" units but then you have to do the cutover manually.


Cisco offers three levels of hardware problem response time: overnight,
4 hour, or 2 hour. The overnight response time on the support
contract that gives you support access 8 hours a day, 5 days a week,
and it's technically "next business day" delivery, not "overnight".
The 4 hour and 2 hour response time contracts are both 24 hours per
day, 7 days a week, including weekends and holiday.

We are on the 4 hour contract for our main PIX, and I have literally
received calls back from Cisco at 01:30 and 03:00 (each within 20
minutes of having entered the case), and those were for questions that
could easily have waited. We haven't ever had reason to call upon the
fast-delivery, so I can't speak from experience as to whether it...
well, "delivers"... but the 24 hour a day response is the real thing.
--
I was very young in those days, but I was also rather dim.
-- Christopher Priest

In article <>,
Nate Goulet <> wrote:
:We've already select a DSL company, and it's problem the only one
:where the branch is, but i'll ask about a SLA (Service Level
:Agreement).

Watch out for the "planned maintenance" on the DSL SLA.

If the DSL company serves only business customers, then it will
probably have an SLA already drawn up. There are a number of
business-only DSL providers who can offer reliable service. Such
companies charge a fair bit for their services: they charge what
it costs them to provide a quality service and to be able to expand
and deploy new equipment at need. Open a case with one of these
companies and you'll soon have a knowledgable technician on the line.


If, however, the DSL company serves the residential market as well,
then the DSL company operates on volume rather than on quality.
Prices might not be high, but reliability won't usually be high
either, even for their business accounts.

A business account from a residential DSL provider gets you to a live
human for problem reports, instead of to an answering machine that was
last updated 3 months ago (which is what the residential customers
get). But you still don't get to talk to the people who know what they
are doing -- not unless you've managed to get past the first two levels
of screening -and- the tech finds your problem interesting enough to call
you directly. It's not -profitable- for a volume provider to have
a real technical person speak to the customers.


Another thing about SLAs: if they are from a company that only
deals with businesses, then they might have some real meaning.
If, though, they are from a company that is volume-centered for
residential accounts, then what you get is not a committment to
really work seriously to -prevent- problems: what you get is a
piece of paper that details the hoops you will have to go through to
claim a pro-rated "no consequential damages" refund for the hours
that you will be down.
--
"This was a Golden Age, a time of high adventure, rich living and
hard dying... but nobody thought so." -- Alfred Bester, TSMD

>
> PIX 7.0(*) is likely to be released sometime this year or very
> early next for the 501 and 506E, and if you had a support contract
> you would be entitled to a free version update, but you certainly
> are not -required- to update your software, and you can always do
> one-off purchases of new OS versions; the one-time cost is usually
> no more than 3/4 of the price of a yearly support contract.
>
I've heard another rumor from an insider at Cisco that the 501 and 506E will
never support 7.x; instead, Cisco will come out with a low-end ASA product
that will replace these two PIXs. It would be nice if Cisco would say one
way or another so that administrators could make the correct purchasing
decisions. I would really like to have some of the 7.x features on a 501 or
506E, but if Cisco isn't going to move to 7.x on these boxes, then I might
not be interested in investing in them anymore, but wait till the small-end
ASA is introduced.

Cheers!

Richard

In article <l7uhe.35366$>,
Richard Deal <rdeal2 @ cfl.rr.com> wrote:
:I've heard another rumor from an insider at Cisco that the 501 and 506E will
:never support 7.x; instead, Cisco will come out with a low-end ASA product
:that will replace these two PIXs.

Interesting. Martin Bilgrav indicated on April 24 that it'd
be Q3 and that he "Heard on Partner Tech update".

:It would be nice if Cisco would say one
:way or another so that administrators could make the correct purchasing
:decisions.

Hear! Hear!

--
Usenet is like a slice of lemon, wrapped around a large gold brick.