PIX 501 for home use?

 
 
Davej
      01-11-2010
My home router finally died. It was a Linksys BEFSX41 which supposedly
did SPI, but that model had a terrible reputation for unreliability. I
am wondering if it would be practical for me to pick up a used PIX
501, which seems to have a superb reputation, but there are three
"gotchas" I can think of...

1. I have heard the PIX require licenses -- so might a used unit
refuse to do anything?
2. Is the setup extraordinarily complex? I set up the Linksys and
don't need much, just a basic connection.
3. Do I need a particular 501 with particular options for an ADSL
connection?

Thanks!
 
Doug McIntyre
      01-11-2010
Davej <> writes:
>My home router finally died. It was a Linksys BEFSX41 which supposedly
>did SPI, but that model had a terrible reputation for unreliability. I
>am wondering if it would be practical for me to pick up a used PIX
>501, which seems to have a superb reputation, but there are three
>"gotchas" I can think of...


This is the tiny, entry level box of PIX. But at least better
than something like the original 506. My main problems with 501's have
been the power plug wiggling out of them. (happened on multiple ones,
don't know why these seem to have more issues than others).

>1. I have heard the PIX require licenses -- so might a used unit
>refuse to do anything?


The box is licensed with a certain feature license, and as long as the
license is applied and you don't wipe it out, it'll stay there. I
suppose some people might wipe it, but you'll probably get the license
that the box had when it was new. If you happen to get a 10-user license,
it's too old to upgrade any longer, you'd be stuck with a 10-user license.
If you get a box without a license, it's a boat-anchor, so I suppose
most people wouldn't go to the extraordinary steps of wiping the license.

As I am wont to do, I usually push people away from PIXs, even though
this is a Cisco group. I'd look for a used Fortigate 50A or 50B
instead of a 501. Quite well working GUI, just as reliable. No license
hassle, better performance, more features, etc.

>2. Is the setup extraordinarily complex? I set up the Linksys and
>don't need much, just a basic connection.


Do you like command-line configuration? Does configuration like

static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255 0 0
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq smtp
access-list inbound permit tcp any any eq domain

scare you?

There is a GUI. I'd state that you'd be pretty hard pressed to find
the magic version of ancient Java on a particular old OS that might
actually be able to run it.

>3. Do I need a particular 501 with particular options for an ADSL
>connection?


As long as your ADSL modem takes care of all the ADSL bits without
anything else, then no. If you need to do something like PPPoE, you'll
need at least 6.2 of the OS to do PPPoE in the PIX. Either way, you'd
still need your ADSL modem in place.


 
 
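Added example, not part of the thread or any poster's code: a small Python audit over PIX 6.x-style configuration text such as the four lines quoted in the reply above, the kind of check worth running on whatever configuration a second-hand unit still carries. It reports which permitted inbound ports have a matching static port redirect to an inside host and which permits match no redirect; the `access-group` line in the sample is an assumption (the post does not show how the ACL is bound), and only `any any eq` permits and port-redirect statics are parsed.

```python
import re

# Constructed sample: the four lines quoted in the post, plus an assumed
# access-group line binding the ACL to the outside interface.
SAMPLE = """\
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255 0 0
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq smtp
access-list inbound permit tcp any any eq domain
access-group inbound in interface outside
"""

# Narrow on purpose: port-redirect statics and "any any eq <port>" permits only.
STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any any eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def audit(config, outside="outside"):
    """Return (exposed, unmatched) for ACLs bound inbound on `outside`.
    exposed:   {(proto, port): inside_host} for permits with a static redirect
    unmatched: [(proto, port)] for permits with no redirect in this config"""
    statics, permits, bound = {}, [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            _in_if, out_if, proto, _gip, gport, lip, _lport = m.groups()
            if out_if == outside:
                statics[(proto, gport)] = lip
        elif m := ACL_RE.match(line):
            permits.append(m.groups())  # (acl_name, proto, port)
        elif m := GROUP_RE.match(line):
            if m.group(2) == outside:
                bound.add(m.group(1))
    exposed, unmatched = {}, []
    for name, proto, port in permits:
        if name not in bound:
            continue  # ACL is defined but not applied to the outside interface
        if (proto, port) in statics:
            exposed[(proto, port)] = statics[(proto, port)]
        else:
            unmatched.append((proto, port))
    return exposed, unmatched


if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the quoted lines, only `www` maps to an inside host; the `smtp` and `domain` permits have no redirect behind them and are candidates for removal.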
Davej
      01-11-2010
On Jan 11, 4:39 pm, Doug McIntyre <mer...@geeks.org> wrote:
> [...]
> The box is licensed with a certain feature license, and as long as the
> license is applied and you don't wipe it out, it'll stay there.


OK, good.

> As I am wont to do, I usually push people away from PIXs, even though
> this is a Cisco group. I'd look for a used Fortigate 50A or 50B
> instead of a 501. Quite well working GUI, just as reliable. No license
> hassle, better performance, more features, etc.


I just want something very reliable. I don't really need much
performance.

> Do you like command-line configuration?


I could get used to it.

> As long as your ADSL modem takes care of all the ADSL bits without
> anything else, then no.


OK, I was worried that a T1 (or whatever) input might be the standard
and would be different from an ADSL input.
 
Doug McIntyre
      01-12-2010
Davej <> writes:
>I just want something very reliable. I don't really need much
>performance.


I've had fortigate/Netscreen/Juniper/Cisco uptime all measured in
years. They all just keep going until I need to do a software update
or whatever.

Other kinds that I've had to manage, not so much (ie. Sonicwall, Watchguard).

>> As long as your ADSL modem takes care of all the ADSL bits without
>> anything else, then no.


>OK, I was worried that a T1 (or whatever) input might be the standard
>and would be different from an ADSL input.



Almost all firewalls have ethernet in, ethernet out. As long as your
ADSL box terminates out to ethernet, it should be fine. In general,
there aren't many firewalls with WAN ports like T1, especially not in
a small box like the 501, usually you are paying quite handsomely for
that kind of box.
 
Davej
      01-12-2010
On Jan 11, 10:50 pm, Doug McIntyre <mer...@geeks.org> wrote:
> Davej <galt...@hotmail.com> writes:
> >I just want something very reliable. I don't really need much
> >performance.

>
> I've had fortigate/Netscreen/Juniper/Cisco uptime all measured in
> years. They all just keep going until I need to do a software update
> or whatever.


Well, a lot of used units I see for sale look like the result of
bankruptcy liquidations. Often they don't even have the power supply.
I would worry that the admin password would be locked.
 
Doug McIntyre
      01-12-2010
Davej <> writes:
>On Jan 11, 10:50 pm, Doug McIntyre <mer...@geeks.org> wrote:
>> Davej <galt...@hotmail.com> writes:
>> >I just want something very reliable. I don't really need much
>> >performance.

>>
>> I've had fortigate/Netscreen/Juniper/Cisco uptime all measured in
>> years. They all just keep going until I need to do a software update
>> or whatever.


>Well, a lot of used units I see for sale look like the result of
>bankruptcy liquidations. Often they don't even have the power supply.
>I would worry that the admin password would be locked.



Power supply is the bigger issue.

Password recovery on all three vendors I mention above is somewhat easy.

Netscreen/SSG enter the serial # for both username/password on the
console port.

PIX requires you to download the password recovery from CCO (or
somebody you know that has access), and netboot off that image and
it'll wipe the password.

Fortigate is similar to the Netscreen, login on the console port with
'maintainer' & 'bcpb<HW SERIAL NUM>'.
There's one other pattern for older Fortigate, but you can google those.
 
Davej
      01-12-2010
On Jan 12, 3:00 pm, Doug McIntyre <mer...@geeks.org> wrote:
> Davej <galt...@hotmail.com> writes:
> >On Jan 11, Doug McIntyre <mer...@geeks.org> wrote:
> >> Davej <galt...@hotmail.com> writes:
> >> >I just want something very reliable. I don't really need much
> >> >performance.

>
> >> I've had fortigate/Netscreen/Juniper/Cisco uptime all measured in
> >> years. They all just keep going until I need to do a software update
> >> or whatever.

>
> >Well, a lot of used units I see for sale look like the result of
> >bankruptcy liquidations. Often they don't even have the power supply.
> >I would worry that the admin password would be locked.

>
> Power supply is the bigger issue.
> Password recovery on all three vendors I mention above is somewhat easy.
>


Well, in that case it looks like it would be easy to pick up something
like a Netscreen 5GT for around $60 or less.

 
Doug McIntyre
      01-13-2010
Davej <> writes:
>Well, in that case it looks like it would be easy to pick up something
>like a Netscreen 5GT for around $60 or less.


Sure, those boxes worked well, they are everywhere, I still have a few
in production. The GUI is okay, a few browsers choke on it. No new
software updates for them, but that doesn't sound like it's a factor in
your plans.


 
Davej
      01-14-2010
On Jan 13, 11:42 am, Doug McIntyre <mer...@geeks.org> wrote:
> Davej <galt...@hotmail.com> writes:
> >Well, in that case it looks like it would be easy to pick up something
> >like a Netscreen 5GT for around $60 or less.

>
> Sure, those boxes worked well, they are everywhere, I still have a few
> in production. The GUI is okay, a few browsers choke on it. No new
> software updates for them, but that doesn't sound like it's a factor in
> your plans.


So, with a unit like that is there anything particularly useful that
can be done with the added flexibility? I mean compared to a simple
unit like my old Linksys?
 
Doug McIntyre
      01-15-2010
Davej <> writes:
>On Jan 13, 11:42 am, Doug McIntyre <mer...@geeks.org> wrote:
>> Davej <galt...@hotmail.com> writes:
>> >Well, in that case it looks like it would be easy to pick up something
>> >like a Netscreen 5GT for around $60 or less.

>>
>> Sure, those boxes worked well, they are everywhere, I still have a few
>> in production. The GUI is okay, a few browsers choke on it. No new
>> software updates for them, but that doesn't sound like it's a factor in
>> your plans.


>So, with a unit like that is there anything particularly useful that
>can be done with the added flexibility? I mean compared to a simple
>unit like my old Linksys?



It depends quite a lot on what you want to do. I.e. you have a lot more
flexibility, but unless you need it, it'll mainly sit there.

One thing that I find much nicer with this class would be that
protocols like FTP work cleanly without having to do some tricks that
are sometimes needed.

Doing VOIP calls with SIP and H.323 would work that just isn't going
to function well with the Linksys.

And of course, it'll be more stable. I'm sure I have one with uptime
greater than 18-24 months.

 