[c-nsp] Telnet FROM a PIX Appliance?

Vinny Abello vinny at tellurian.com
Fri Jul 4 10:47:03 EDT 2008


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Peder @ NetworkOblivion
> Sent: Friday, July 04, 2008 8:28 AM
> To: cisco-nsp at puck.nether.net >> Cisco-NSP Mailing List
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
> What!?  The original PIX code was < 500k as the first versions from
> Network Translations only had 512k flash modules in them.  There is no
> way that it was based on Windows, not even 3.1.  I think you are
> thinking of the Centri (or whatever it was called) that was windows
> based that they bought many years ago.  I actually worked at Cisco when
> they bought the PIX and the Centri and then they killed the Centri
> shortly thereafter.  I think the Centri ran on Windows 95, but I am not
> 100% sure as that was 10+ years ago.
>
> IMO, the reason that so many people use(d) the PIX is that they just
> work.  You set it up and forget it for two years.  You rarely even need
> to update the software on it as there are so few bugs that are show
> stoppers.  Now, the ASA is a different story.  There is a lot more
> stuff
> in it and hence a lot more bugs.

I definitely agree with the "just work" statement, but there are some issues we've run into with the PIX that don't exist on the ASA.

We use hundreds of Cisco PIX and ASA devices for our customers. In our experience, the ASA is far superior in features and verbosity of information it presents to you and flexibility. I think we had one customer hit by a show stopper bug that was a memory leak in the ASA which was triggered by a lot of web traffic. I think that was fixed in 7.2.3. We actually experienced quite a large show stopper bug on the PIX 6.3.5 code which still exists causing the PIX to crash. It was related to a large number of VPN connections changing state if I recall. We had to get an interim build from Cisco of 6.3.5.xxx to fix this. We mainly run 7.2.4 and 8.0.3 on the ASA (8.0.3 if we want AnyConnect). They work pretty well, although I'm leery of 8.x code still and noticed the ASA 5505 on 8.0.3 has an unusually high CPU load when doing nothing.

Whenever I assist someone with troubleshooting a VPN issue or something else on a Cisco security device, my first question is if we're working with a PIX or ASA... If it's a PIX my usual response is ugh... If it's ASA I cheer in my head. :) The ASA is much easier to troubleshoot and is more predictable and IOS-like. PIX 6.3.5 also has an issue sometimes with creating new VPN tunnels and the access-list you create not being recognized, resulting in ACL deny messages in debug. Workarounds include reapplying the crypto map (not recommended as it's disruptive), rebooting, or a trick we found by adding an additional line to the access list then removing it. Odd, I know, but it works every time. I think it actually is a result of the order all the commands are entered in, but I never tracked it down specifically. The ASA doesn't appear to have this glitch.

Also, minus the added hardware in the ASA which handles things like SSL VPNs and the other optional hardware options, you can run the same code (not image, but code) on the PIX 515 and higher models that the ASA devices run (7.x and 8.x), providing you have enough memory. So when saying ASA above I'm also referring to the PIX on 7.x or 8.x code.

When it comes down to it, they're all just little PCs with flash for the OS, Intel NICs and Intel processors. The modern ones are anyway... I know the older PIX models really resembled a PC, having a floppy drive for recovery purposes and everything. I never worked much with those, however.

-Vinny
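The "add a line, then remove it" workaround for the unrecognised crypto ACL that the post above describes, written out as a PIX 6.3-style CLI session. This is an added, constructed example and not part of the original message; the access-list name VPN_TRAFFIC, the crypto map name OUTSIDE_MAP, the sequence number 10 and the 10.1.0.0/10.2.0.0 and 192.0.2.x/198.51.100.x addresses are all assumptions chosen for illustration.

```text
! --- Existing tunnel definition (constructed example, names are assumptions) ---
access-list VPN_TRAFFIC permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP interface outside

! --- Symptom: the crypto map does not pick up the ACL, so interesting traffic
! --- is logged as an ACL deny in "debug crypto isakmp" / "debug crypto ipsec"
show access-list VPN_TRAFFIC

! --- Non-disruptive workaround from the post: add a throwaway line, then
! --- remove it again. The crypto map is not touched, so existing tunnels stay up.
access-list VPN_TRAFFIC permit ip host 192.0.2.1 host 198.51.100.1
no access-list VPN_TRAFFIC permit ip host 192.0.2.1 host 198.51.100.1

! --- Confirm the ACL is back to its intended single line and hit counts move
show access-list VPN_TRAFFIC
show crypto map

! --- Disruptive alternative the post warns against: re-binding the crypto map
! --- tears down every tunnel on the interface.
! no crypto map OUTSIDE_MAP interface outside
! crypto map OUTSIDE_MAP interface outside
```

Because the workaround only touches the access list, it is safe to script into a change window without dropping other tunnels; `show access-list` before and after makes it easy to verify that the temporary line really was removed and that no unintended permit survived the nudge.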

