Firewall Wizards mailing list archives
RE: Skip the PDM
From: "Sloane, David" <DSloane () vfa com>
Date: Thu, 20 Nov 2003 11:36:52 -0500
Robert,

Thanks for the informative post. I think many of us still use commercial firewalls for a variety of reasons. I'm most familiar with PIX and CheckPoint, and the PIX 501 is a real contender as a firewall to be shipped out to my company's remote SOHO users.

This post confirms my general perception about Cisco vs. (specialized vendor). Cisco makes decent hardware, very good routing software, and barely-tolerable management tools. If you want good GUI management tools, you're better off with Checkpoint. Many people don't have time/staff/etc. to become experts in roll-your-own firewall technologies (despite their appealing qualities), and this kind of personal account can be quite helpful.

-David

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Robert Fenerty
Sent: November 19, 2003 7:42 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Skip the PDM

Hi,

Although I sense that many subscribers to this list are of the ipchains/linux ilk, I thought I'd tell you about my experience configuring a PIX 501 at a client's site. A pretty standard setup, which took me THREE AND A HALF HOURS to install. I think we can all agree that I'm not a firewall wizard. Maybe an apprentice to the guy who mixes the mortar for the firewall.

The PIX Device Manager (PDM) is a GUI-based app that runs as a web server on the PIX 501. The 501's a tiny SOHO box with a Command-Line Interface (CLI) fairly similar to those found on Cisco routers. The differences tripped me up a bit; like grep options on HP-UX if you were raised on Sun. So to "speed things up" I tried using the PDM. Bad idea.

In my network design, the office network uses the 172.16.x.y network to avoid any routing problems that might arise when remote workers with 192.168.x.y home networks connect to the office via software VPN. So I tell the GUI that the "inside" interface is 172.16.1.1, and the DHCP pool starts at .2. Specify the gateway, DNS, etc. and you're done. Right? Wrong.

I'm guessing that the PDM just collects command lines and sends them to the PIX. The first error pops up when "ip address inside 172.16.1.1 255.255.0.0" conflicts with the factory default DHCP pool, which starts at 192.168.1.2. So the interface IP isn't changed. And the request to change the DHCP pool doesn't match the still-unchanged factory IP address, so that's ignored too. At least the PDM pops up error messages, and it was pretty obvious to me what was going on. So I fixed it manually. But the client paid $500 for this box. And a $100 Linksys or SMC box wouldn't have had this problem. You'd think Cisco could do better.

Then the DHCP server on the PIX wouldn't vend IP addresses. No sniffer handy, so I tried various debug options on the PIX. Finally got an error message from the DHCPD saying that DHCP wasn't enabled. This was odd, considering that "dhcp enable inside" and other dhcp settings were in place. I don't know what I did to kick start it, but it eventually started lending everyone IP addresses from its stingy pool of 32 DHCP leases. It was pretty easy to set up the rest of it.

Anyway, the point of this message was to say that the PDM is a rotten little piece of software that only confuses things. So skip the PDM.

Robert Fenerty

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
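The ordering problem Robert describes (the new interface address is rejected because the factory DHCP pool no longer fits in it, and the new pool is rejected because the interface has not moved yet) can be modelled as a small dependency check. The following is an added example, not code from either post or from Cisco: it assumes the PIX validates exactly those two conditions, and the factory pool size and the command names other than the quoted "ip address inside" line are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the dependency the post describes: an interface change
# must still contain the configured DHCP pool, and a DHCP pool must lie inside
# the CURRENT interface subnet. Factory values are the 192.168.1.x defaults the
# post mentions; the pool size (32 leases) is assumed.
FACTORY = {
    "inside": ip_network("192.168.1.1/24", strict=False),
    "pool": (ip_address("192.168.1.2"), ip_address("192.168.1.33")),
}

def pool_fits(pool, subnet):
    """A cleared pool (None) always fits; otherwise both ends must be in subnet."""
    return pool is None or (pool[0] in subnet and pool[1] in subnet)

def apply(state, cmd):
    """Apply one command to a copy of state; return (new_state, error_or_None)."""
    kind, arg = cmd
    new = dict(state)
    if kind == "ip address inside":      # e.g. "ip address inside 172.16.1.1 255.255.0.0"
        subnet = ip_network(arg, strict=False)
        if not pool_fits(new["pool"], subnet):
            return state, f"interface {subnet} would not contain DHCP pool {new['pool']}"
        new["inside"] = subnet
    elif kind == "dhcpd address":        # assumed: (start, end) tuple or None to clear
        if not pool_fits(arg, new["inside"]):
            return state, f"DHCP pool {arg} is outside interface subnet {new['inside']}"
        new["pool"] = arg
    return new, None

def run(cmds, state=FACTORY):
    """Apply commands in order, collecting the errors the device would raise."""
    errors = []
    for cmd in cmds:
        state, err = apply(state, cmd)
        if err:
            errors.append(err)
    return state, errors

NEW_IF = "172.16.1.1/255.255.0.0"
NEW_POOL = (ip_address("172.16.1.2"), ip_address("172.16.1.33"))
# Order the post says the PDM used: both commands fail and nothing changes.
PDM_ORDER = [("ip address inside", NEW_IF), ("dhcpd address", NEW_POOL)]
# Order that satisfies both checks: clear the pool, move the interface, re-add the pool.
SAFE_ORDER = [("dhcpd address", None), ("ip address inside", NEW_IF), ("dhcpd address", NEW_POOL)]
```

Running `run(PDM_ORDER)` reproduces the two errors with the factory state untouched, while `run(SAFE_ORDER)` ends with the inside interface on 172.16.0.0/16 and the pool at 172.16.1.2 to 172.16.1.33.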