Full Disclosure mailing list archives
Re: PIX vs CheckPoint
From: Jim Burwell <jimb () jsbc cc>
Date: Wed, 30 Jun 2004 13:42:18 -0700
Heh. That also surprised me when I started working w/ PIX. The fact you needed some sort of NAT statement to pass traffic regardless whether you were NATing had me shaking my head. Not too surprising I guess, since if I recall, PIXes came from the Cisco acquisition of a company called Network Translation.
PIXes aren't really routers either, like many firewalls. This is evident by the fact that PIXes can't route traffic back out the same interface it received the traffic on. You have to be conscious about these limitations when doing network design in the presence of PIXes. For instance, if you want to stand up a small VPN access router on a typical small LAN where the PIX is the default route, the VPN router can't be put in parallel with the PIX unless you either:
a) change the LAN's default route to the VPN router (bad if most traffic taking the default route is bound for the internet, it'd just get bounced right to the PIX and put load on your poor little access router).
b) put static routes for the appropriate networks on all hosts (yeah right).
c) run a dynamic routing protocol on all hosts (not gonna happen).
The solution in these situations, aside from buying a new "core" or "choke" router for the network, is to put the inside interface of the VPN access router off of a DMZ interface of a PIX, or spare interface if available. The PIX is perfectly happy to route the traffic to your router as long as it passes through the PIX and exits a different interface. Always seemed kind of silly to me.
- Jim

Ben Nelson wrote:
> You must have some statics in place then, which is a static 'NAT' translation.
>
> Cyril Guibourg wrote:
> | "Otero, Hernan (EDS)" <HOtero () lanchile cl> writes:
> |
> |> I think you do, because at least a nat 0 it's needed to get traffic passing
> |> through the pix.
> |
> | This is odd, I do have a running config under 6.2 without any nat statement.
> |
> | _______________________________________________
> | Full-Disclosure - We believe in it.
> | Charter: http://lists.netsys.com/full-disclosure-charter.html
--
Jim Burwell - Sr. Systems/Network/Security Engineer, JSBC
"I never let my schooling get in the way of my education." - Mark Twain
"UNIX was never designed to keep people from doing stupid things, because that policy would also keep them from doing clever things." - Doug Gwyn
"Cool is only three letters away from Fool" - Mike Muir, Suicyco
"..Government in its best state is but a necessary evil; in its worst state an intolerable one.." - Thomas Paine, "Common Sense" (1776)
Email: jimb () jsbc cc    ICQ UIN: 1695089
Reply problems ? Turn off the "sign" function in email prog. Blame MS.
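The workaround Jim describes (VPN router hanging off a PIX DMZ interface so the traffic enters on inside and leaves on dmz), written out as a PIX 6.x configuration fragment. This is an added illustration, not configuration from the thread or from Cisco; every address, interface name and ACL name is constructed, and it assumes the VPN router's LAN-facing interface sits at 172.16.1.2 on the dmz segment and that the remote VPN site is 192.168.50.0/24.

```text
: Constructed example, PIX 6.x syntax. Lines beginning with ":" are comments.
: Interfaces (addresses are made up)
nameif ethernet2 dmz security50
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0

: The PIX insists on a translation entry for any flow it forwards. For the
: inside <-> remote-VPN-site traffic we want no address rewriting, so use
: identity NAT ("nat 0" with an ACL): the "some sort of NAT statement"
: from the discussion, even though nothing is actually translated.
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat

: Traffic from the remote site arrives on dmz (lower security) bound for
: inside (higher security), so it must be explicitly permitted. Scope the
: ACL to the remote subnet only; do not open dmz -> inside wholesale.
access-list dmz_in permit ip 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group dmz_in in interface dmz

: Routing: LAN hosts keep the PIX as their default gateway. The PIX sends
: the remote subnet out the dmz interface to the VPN router and everything
: else out to the Internet, so the VPN flow never has to hairpin back out
: the inside interface, which a PIX refuses to do.
route dmz 192.168.50.0 255.255.255.0 172.16.1.2 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

If the VPN router were instead placed in parallel on the inside LAN, the PIX would have to forward inside-sourced packets back out the inside interface and would drop them, which is exactly the limitation the post is working around.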