Re: Firewalls and VPNs

Jason Fri, 16 Feb 2001 20:23:31 -0800
As someone said yesterday: The PIX will not route, period.  It will NAT
(including NAT 0), but it will not route packets between different networks.
If you need routing off any interface on a PIX, you need a router there.

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/


"anthony kim" <[EMAIL PROTECTED]> wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> A device can best be described by its chief function. You can use a
> PIX as a router, just allow everything through. In fact you can use a
> router as a firewall, be selective with access lists. Terminology is
> flexible as long as you're pragmatic about function.
>
>
> On Fri, Feb 16, 2001 at 10:52:06AM -0800, Dan West wrote:
> >PIX - sounds like a router to me - packet forwarding
> >based on layer 3 addressing. It has extra security
> >features and all of a sudden it's a
> >firewall...marketing fluff? or accurate description???
> >who will uncover this mystery????  ;>
> >
> >--- mtieast <[EMAIL PROTECTED]> wrote:
> >> I think this comes from the fact that cisco
> >> instructors in class say that
> >> the Pix is not a router. I have heard this as well
> >> when I had the class.
> >>
> >> I know the Pix is not a router, but does it route?
> >> Well, if making decisions
> >> about where to send traffic based on layer 3 info is
> >> routing then I would
> >> argue it does route. It does not forward traffic
> >> based on layer 2 info so
> >> ......
> >>
> >> It routes traffic to the appropriate interface. Can
> >> someone else shed some
> >> light as to why this is said. If it doesn't route
> >> the traffic it recieves
> >> what does it do?
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: haroldnjoe <[EMAIL PROTECTED]>
> >> Newsgroups: groupstudy.cisco
> >> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> >> Date: Friday, February 16, 2001 12:41 PM
> >> Subject: Firewalls and VPNs
> >>
> >>
> >> >I've read here a couple of times that PIX's don't
> >> route. Period. In light
> >> of
> >> >this I'm left a little confused as to a proposed
> >> network map I was given
> >> >recently.
> >> >
> >> >The core layer router is a 3640 linking all of our
> >> branch offices together.
> >> >From the 3640, there is an ethernet connection to a
> >> PIX 515R.  From the
> >> PIX,
> >> >there is another ethernet connection to a 1750
> >> router. The 1750 connects
> >> via
> >> >T1 to our ISP.  There is yet another ethernet
> >> connection from the PIX to
> >> the
> >> >isolation lan, on which resides an internet
> >> mail/web server and a VPN 3000
> >> >concentrator.
> >> >
> >> >If PIX's don't route, what subnet is the isolation
> >> lan going to sit on?  As
> >> >I understand it, the PIX will be providing NAT
> >> functionality for the 3640
> >> >and everything behind it.  So I would assume that
> >> the T1 and ethernet
> >> >interfaces on the 1750, the outside interfaces on
> >> the PIX, and everything
> >> in
> >> >the isolation lan including the VPN concentrator
> >> will have to have public
> >> IP
> >> >addresses which will be given to us by our ISP.
> >> The way the map is layed
> >> >out, it looks to me like the isolation lan would
> >> have to be on its own
> >> >subnet.
> >> >
> >> >What am I missing?  If the PIX doesn't route, do
> >> it's ethernet interfaces
> >> >reside on the same subnet as the isolation lan?  If
> >> so, then the ethernet
> >> >interface on the 1750 must also be on that subnet,
> >> right?
> >> >
> >> >This is the proposed network map that Cisco's
> >> presale engineers gave me.
> >> >I'm sure it's a solid design, but I'm still trying
> >> to work out the details
> >> >so that I understand what I'm implementing (always
> >> a good thing, I think).
> >> >
> >> >Thanks for your time,
> >> >
> >> >[EMAIL PROTECTED]
> >> >
> >> >
> >> >_________________________________
> >> >FAQ, list archives, and subscription info:
> >> http://www.groupstudy.com/list/cisco.html
> >> >Report misconduct and Nondisclosure violations to
> >> [EMAIL PROTECTED]
> >> >
> >>
> >> _________________________________
> >> FAQ, list archives, and subscription info:
> >> http://www.groupstudy.com/list/cisco.html
> >> Report misconduct and Nondisclosure violations to
> >[EMAIL PROTECTED]
> >
> >
> >=====
> >from The Big Lebowski...
> >
> >The Dude: You sure he won't mind?
> >Bunny: Dieter doesn't care about anything. He's a nihilist.
> >The Dude: Ohhh, that must be exhausting...
> >
> >__________________________________________________
> >Do You Yahoo!?
> >Get personalized email addresses from Yahoo! Mail - only $35
> >a year!  http://personal.mail.yahoo.com/
> >
> >_________________________________
> >FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Firewalls and VPNs

Reply via email to
