This is a less marketing-speak and more technically driven 
terminology problem than router versus switch, but, again, I fall 
back on there being no such thing as a router.  There are L3 route 
determination and L3 packet forwarding functions.

In the case of the PIX, we have what the IETF is loosely calling a 
"midbox".  It does not have route determination, but it does have 
packet forwarding. It also has NAT with higher-layer awareness, 
stateful packet screening, etc.

I honestly don't know if the PIX decrements the TTL field when it 
rewrites a packet header. It has to recompute the IP header checksum 
(and, indeed, TCP/UDP checksums) if it is NAT'ing, not just 
inspecting.

From my point of view, I'd like the midbox to decrement TTL, to give 
any chance of a traceroute being meaningful. Of course, if the PIX 
does NAT, a traceroute is useless.

>As someone said yesterday: The PIX will not route, period.  It will NAT
>(including NAT 0), but it will not route packets between different networks.
>If you need routing off any interface on a PIX, you need a router there.
>
>--
>Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
>List email: [EMAIL PROTECTED]
>Homepage: http://jason.artoo.net/
>Cisco resources: http://r2cisco.artoo.net/
>
>
>"anthony kim" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>>  A device can best be described by its chief function. You can use a
>>  PIX as a router, just allow everything through. In fact you can use a
>>  router as a firewall, be selective with access lists. Terminology is
>>  flexible as long as you're pragmatic about function.
>>
>>
>>  On Fri, Feb 16, 2001 at 10:52:06AM -0800, Dan West wrote:
>>  >PIX - sounds like a router to me - packet forwarding
>>  >based on layer 3 addressing. It has extra security
>>  >features and all of a sudden it's a
>>  >firewall...marketing fluff? or accurate description???
>>  >who will uncover this mystery????  ;>
>>  >
>>  >--- mtieast <[EMAIL PROTECTED]> wrote:
>>  >> I think this comes from the fact that Cisco instructors in class say
>>  >> that the Pix is not a router. I have heard this as well when I had
>>  >> the class.
>>  >>
>>  >> I know the Pix is not a router, but does it route? Well, if making
>>  >> decisions about where to send traffic based on layer 3 info is
>>  >> routing then I would argue it does route. It does not forward traffic
>>  >> based on layer 2 info so ......
>>  >>
>>  >> It routes traffic to the appropriate interface. Can someone else shed
>>  >> some light as to why this is said. If it doesn't route the traffic it
>>  >> receives what does it do?
>>  >>
>>  >>
>>  >>
>>  >> -----Original Message-----
>>  >> From: haroldnjoe <[EMAIL PROTECTED]>
>>  >> Newsgroups: groupstudy.cisco
>>  >> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
>>  >> Date: Friday, February 16, 2001 12:41 PM
>>  >> Subject: Firewalls and VPNs
>>  >>
>>  >>
>>  >> >I've read here a couple of times that PIX's don't route. Period. In
>>  >> >light of this I'm left a little confused as to a proposed network map
>>  >> >I was given recently.
>>  >> >
>>  >> >The core layer router is a 3640 linking all of our branch offices
>>  >> >together. From the 3640, there is an ethernet connection to a PIX
>>  >> >515R.  From the PIX, there is another ethernet connection to a 1750
>>  >> >router. The 1750 connects via T1 to our ISP.  There is yet another
>>  >> >ethernet connection from the PIX to the isolation lan, on which
>>  >> >resides an internet mail/web server and a VPN 3000 concentrator.
>>  >> >
>>  >> >If PIX's don't route, what subnet is the isolation lan going to sit
>>  >> >on?  As I understand it, the PIX will be providing NAT functionality
>>  >> >for the 3640 and everything behind it.  So I would assume that the T1
>>  >> >and ethernet interfaces on the 1750, the outside interfaces on the
>>  >> >PIX, and everything in the isolation lan including the VPN
>>  >> >concentrator will have to have public IP addresses which will be
>>  >> >given to us by our ISP. The way the map is laid out, it looks to me
>>  >> >like the isolation lan would have to be on its own subnet.
>>  >> >
>>  >> >What am I missing?  If the PIX doesn't route, do its ethernet
>>  >> >interfaces reside on the same subnet as the isolation lan?  If so,
>>  >> >then the ethernet interface on the 1750 must also be on that subnet,
>>  >> >right?
>>  >> >
>>  >> >This is the proposed network map that Cisco's presale engineers gave
>>  >> >me. I'm sure it's a solid design, but I'm still trying to work out
>>  >> >the details so that I understand what I'm implementing (always a good
>>  >> >thing, I think).
>>  >> >
>>  >> >Thanks for your time,
>>  >> >
>>  >> >[EMAIL PROTECTED]
>>  >> >
>>  >> >
>>  >> >_________________________________
>>  >> >FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
>>  >> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>>  >> >
>>  >>
>>  >
>>  >
>>  >=====
>>  >from The Big Lebowski...
>>  >
>>  >The Dude: You sure he won't mind?
>>  >Bunny: Dieter doesn't care about anything. He's a nihilist.
>>  >The Dude: Ohhh, that must be exhausting...
>>  >
>
>

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
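
Added example, not part of the original thread: the top message notes that a NAT'ing midbox has to recompute the IP header checksum and the TCP/UDP checksum, and would ideally decrement TTL. The sketch below does a source-NAT rewrite plus TTL decrement on a constructed IPv4/TCP packet and patches both checksums incrementally (RFC 1624). The addresses, ports and function names are assumptions made for illustration; nothing here describes how the PIX itself is implemented.

```python
import struct

def csum(data):
    """RFC 1071 Internet checksum; returns 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def csum_update(old_csum, old_words, new_words):
    """RFC 1624 eqn 3: HC' = ~(~HC + ~m + m') for every changed 16-bit word."""
    total = ~old_csum & 0xFFFF
    for m, m2 in zip(old_words, new_words):
        total += (~m & 0xFFFF) + m2
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_csum(src, dst, seg):
    """Full TCP checksum: pseudo-header (addresses, proto 6, length) + segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    return csum(pseudo + seg[:16] + b"\x00\x00" + seg[18:])

def build_packet(src, dst, ttl, payload):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP SYN + payload."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_csum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0, src, dst)
    return ip[:10] + struct.pack("!H", csum(ip)) + ip[12:] + tcp

def nat_forward(pkt, new_src):
    """Source NAT + TTL decrement, patching both checksums instead of recomputing."""
    if pkt[8] <= 1:
        raise ValueError("TTL expired; a forwarder would drop this packet")
    ip, seg = bytearray(pkt[:20]), bytearray(pkt[20:])
    old_w = struct.unpack("!HH", ip[12:16])        # old source address words
    new_w = struct.unpack("!HH", new_src)
    old_t, = struct.unpack("!H", ip[8:10])         # TTL and protocol share a word
    ip[8] -= 1
    new_t, = struct.unpack("!H", ip[8:10])
    ip[12:16] = new_src
    ip_ck, = struct.unpack("!H", ip[10:12])
    ip[10:12] = struct.pack("!H", csum_update(ip_ck, old_w + (old_t,), new_w + (new_t,)))
    tcp_ck, = struct.unpack("!H", seg[16:18])      # pseudo-header covers addresses, not TTL
    seg[16:18] = struct.pack("!H", csum_update(tcp_ck, old_w, new_w))
    return bytes(ip + seg)
```
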