Anyone can confirm that a PIX decrements TTL?
On Sat, Feb 17, 2001 at 11:35:46AM -0500, Howard C. Berkowitz wrote:
>This is a less marketing-speak and more technically driven
>terminology problem than router versus switch, but, again, I fall
>back on there being no such thing as a router. There are L3 route
>determination and L3 packet forwarding functions.
>
>In the case of the PIX, we have what the IETF is loosely calling a
>"midbox". It does not have route determination, but it does have
>packet forwarding. It also has NAT with higher-layer awareness,
>stateful packet screening, etc.
>
>I honestly don't know if the PIX decrements the TTL field when it
>rewrites a packet header. It has to recompute the IP header checksum
>(and, indeed, TCP/UDP checksums) if it is NAT'ing, not just
>inspecting.
>
> From my point of view, I'd like the midbox to decrement TTL, to give
>any chance of a traceroute being meaningful. Of course, if the PIX
>does NAT, a traceroute is useless.
>
>>As someone said yesterday: The PIX will not route, period. It will NAT
>>(including NAT 0), but it will not route packets between different networks.
>>If you need routing off any interface on a PIX, you need a router there.
>>
>>--
>>Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
>>List email: [EMAIL PROTECTED]
>>Homepage: http://jason.artoo.net/
>>Cisco resources: http://r2cisco.artoo.net/
>>
>>
>>"anthony kim" <[EMAIL PROTECTED]> wrote in message
>>[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
>>> A device can best be described by its chief function. You can use a
>>> PIX as a router, just allow everything through. In fact you can use a
>>> router as a firewall, be selective with access lists. Terminology is
>>> flexible as long as you're pragmatic about function.
>>>
>>>
>>> On Fri, Feb 16, 2001 at 10:52:06AM -0800, Dan West wrote:
>>> >PIX - sounds like a router to me - packet forwarding
>>> >based on layer 3 addressing. It has extra security
>>> >features and all of a sudden it's a
>>> >firewall...marketing fluff? or accurate description???
>>> >who will uncover this mystery???? ;>
>>> >
>>> >--- mtieast <[EMAIL PROTECTED]> wrote:
>>> >> I think this comes from the fact that cisco
>>> >> instructors in class say that
>>> >> the Pix is not a router. I have heard this as well
>>> >> when I had the class.
>>> >>
>>> >> I know the Pix is not a router, but does it route?
>>> >> Well, if making decisions
>>> >> about where to send traffic based on layer 3 info is
>>> >> routing then I would
>>> >> argue it does route. It does not forward traffic
>>> >> based on layer 2 info so
>>> >> ......
>>> >>
>>> >> It routes traffic to the appropriate interface. Can
>>> >> someone else shed some
>>> >> light as to why this is said. If it doesn't route
>>> >> the traffic it recieves
>>> >> what does it do?
>>> >>
>>> >>
>>> >>
>>> >> -----Original Message-----
>>> >> From: haroldnjoe <[EMAIL PROTECTED]>
>>> >> Newsgroups: groupstudy.cisco
>>> >> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
>>> >> Date: Friday, February 16, 2001 12:41 PM
>>> >> Subject: Firewalls and VPNs
>>> >>
>>> >>
>>> >> >I've read here a couple of times that PIX's don't
>>> >> route. Period. In light
>>> >> of
>>> >> >this I'm left a little confused as to a proposed
>>> >> network map I was given
>>> >> >recently.
>>> >> >
>>> >> >The core layer router is a 3640 linking all of our
>>> >> branch offices together.
>>> >> >From the 3640, there is an ethernet connection to a
>>> >> PIX 515R. From the
>>> >> PIX,
>>> >> >there is another ethernet connection to a 1750
>>> >> router. The 1750 connects
>>> >> via
>>> >> >T1 to our ISP. There is yet another ethernet
>>> >> connection from the PIX to
>>> >> the
>>> >> >isolation lan, on which resides an internet
>>> >> mail/web server and a VPN 3000
>>> >> >concentrator.
>>> >> >
>>> >> >If PIX's don't route, what subnet is the isolation
>>> >> lan going to sit on? As
>>> >> >I understand it, the PIX will be providing NAT
>>> >> functionality for the 3640
>>> >> >and everything behind it. So I would assume that
>>> >> the T1 and ethernet
>>> >> >interfaces on the 1750, the outside interfaces on
>>> >> the PIX, and everything
>>> >> in
>>> >> >the isolation lan including the VPN concentrator
>>> >> will have to have public
>> > >> IP
>>> >> >addresses which will be given to us by our ISP.
>>> >> The way the map is layed
>>> >> >out, it looks to me like the isolation lan would
>>> >> have to be on its own
>>> >> >subnet.
>>> >> >
>>> >> >What am I missing? If the PIX doesn't route, do
>>> >> it's ethernet interfaces
>>> >> >reside on the same subnet as the isolation lan? If
>>> >> so, then the ethernet
>>> >> >interface on the 1750 must also be on that subnet,
>>> >> right?
>>> >> >
>>> >> >This is the proposed network map that Cisco's
>>> >> presale engineers gave me.
>>> >> >I'm sure it's a solid design, but I'm still trying
>>> >> to work out the details
>>> >> >so that I understand what I'm implementing (always
>>> >> a good thing, I think).
>>> >> >
>>> >> >Thanks for your time,
>>> >> >
>>> >> >[EMAIL PROTECTED]
>>> >> >
>>> >> >
>>> >> >_________________________________
>>> >> >FAQ, list archives, and subscription info:
>>> >> http://www.groupstudy.com/list/cisco.html
>>> >> >Report misconduct and Nondisclosure violations to
>>> >> [EMAIL PROTECTED]
>>> >> >
>>> >>
>>> >> _________________________________
>>> >> FAQ, list archives, and subscription info:
>>> >> http://www.groupstudy.com/list/cisco.html
>>> >> Report misconduct and Nondisclosure violations to
>>> >[EMAIL PROTECTED]
>>> >
>>> >
>>> >=====
>>> >from The Big Lebowski...
>>> >
>>> >The Dude: You sure he won't mind?
>>> >Bunny: Dieter doesn't care about anything. He's a nihilist.
>>> >The Dude: Ohhh, that must be exhausting...
>>> >
>>> >__________________________________________________
>>> >Do You Yahoo!?
>>> >Get personalized email addresses from Yahoo! Mail - only $35
>>> >a year! http://personal.mail.yahoo.com/
>>> >
>>> >_________________________________
>>> >FAQ, list archives, and subscription info:
>>http://www.groupstudy.com/list/cisco.html
>>> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>>
>>
>>_________________________________
>>FAQ, list archives, and subscription info:
>>http://www.groupstudy.com/list/cisco.html
>>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
>_________________________________
>FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]