At 10:40 PM 2/17/2001 -0800, Yonkerbonk wrote:
>Is there any good reason why the PIX doesn't route?
>Why it doesn't run OSPF? A Checkpoint firewall running
>on a Solaris box would be able to run OSPF or
>something, right? Why not a PIX?
>
>Michael

Personally, I think it's a good idea not to have a firewall running routing
protocols.  Having to configure the routing and the security separately
is a double check against possible security leaks.
>--- anthony kim <[EMAIL PROTECTED]> wrote:
> > Does your pix have a default route?
> > Does your pix forward packets between subnets?
> > Logically, then, the pix routes. Call it what you will, when forwarding
> > between disparate networks, you route. I suppose cisco misunderstands the
> > term "route" too.
> >
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v42/pix42cfg/pix42apa.htm#xtocid88422
> >
> > Here's from Cisco:
> >
> > route Command
> >
> > The following are the extensions to the route command:
> >
> >      The routing table has been improved to let you specify the IP address
> >      of a PIX Firewall interface in the route command. If the route
> >      command statement uses the IP address from one of the PIX Firewall
> >      unit's interfaces as the gateway IP address, PIX Firewall will
> >      ARP for the destination IP address in the packet instead of ARPing
> >      for the gateway IP address.
> >
> >      PIX Firewall also does not accept duplicate routes with different
> >      metrics for the same gateway.
> >
> >      In version 5.1(1), the CONNECT route entry is supported. (This
> >      identifier appears when you use the show route command.) The
> >      CONNECT identifier is assigned to an interface's local network and
> >      the interface IP address, which is in the IP local subnet. PIX
> >      Firewall will use ARP for the destination address. The CONNECT
> >      identifier cannot be removed, but changes when you change the
> >      IP address on the interface.
> >
> >      You can now enter duplicate route command statements with different
> >      gateways and metrics.
> >
> >      You can now enter static route command statements with virtual
> >      subnets; for example:
> >
> > route outside 10.2.2.8 255.255.255.248 192.168.1.3
> > route outside 10.2.2.8 255.255.255.255 192.168.1.1
> >
> > --- Jason <[EMAIL PROTECTED]> wrote:
> > > As someone said yesterday: The PIX will not route, period.  It will NAT
> > > (including NAT 0), but it will not route packets between different
> > > networks.
> > > If you need routing off any interface on a PIX, you need a router there.
> > >
> > > --
> > > Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA,
> > Network+, A+
> > > List email: [EMAIL PROTECTED]
> > > Homepage: http://jason.artoo.net/
> > > Cisco resources: http://r2cisco.artoo.net/
> > >
> > >
> > > "anthony kim" <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > A device can best be described by its chief function. You can use a
> > > > PIX as a router, just allow everything through. In fact you can use a
> > > > router as a firewall, be selective with access lists. Terminology is
> > > > flexible as long as you're pragmatic about function.
> > > >
> > > >
> > > > On Fri, Feb 16, 2001 at 10:52:06AM -0800, Dan West wrote:
> > > > >PIX - sounds like a router to me - packet forwarding
> > > > >based on layer 3 addressing. It has extra security
> > > > >features and all of a sudden it's a
> > > > >firewall...marketing fluff? or accurate description???
> > > > >who will uncover this mystery????  ;>
> > > > >
> > > > >--- mtieast <[EMAIL PROTECTED]> wrote:
> > > > >> I think this comes from the fact that cisco instructors in class
> > > > >> say that the Pix is not a router. I have heard this as well when I
> > > > >> had the class.
> > > > >>
> > > > >> I know the Pix is not a router, but does it route? Well, if making
> > > > >> decisions about where to send traffic based on layer 3 info is
> > > > >> routing then I would argue it does route. It does not forward
> > > > >> traffic based on layer 2 info so ......
> > > > >>
> > > > >> It routes traffic to the appropriate interface. Can someone else
> > > > >> shed some light as to why this is said. If it doesn't route the
> > > > >> traffic it receives what does it do?
> > > > >>
> > > > >>
> > > > >>
> > > > >> -----Original Message-----
> > > > >> From: haroldnjoe <[EMAIL PROTECTED]>
> > > > >> Newsgroups: groupstudy.cisco
> > > > >> To: [EMAIL PROTECTED]
> > <[EMAIL PROTECTED]>
> > > > >> Date: Friday, February 16, 2001 12:41 PM
> > > > >> Subject: Firewalls and VPNs
> > > > >>
> > > > >>
> > > > >> >I've read here a couple of times that PIX's don't route. Period.
> > > > >> >In light of this I'm left a little confused as to a proposed
> > > > >> >network map I was given recently.
> > > > >> >
> > > > >> >The core layer router is a 3640 linking all of our branch offices
> > > > >> >together. From the 3640, there is an ethernet connection to a
> > > > >> >PIX 515R.  From the PIX, there is another ethernet connection to a
> > > > >> >1750 router. The 1750 connects via T1 to our ISP.  There is yet
> > > > >> >another ethernet connection from the PIX to the isolation lan, on
> > > > >> >which resides an internet mail/web server and a VPN 3000
> > > > >> >concentrator.
> > > > >> >
> > > > >> >If PIX's don't route, what subnet is the isolation lan going to
> > > > >> >sit on?  As I understand it, the PIX will be providing NAT
> > > > >> >functionality for the 3640 and everything behind it.  So I would
> > > > >> >assume that the T1 and ethernet interfaces on the 1750, the outside
> > > > >> >interfaces on the PIX, and everything in the isolation lan
> > > > >> >including the VPN concentrator will have to have public IP
> > > > >> >addresses which will be given to us by our ISP.  The way the map
> > > > >> >is laid out, it looks to me like the isolation lan would have to
> > > > >> >be on its own subnet.
> > > > >> >
> > > > >> >What am I missing?  If the PIX doesn't route, do its ethernet
> > > > >> >interfaces reside on the same subnet as the isolation lan?  If so,
> > > > >> >then the ethernet interface on the 1750 must also be on that
> > > > >> >subnet, right?
> > > > >> >
> > > > >> >This is the proposed network map that Cisco's
> >
>=== message truncated ===

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
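The Cisco notes quoted in anthony kim's reply describe how the PIX picks a next hop and what it ARPs for: CONNECT entries derived from interface addresses, rejection of a duplicate route to the same gateway with a different metric, acceptance of the same prefix via a different gateway, and ARPing for the destination rather than the gateway when the gateway is one of the PIX's own interface IPs. The following Python is an added example that models that behaviour; it is not Cisco code and not from any poster in this thread. The interface addresses, the default route, the 10.5.0.0/16 route and the metric default of 1 are constructed assumptions; the two 10.2.2.8 route statements are the ones quoted from the Cisco page, and the lookup shows the /32 and /29 entries being selected by longest prefix.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample PIX interfaces (name -> address/mask); assumed, not from the post.
INTERFACES = {
    "outside": ipaddress.ip_interface("192.168.1.2/24"),
    "inside": ipaddress.ip_interface("10.1.1.1/24"),
}


@dataclass(frozen=True)
class Route:
    iface: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int
    kind: str  # "CONNECT" (derived from an interface address) or "STATIC" (route statement)


class PixRouteTable:
    """Simplified model of the PIX routing table described in the quoted route command notes."""

    def __init__(self, interfaces):
        self.interfaces = dict(interfaces)
        self.own_ips = {a.ip for a in self.interfaces.values()}
        self.routes = []
        # CONNECT entries: one per interface local network, gateway = the interface IP.
        # They cannot be removed; they only change when the interface address changes.
        for name, addr in self.interfaces.items():
            self.routes.append(Route(name, addr.network, addr.ip, 0, "CONNECT"))

    def add(self, statement):
        """Parse 'route <iface> <net> <mask> <gateway> [metric]' and install it.

        The metric defaults to 1 when omitted (assumed default)."""
        parts = statement.split()
        if len(parts) not in (5, 6) or parts[0] != "route":
            raise ValueError(f"not a route statement: {statement!r}")
        iface, net, mask, gw = parts[1:5]
        metric = int(parts[5]) if len(parts) == 6 else 1
        if iface not in self.interfaces:
            raise ValueError(f"unknown interface {iface!r}")
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        gateway = ipaddress.ip_address(gw)
        for r in self.routes:
            if r.kind == "STATIC" and r.network == network and r.gateway == gateway:
                if r.metric == metric:
                    return r  # exact duplicate: nothing new to install
                # Same prefix, same gateway, different metric is rejected.
                raise ValueError(
                    f"duplicate route {network} via {gateway} with a different metric")
        # Same prefix via a *different* gateway (and metric) is accepted; lookup then
        # prefers the lowest metric among equal-length prefixes.
        route = Route(iface, network, gateway, metric, "STATIC")
        self.routes.append(route)
        return route

    def lookup(self, destination):
        """Return (route, address_to_arp_for) for a destination, or None if unroutable."""
        dst = ipaddress.ip_address(destination)
        candidates = [r for r in self.routes if dst in r.network]
        if not candidates:
            return None
        # Longest prefix wins; among equal prefixes the lowest metric wins.
        best = max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))
        # When the gateway is one of the PIX's own interface addresses (always true for
        # CONNECT entries), the PIX ARPs for the destination instead of for the gateway.
        arp_target = dst if best.gateway in self.own_ips else best.gateway
        return best, arp_target


def build_sample_table():
    """Table holding the two 'virtual subnet' routes quoted from the Cisco notes plus a
    constructed default route and a constructed route whose gateway is the PIX itself."""
    table = PixRouteTable(INTERFACES)
    table.add("route outside 10.2.2.8 255.255.255.248 192.168.1.3")
    table.add("route outside 10.2.2.8 255.255.255.255 192.168.1.1")
    table.add("route outside 0.0.0.0 0.0.0.0 192.168.1.1")   # assumed default route
    table.add("route inside 10.5.0.0 255.255.0.0 10.1.1.1")  # gateway = own inside IP
    return table


if __name__ == "__main__":
    t = build_sample_table()
    for dst in ("10.2.2.8", "10.2.2.9", "10.1.1.50", "10.5.7.7", "203.0.113.9"):
        route, arp = t.lookup(dst)
        print(f"{dst:>12} -> {route.kind:7} {route.network} via {route.gateway} "
              f"[{route.iface}] ARP for {arp}")
```

Running it shows 10.2.2.8 going to 192.168.1.1 through the /32 entry while 10.2.2.9 goes to 192.168.1.3 through the /29, and traffic for the 10.5.0.0/16 route being ARPed for directly because its gateway is the PIX's own inside address. Adding a second route for 10.2.2.8/29 via 192.168.1.3 with a different metric raises, as the quoted notes say the PIX would refuse it, while the same prefix via a different gateway is accepted.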
