Re: Firewalls and VPNs

Scott M. Trieste Tue, 20 Feb 2001 15:32:02 -0800
What are you talking about?

A PIX is nothing more than a router with ONLY Ethernet interfaces.  You mean
to tell me that
the "route (interface) dest address, dest mask, next hop, metric" command
doesn't actually route?

Just my $.02.

-Scott

""Jason"" <[EMAIL PROTECTED]> wrote in message
96l2j0$uh4$[EMAIL PROTECTED]">news:96l2j0$uh4$[EMAIL PROTECTED]...
> As someone said yesterday: The PIX will not route, period.  It will NAT
> (including NAT 0), but it will not route packets between different
networks.
> If you need routing off any interface on a PIX, you need a router there.
>
> --
> Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
> List email: [EMAIL PROTECTED]
> Homepage: http://jason.artoo.net/
> Cisco resources: http://r2cisco.artoo.net/
>
>
> "anthony kim" <[EMAIL PROTECTED]> wrote in message
> [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > A device can best be described by its chief function. You can use a
> > PIX as a router, just allow everything through. In fact you can use a
> > router as a firewall, be selective with access lists. Terminology is
> > flexible as long as you're pragmatic about function.
> >
> >
> > On Fri, Feb 16, 2001 at 10:52:06AM -0800, Dan West wrote:
> > >PIX - sounds like a router to me - packet forwarding
> > >based on layer 3 addressing. It has extra security
> > >features and all of a sudden it's a
> > >firewall...marketing fluff? or accurate description???
> > >who will uncover this mystery????  ;>
> > >
> > >--- mtieast <[EMAIL PROTECTED]> wrote:
> > >> I think this comes from the fact that cisco
> > >> instructors in class say that
> > >> the Pix is not a router. I have heard this as well
> > >> when I had the class.
> > >>
> > >> I know the Pix is not a router, but does it route?
> > >> Well, if making decisions
> > >> about where to send traffic based on layer 3 info is
> > >> routing then I would
> > >> argue it does route. It does not forward traffic
> > >> based on layer 2 info so
> > >> ......
> > >>
> > >> It routes traffic to the appropriate interface. Can
> > >> someone else shed some
> > >> light as to why this is said. If it doesn't route
> > >> the traffic it recieves
> > >> what does it do?
> > >>
> > >>
> > >>
> > >> -----Original Message-----
> > >> From: haroldnjoe <[EMAIL PROTECTED]>
> > >> Newsgroups: groupstudy.cisco
> > >> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> > >> Date: Friday, February 16, 2001 12:41 PM
> > >> Subject: Firewalls and VPNs
> > >>
> > >>
> > >> >I've read here a couple of times that PIX's don't
> > >> route. Period. In light
> > >> of
> > >> >this I'm left a little confused as to a proposed
> > >> network map I was given
> > >> >recently.
> > >> >
> > >> >The core layer router is a 3640 linking all of our
> > >> branch offices together.
> > >> >From the 3640, there is an ethernet connection to a
> > >> PIX 515R.  From the
> > >> PIX,
> > >> >there is another ethernet connection to a 1750
> > >> router. The 1750 connects
> > >> via
> > >> >T1 to our ISP.  There is yet another ethernet
> > >> connection from the PIX to
> > >> the
> > >> >isolation lan, on which resides an internet
> > >> mail/web server and a VPN 3000
> > >> >concentrator.
> > >> >
> > >> >If PIX's don't route, what subnet is the isolation
> > >> lan going to sit on?  As
> > >> >I understand it, the PIX will be providing NAT
> > >> functionality for the 3640
> > >> >and everything behind it.  So I would assume that
> > >> the T1 and ethernet
> > >> >interfaces on the 1750, the outside interfaces on
> > >> the PIX, and everything
> > >> in
> > >> >the isolation lan including the VPN concentrator
> > >> will have to have public
> > >> IP
> > >> >addresses which will be given to us by our ISP.
> > >> The way the map is layed
> > >> >out, it looks to me like the isolation lan would
> > >> have to be on its own
> > >> >subnet.
> > >> >
> > >> >What am I missing?  If the PIX doesn't route, do
> > >> it's ethernet interfaces
> > >> >reside on the same subnet as the isolation lan?  If
> > >> so, then the ethernet
> > >> >interface on the 1750 must also be on that subnet,
> > >> right?
> > >> >
> > >> >This is the proposed network map that Cisco's
> > >> presale engineers gave me.
> > >> >I'm sure it's a solid design, but I'm still trying
> > >> to work out the details
> > >> >so that I understand what I'm implementing (always
> > >> a good thing, I think).
> > >> >
> > >> >Thanks for your time,
> > >> >
> > >> >[EMAIL PROTECTED]
> > >> >
> > >> >
> > >> >_________________________________
> > >> >FAQ, list archives, and subscription info:
> > >> http://www.groupstudy.com/list/cisco.html
> > >> >Report misconduct and Nondisclosure violations to
> > >> [EMAIL PROTECTED]
> > >> >
> > >>
> > >> _________________________________
> > >> FAQ, list archives, and subscription info:
> > >> http://www.groupstudy.com/list/cisco.html
> > >> Report misconduct and Nondisclosure violations to
> > >[EMAIL PROTECTED]
> > >
> > >
> > >=====
> > >from The Big Lebowski...
> > >
> > >The Dude: You sure he won't mind?
> > >Bunny: Dieter doesn't care about anything. He's a nihilist.
> > >The Dude: Ohhh, that must be exhausting...
> > >
> > >__________________________________________________
> > >Do You Yahoo!?
> > >Get personalized email addresses from Yahoo! Mail - only $35
> > >a year!  http://personal.mail.yahoo.com/
> > >
> > >_________________________________
> > >FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> > >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
>
> _________________________________
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>


_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Firewalls and VPNs

Reply via email to
