Actually that's not quite true.  While most, if not all, commercial FW's
support NAT, there are some notable FW software sets that are pretty
strictly proxy based.  The FW toolkit comes to mind for one. (FWTK) This is
the code that the Gauntlet firewall is based on.  There are also FW's that
support NAT but also support true proxies such as Gauntlet and Raptor.  The
PIX can _only_ do NAT, it has no proxy functionality. (what they call a
cut-through proxy is a "proxy" only from an authentication perspective)

I think the point of the NAT comment though was that the PIX is very limited
in its routing ability and generally will only function for packets to come
in one interface and go out another, as opposed to other FW's which can
support more advanced IP forwarding. (such as one-armed routing/filtering)

Regards,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Patrick Ramsey
Sent: Tuesday, December 04, 2001 12:08 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX [7:28083]


Isn't that what all firewalls do?  Static translation from the outside to
the inside with various rules.  Aside from protocol analysing, I would say
all firewalls are NAT boxes.

-Patrick

>>> "Kevin Welch"  12/04/01 01:46PM >>>
That is very correct.  The pix is more a NAT box than anything (sorry if
this offends anyone).

-- Kevin Welch


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Michael J. Doherty
Sent: Tuesday, December 04, 2001 12:33 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX [7:28083]

The PIX has limited routing capabilities (in order to allow packets through
the firewall).  It cannot route packets out the same interface that it
arrived on.  If it does not have a route to a host on another interface, it
will drop the packet.  (my understanding, anyway, feel free to correct any
inaccuracies).

Mike

----- Original Message -----
From: "BASSOLE Rock"
To:
Sent: Tuesday, December 04, 2001 12:03
Subject: PIX [7:28083]


> Hi group,
>
>
> I'm using a PIX with 2 interfaces (inside and outside).
>
> -Security level for the inside interface is 100.
> -Security level for the outside interface is 0.
>
> Is it possible to use the PIX to route a specific host installed on the
> outside interface towards another subnet (still on the outside interface)?
>
> Will the packet be dropped because the host is on the outside interface?
>
> Regards,
>
> Rock BASSOLE
> Tel: +33 (0) 1 45 96 22 03

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=28127&t=28083