I recollect someone posted requesting info about the PIX 501. Here's my take.
It's pretty decent, depending on what you want to do. A drawback on it, IMO, is the difficulty in getting it to pass GRE traffic. With my GNATBox (and AIUI the Linksys boxes, etc.), they pass GRE very transparently. With the PIX though, you need multiple IP addresses (in my experience, and based on the lack of response to alternatives on this list and the TAC) to do it. If you are talking about putting it at people's homes, that could be a problem. The workaround that I found acceptable is to treat the home user as a remote office and terminate the VPN at the PIX. A drawback is that any computers in the remote user's home could potentially traverse the link... but you can always lock it down with ACLs if you really want to.

The PDM is no substitute for the CLI. I could not have configured a working configuration if I didn't know the CLI (and I could stand to know it even better quite frankly).

PAT is cool, but has a drawback in my mind - it won't pass FTP inbound traffic unless the FTP client uses PASV. That means no IE and no ftp.exe on MS systems. Granted, any decent FTP client makes this a null issue, and it's a security hole to not use PASV, but it is one more difficult aspect to deal with, especially with "stupid users".

So my thoughts? If you have the luxury of multiple IP addresses for the outside interface, I think the PIX would make a great solution. If you don't, I think it is still a good solution, but it is going to require a better degree of understanding and skillset than working on a Linksys box, etc.

BTW, if anyone is keeping track, I got the PIX to connect to the Contivity (obviously), with the help of a gentleman at the TAC. Turned out that the Contivity didn't like AH... and after an education by the TAC person, we should have been just using ESP anyway...

Have a good weekend!!

Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412 [EMAIL PROTECTED] http://www.bmc.com
