RE: [fw-wiz] Skip the PDM

From: Crissup, John (MBNP is) (
Date: 11/20/03

    Date: Thu, 20 Nov 2003 09:43:55 -0600

      I agree with your thoughts about the PDM. You are correct, in that the
    PDM simply converts the various settings to character based commands and
    enters them into the PIX. In fact, you can even review the command lines
    before you apply them.

      As for myself, I played with the PDM for about three days when I first
    installed our two model 520 PIXes. I quickly abandoned that idea for the
    command line instead. Of course, I'm an old DOS guy who really can't stand
    graphical interfaces anyway. I've always believed graphical interfaces are
    for monkeys who want to claim to be admins without having to learn how to
    actually administer the device. ;-)

    -----Original Message-----
    From: Robert Fenerty []
    Sent: Wednesday, November 19, 2003 6:42 PM
    Subject: [fw-wiz] Skip the PDM
    Although I sense that many subscribers to this list are of the
    ipchains/linux ilk, I thought I'd tell you about my experience
    configuring a PIX 501 at a client's site.  A pretty standard setup,
    which took me THREE AND A HALF HOURS to install.  I think we can all
    agree that I'm not a firewall wizard.  Maybe an apprentice to the guy
    who mixes the mortar for the firewall.
    The PIX Device Manager (PDM) is a GUI-based app that runs as a web
    server on the PIX 501.  The 501's a tiny SOHO box with a Command-Line
    Interface (CLI) fairly similar to those found on Cisco routers.  The
    differences tripped me up a bit; like grep options on HP-UX if you were
    raised on Sun.
    So to "speed things up" I tried using the PDM.  Bad idea.  In my network
    design, the office network uses the 172.16.x.y network to avoid any
    routing problems that might arise when remote workers with 192.168.x.y
    home networks connect to the office via software VPN.
    So I tell the GUI that the "inside" interface is, and the
    DHCP pool starts at .2.  Specify the gateway, DNS, etc. and you're done.
    Right?  Wrong.  I'm guessing that the PDM just collects command lines
    and sends them to the PIX.
    The first error pops up when "ip address inside"
    conflicts with the factory default DHCP pool, which starts at  So the interface IP isn't changed.  And the request to
    change the DHCP pool doesn't match the still-unchanged factory IP
    address, so that's ignored too.  At least the PDM pops up error messages,
    and it was pretty obvious to me what was going on.  So I fixed it.
    But the client paid $500 for this box.  And a $100 Linksys or SMC box
    wouldn't have had this problem.  You'd think Cisco could do better.
    Then the DHCP server on the PIX wouldn't vend IP addresses.  No sniffer
    handy, so I tried various debug options on the PIX.  Finally got an
    error message from the DHCPD saying that DHCP wasn't enabled.  This was
    odd, considering that "dhcp enable inside" and other dhcp settings were
    in place.  I don't know what I did to kick start it, but it eventually
    started lending everyone IP addresses from its stingy pool of 32 DHCP
    leases.  It was pretty easy to set up the rest of it.
    Anyway, the point of this message was to say that the PDM is a rotten
    little piece of software that only confuses things.  So skip the PDM.
    Robert Fenerty
    firewall-wizards mailing list
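Both messages above make the same point: the PDM just emits PIX CLI lines, and the 501 rejected them because they arrived in an order the box could not accept (new interface address while the factory DHCP pool still sat in the old subnet, then a new pool that did not match the unchanged interface). The following is an added example, not the PDM's output or anything from Cisco or the posters: a small Python script that checks a proposed inside address and DHCP pool against each other before anything is sent, and emits the CLI lines in an order that removes the old pool first. The factory-default values, the 32-lease limit, and the exact PIX 6.x command syntax (ip address, dhcpd address, dhcpd enable) are assumptions; compare them with the box's own running config and documentation before pasting anything in.

```python
"""Order PIX 6.x inside-interface and DHCP commands so they do not conflict,
and sanity-check the pool first.

Added example for the fw-wiz thread; not the PDM's code or Cisco's.  The
command syntax and the factory-default values below are assumptions.
"""
import ipaddress

# Constructed: assumed factory-default PIX 501 inside settings.  Only used to
# show why 'ip address inside' collides with the default pool.
FACTORY_INSIDE_IP = "192.168.1.1"
FACTORY_MASK = "255.255.255.0"
FACTORY_POOL = ("192.168.1.2", "192.168.1.33")

# Assumed license limit mentioned in the thread (32 DHCP leases on a 501).
MAX_501_LEASES = 32


class ConfigError(ValueError):
    """Raised when the requested pool cannot work with the requested interface."""


def pool_size(pool_start, pool_end):
    """Number of addresses in an inclusive start-end pool."""
    return int(ipaddress.ip_address(pool_end)) - int(ipaddress.ip_address(pool_start)) + 1


def pool_in_subnet(iface_ip, mask, pool_start, pool_end):
    """True if the whole pool lies inside the interface's subnet and does not
    include the interface's own address."""
    net = ipaddress.ip_interface(f"{iface_ip}/{mask}").network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if end < start:
        raise ConfigError("pool end precedes pool start")
    iface = ipaddress.ip_address(iface_ip)
    return start in net and end in net and not (start <= iface <= end)


def plan_inside_commands(iface_ip, mask, pool_start, pool_end,
                         current_pool=FACTORY_POOL, max_leases=MAX_501_LEASES):
    """Return CLI lines in an order the PIX will accept.

    The failure described in the thread is a dependency cycle: the new
    interface address is rejected while the old pool still lives in the old
    subnet, and the new pool is rejected because the interface address has not
    changed.  Disabling DHCP and removing the old pool first breaks the cycle.
    All checks run before any line is produced, so nothing half-applied is
    ever sent to the box.
    """
    if not pool_in_subnet(iface_ip, mask, pool_start, pool_end):
        raise ConfigError("DHCP pool is not inside the new interface subnet")
    if pool_size(pool_start, pool_end) > max_leases:
        raise ConfigError(f"pool exceeds the assumed {max_leases}-lease limit")
    return [
        "no dhcpd enable inside",
        f"no dhcpd address {current_pool[0]}-{current_pool[1]} inside",
        f"ip address inside {iface_ip} {mask}",
        f"dhcpd address {pool_start}-{pool_end} inside",
        "dhcpd enable inside",
    ]


if __name__ == "__main__":
    # Constructed input matching the thread: office LAN on 172.16.x.y,
    # pool starting at .2, 32 leases.
    for line in plan_inside_commands("172.16.1.1", "255.255.255.0",
                                     "172.16.1.2", "172.16.1.33"):
        print(line)
```

Printing the list and reading it before applying is the same "review the command lines first" step the reply recommends; the difference from the PDM is that the ordering and the subnet/lease checks happen before the first line reaches the PIX, so an out-of-subnet pool or an oversized range fails on the workstation rather than as a half-applied change on the firewall.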
