RE: [fw-wiz] Skip the PDM
From: Karl D. Mueller (karlm_at_acshelp.com)
To: "Robert Fenerty" <email@example.com>, <firstname.lastname@example.org> Date: Thu, 20 Nov 2003 12:40:58 -0500
I suspect that most people who buy PIX firewalls wouldn't use PDM to
begin with. Most newer IOS's for their routers have an ip http server
built-in (which is thankfully disabled by default). Cisco is not good at
adding web interfaces to their devices, so we'll just leave it at that
The major problem I've had with gui interfaces is keeping consistant
configs across a network and updating/creating configs for large numbers
of devices. Although netscreen has a nifty copy and paste CLI config
updater built in to it's web gui (but you can admin screenOS through a
CLI as well).
I don't consider the PIX a consumer-grade (plug-n-play) product anyway,
so I'd never suggest it to anyone who isn't at least familiar with
configuring cisco routers and knows some firewall theory.
Karl Mueller CCNP
Office - 703 369 9800
Mobile - 703 946 6638
From: Robert Fenerty [mailto:email@example.com]
Sent: Wednesday, November 19, 2003 7:42 PM
Subject: [fw-wiz] Skip the PDM
Although I sense that many subscribers to this list are the of the
ipchains/linux ilk, I thought I'd tell you about my experience
configuring a PIX 501 at a client's site. A pretty standard setup,
which took me THREE AND A HALF HOURS to install. I think we can all
agree that I'm not a firewall wizard. Maybe an apprentice to the guy
who mixes the mortar for the firewall.
The PIX Device Manager (PDM) is a GUI-based app that runs as a web
server on the PIX 501. The 501's a tiny SOHO box with a Command-Line
Interface (CLI) fairly similar to those found on Cisco routers. The
differences tripped me up a bit; like grep options on HP-UX if you were
raised on Sun.
So to "speed things up" I tried using the PDM. Bad idea. In my network
design, the office network uses the 172.16.x.y network to avoid any
routing problems that might arise when remote workers with 192.168.x.y
home networks connect to the office via software VPN.
So I tell the GUI that the "inside" interface is 172.16.1.1, and the
DHCP pool starts at .2. Specify the gateway, DNS, etc. and you're done.
Right? Wrong. I'm guessing that the PDM just collects command lines
and sends them to the PIX.
The first error pops up when "ip address inside 172.16.1.1 255.255.0.0"
conflicts with the factory default DHCP pool, which starts at
192.168.1.2. So the interface IP isn't changed. And the request to
change the DHCP pool doesn't match the still-unchanged factory IP
address, so that's ignored too. At least the PDM pops up error messages,
and it was pretty obvious to me what was going on. So I fixed it
But the client paid $500 for this box. And a $100 Linksys or SMC box
wouldn't have had this problem. You'd think Cisco could do better.
Then the DHCP server on the PIX wouldn't vend IP addresses. No sniffer
handy, so I tried various debug options on the PIX. Finally got an
error message from the DHCPD saying that DHCP wasn't enabled. This was
odd, considering that "dhcp enable inside" and other dhcp settings were
in place. I don't know what I did to kick start it, but it eventually
started lending everyone IP addresses from its stingy pool of 32 DHCP
leases. It was pretty easy to setup the rest of it.
Anyway, the point of this message was to say that the PDM is a rotten
little piece of software that only confuses things. So skip the PDM.
firewall-wizards mailing list firstname.lastname@example.org
firewall-wizards mailing list