Re: [Full-Disclosure] PIX vs CheckPoint

From: Jim Burwell (jimb_at_jsbc.cc)
Date: 06/30/04

    To: lists@venom600.org
    Date: Wed, 30 Jun 2004 13:42:18 -0700
    
    

    Heh. That also surprised me when I started working w/ PIX. The fact you
    needed some sort of NAT statement to pass traffic regardless of whether you
    were NATing had me shaking my head. Not too surprising I guess, since if
    I recall, PIXes came from the Cisco acquisition of a company called
    Network Translation.

    PIXes aren't really routers either, like many firewalls. This is evident
    from the fact that PIXes can't route traffic back out the same interface
    they received the traffic on. You have to be conscious of these
    limitations when doing network design in the presence of PIXes.

    For instance, if you want to stand up a small VPN access router on a
    typical small LAN where the PIX is the default route, the VPN router
    can't be put in parallel with the PIX unless you either: a) change the
    LAN's default route to the VPN router (bad if most traffic taking the
    default route is bound for the internet, it'd just get bounced right to
    the PIX and put load on your poor little access router). b) put static
    routes for the appropriate networks on all hosts (yeah right). c) run a
    dynamic routing protocol on all hosts (not gonna happen). The solution
    in these situations, aside from buying a new "core" or "choke" router
    for the network, is to put the inside interface of the VPN access
    router off of a DMZ interface of a PIX, or spare interface if
    available. The PIX is perfectly happy to route the traffic to your
    router as long as it passes through the PIX and exits a different
    interface. Always seemed kind of silly to me.

    - Jim

    Ben Nelson wrote:

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > You must have some statics in place then, which is a static 'NAT'
    > translation.
    >
    > Cyril Guibourg wrote:
    > | "Otero, Hernan (EDS)" <HOtero@lanchile.cl> writes:
    > |
    > |
    > |>I think you do, because at least a nat 0 it's needed to get traffic
    > |>passing through the pix.
    > |
    > |
    > | This is odd, I do have a running config under 6.2 without any nat
    > | statement.
    > |
    > | _______________________________________________
    > | Full-Disclosure - We believe in it.
    > | Charter: http://lists.netsys.com/full-disclosure-charter.html
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.2.4 (GNU/Linux)
    >
    > iD8DBQFA4wsz3cL8qXKvzcwRArrMAJ9Otrq2qHTR4JV2ajPs7bemcR4WwwCcD++K
    > LO+GQKUn4B8NRt8zbCq2GaI=
    > =DTNj
    > -----END PGP SIGNATURE-----
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html

    -- 
    +---------------------------------------------------------------------------+
    |         Jim Burwell - Sr. Systems/Network/Security Engineer, JSBC         |
    +---------------------------------------------------------------------------+
    | "I never let my schooling get in the way of my education." - Mark Twain   |
    | "UNIX was never designed to keep people from doing stupid things, because |
    |  that policy would also keep them from doing clever things." - Doug Gwyn  |
    | "Cool is only three letters away from Fool" - Mike Muir, Suicyco          |
    | "..Government in its best state is but a necessary evil; in its worst     |
    |  state an intolerable one.." - Thomas Paine, "Common Sense" (1776)        |
    +---------------------------------------------------------------------------+
    |   Email:  jimb@jsbc.cc                              ICQ UIN:  1695089     |
    +---------------------------------------------------------------------------+
    |  Reply problems ?  Turn off the "sign" function in email prog.  Blame MS. |
    +---------------------------------------------------------------------------+
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
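As an added example (not part of Jim's post or anything else in this thread), below is a PIX 6.x-style configuration fragment for the design he describes: the inside interface of the VPN access router hangs off a spare PIX interface named dmz instead of sitting in parallel on the inside LAN, so LAN-to-VPN traffic enters the PIX on inside and leaves on dmz, which satisfies the "must exit a different interface" rule. Every address, the interface names, and the remote VPN subnet 10.200.0.0/16 are made up for illustration; lines starting with ":" are comments. Whether the identity translations shown here are strictly required depends on the software version and which interface pairs carry the flow; the thread itself disagrees on that point, so check against your own running config.

```text
: Interfaces: outside = Internet, inside = user LAN, dmz = spare interface
: that now carries the inside side of the VPN access router (192.168.50.2).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

ip address outside 203.0.113.2 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.50.1 255.255.255.0

: Hosts on the LAN keep the PIX as their default gateway. The PIX sends
: Internet traffic out outside and the remote VPN site out dmz, toward
: the VPN router's inside address, so no per-host routes are needed.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route dmz 10.200.0.0 255.255.0.0 192.168.50.2 1

: Internet-bound LAN traffic is PATed to the outside interface address.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

: LAN <-> VPN-site traffic must pass untranslated. nat 0 with an ACL
: exempts it (nat 0 takes precedence over the nat 1 line above), and the
: identity static lets connections initiated from the remote site reach
: the inside subnet through the lower-security dmz interface.
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.200.0.0 255.255.0.0
nat (inside) 0 access-list nonat
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

: dmz is lower security than inside, so traffic arriving from the VPN
: site toward the LAN needs an explicit inbound ACL on dmz.
access-list dmz_in permit ip 10.200.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-group dmz_in in interface dmz
```

The point of the layout is the route statement on dmz: because the remote subnet is reachable only through that interface, a LAN host can use the PIX as its single default gateway and the PIX does the split between Internet and VPN traffic itself, which is exactly what it cannot do if the VPN router sits on the inside segment and the reply would have to go back out inside.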
    
