Message-ID: <40E325AA.5080003@jsbc.cc>
From: jimb at jsbc.cc (Jim Burwell)
Subject: PIX vs CheckPoint
Heh. That also surprised me when I started working w/ PIX. The fact you
needed some sort of NAT statement to pass traffic regardless of whether you
were NATing had me shaking my head. Not too surprising I guess, since if
I recall, PIXes came from the Cisco acquisition of a company called
Network Translation.
PIXes aren't really routers either, like many firewalls. This is evident
by the fact that PIXes can't route traffic back out the same interface
it received the traffic on. You have to be conscious about these
limitations when doing network design in the presence of PIXes.
For instance, if you want to stand up a small VPN access router on a
typical small LAN where the PIX is the default route, the VPN router
can't be put in parallel with the PIX unless you either: a) change the
LAN's default route to the VPN router (bad if most traffic taking the
default route is bound for the internet, it'd just get bounced right to
the PIX and put load on your poor little access router). b) put static
routes for the appropriate networks on all hosts (yeah right). c) run a
dynamic routing protocol on all hosts (not gonna happen). The solution
in these situations, aside from buying a new "core" or "choke" router
for the network, is to put the inside interface of the VPN access
router off of a DMZ interface of a PIX, or spare interface if
available. The PIX is perfectly happy to route the traffic to your
router as long as it passes through the PIX and exits a different
interface. Always seemed kind of silly to me.
- Jim
Ben Nelson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> You must have some static's in place then, which is a static 'NAT'
> translation.
>
> Cyril Guibourg wrote:
> | "Otero, Hernan (EDS)" <HOtero@...chile.cl> writes:
> |
> |
> |>I think you do, because at least a nat 0 it's needed to get traffic
> passing
> |>through the pix.
> |
> |
> | This is odd, I do have a running config under 6.2 without any nat
> statement.
> |
> | _______________________________________________
> | Full-Disclosure - We believe in it.
> | Charter: http://lists.netsys.com/full-disclosure-charter.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFA4wsz3cL8qXKvzcwRArrMAJ9Otrq2qHTR4JV2ajPs7bemcR4WwwCcD++K
> LO+GQKUn4B8NRt8zbCq2GaI=
> =DTNj
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
--
+---------------------------------------------------------------------------+
| Jim Burwell - Sr. Systems/Network/Security Engineer, JSBC |
+---------------------------------------------------------------------------+
| "I never let my schooling get in the way of my education." - Mark Twain |
| "UNIX was never designed to keep people from doing stupid things, because |
| that policy would also keep them from doing clever things." - Doug Gwyn |
| "Cool is only three letters away from Fool" - Mike Muir, Suicyco |
| "..Government in its best state is but a necessary evil; in its worst |
| state an intolerable one.." - Thomas Paine, "Common Sense" (1776) |
+---------------------------------------------------------------------------+
| Email: jimb@...c.cc ICQ UIN: 1695089 |
+---------------------------------------------------------------------------+
| Reply problems ? Turn off the "sign" function in email prog. Blame MS. |
+---------------------------------------------------------------------------+
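The two points argued in this thread (a PIX passes nothing for a source that has no translation rule, even an identity one, and it will not forward a packet back out the interface it arrived on) are easiest to see in a config. The fragment below is an added illustration written for this archive page, not configuration from the poster or from Cisco, and it assumes PIX 6.x syntax plus made-up addresses and names: inside 10.1.0.0/16, a dmz segment 192.168.2.0/24, a VPN access router whose inside interface is 192.168.2.2 on that dmz, and a remote network 10.2.0.0/16 behind the VPN.

```cisco
! Assumed topology (not from the original post): inside 10.1.0.0/16,
! dmz 192.168.2.0/24, VPN access router at 192.168.2.2 on the dmz,
! remote site 10.2.0.0/16 reachable only through that router.
nameif ethernet2 dmz security50

! A source with no matching nat/static entry is dropped (syslog
! "No translation group found") even when no address rewriting is wanted.
! Identity NAT (nat 0) satisfies that requirement for inside -> remote
! traffic that has to keep its real addresses on the way into the tunnel.
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! Everything else from inside still PATs behind the outside address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Identity static from dmz toward inside so that connections initiated
! from the remote site reach inside hosts un-rewritten.
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

! Route the remote network to the VPN router on the dmz. The packet enters
! on inside and leaves on dmz, so the PIX forwards it. The same route with
! the router sitting on the inside segment would not work: the PIX refuses
! to send a packet back out the interface it came in on.
route dmz 10.2.0.0 255.255.0.0 192.168.2.2 1

! dmz is lower security than inside, so remote-site traffic needs an
! explicit permit to come back in.
access-list DMZ_IN permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group DMZ_IN in interface dmz
```

The practical check is `show xlate` and `show conn` while a host on inside talks to 10.2.0.0/16: with the `nat 0` line present you see an identity xlate and a connection on (inside,dmz); remove it and the connection never builds, which is the behaviour the thread is describing.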