
Re: [Full-Disclosure] PIX vs CheckPoint



Heh. That also surprised me when I started working w/ PIX. The fact you needed some sort of NAT statement to pass traffic regardless of whether you were NATing had me shaking my head. Not too surprising I guess, since if I recall, PIXes came from the Cisco acquisition of a company called Network Translation.

PIXes aren't really routers either, like many firewalls. This is evident from the fact that PIXes can't route traffic back out the same interface they received the traffic on. You have to be conscious of these limitations when doing network design in the presence of PIXes.

For instance, if you want to stand up a small VPN access router on a typical small LAN where the PIX is the default route, the VPN router can't be put in parallel with the PIX unless you either: a) change the LAN's default route to the VPN router (bad if most traffic taking the default route is bound for the internet; it'd just get bounced right to the PIX and put load on your poor little access router), b) put static routes for the appropriate networks on all hosts (yeah right), or c) run a dynamic routing protocol on all hosts (not gonna happen). The solution in these situations, aside from buying a new "core" or "choke" router for the network, is to put the inside interface of the VPN access router off of a DMZ interface of the PIX, or a spare interface if available. The PIX is perfectly happy to route the traffic to your router as long as it passes through the PIX and exits a different interface. Always seemed kind of silly to me.

- Jim


Ben Nelson wrote:


You must have some statics in place then, which is a static 'NAT'
translation.

Cyril Guibourg wrote:
| "Otero, Hernan         (EDS)" <HOtero@xxxxxxxxxxx> writes:
|
|
|>I think you do, because at least a nat 0 is needed to get traffic passing
|>through the pix.
|
|
| This is odd, I do have a running config under 6.2 without any nat
| statement.
|
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html


--
+---------------------------------------------------------------------------+
|         Jim Burwell - Sr. Systems/Network/Security Engineer, JSBC         |
+---------------------------------------------------------------------------+
| "I never let my schooling get in the way of my education." - Mark Twain   |
| "UNIX was never designed to keep people from doing stupid things, because |
|  that policy would also keep them from doing clever things." - Doug Gwyn  |
| "Cool is only three letters away from Fool" - Mike Muir, Suicyco          |
| "..Government in its best state is but a necessary evil; in its worst     |
|  state an intolerable one.." - Thomas Paine, "Common Sense" (1776)        |
+---------------------------------------------------------------------------+
|   Email:  jimb@xxxxxxx                              ICQ UIN:  1695089     |
+---------------------------------------------------------------------------+
|  Reply problems ?  Turn off the "sign" function in email prog.  Blame MS. |
+---------------------------------------------------------------------------+
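The two points made in this thread (the PIX wants a nat statement even when nothing is actually being translated, and a VPN router has to hang off a separate PIX interface because the PIX will not send traffic back out the interface it arrived on) as a constructed PIX 6.3 configuration. This is an added example and not a config posted by anyone in the thread; every address, interface name and ACL name in it is hypothetical. One caveat for anyone reading this later: PIX 7.0 added `same-security-traffic permit intra-interface`, which lifts the same-interface restriction, so the DMZ workaround below is specific to 6.x.

```text
: Constructed example for a three-interface PIX running 6.3.
: Hypothetical topology: inside 10.1.0.0/16, dmz 192.168.10.0/24, and a
: remote VPN network 10.2.0.0/16 reached via a VPN access router whose
: inside interface is 192.168.10.2 on the dmz.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.1.0.1 255.255.0.0
ip address dmz 192.168.10.1 255.255.255.0

: Ordinary Internet-bound traffic is PAT'd to the outside interface address.
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0 0 0

: NAT exemption. The inside <-> VPN network traffic is NOT translated, but
: without some nat statement covering it the PIX refuses to pass it (the
: point made upthread). Since 6.2, nat 0 access-list is bidirectional, so
: the one ACL also covers sessions initiated from the 10.2.0.0/16 side.
: The second line lets inside hosts reach the router itself for management.
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
: Equivalent alternative mentioned by Ben: an identity static, e.g.
: static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0

: Routing. The VPN network is reached through the router on the dmz, so a
: packet for 10.2.x.x enters on inside and leaves on dmz, which the PIX is
: happy to do. Had the router been on the LAN, the packet would have to go
: back out the inside interface, which a 6.x PIX will not do.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route dmz 10.2.0.0 255.255.0.0 192.168.10.2 1

: dmz is lower security than inside, so sessions initiated from the VPN
: network toward the LAN need an explicit ACL on the dmz interface. Return
: traffic for inside-initiated sessions passes on state and needs no entry.
access-list dmz_in permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group dmz_in in interface dmz
```

To check that the exemption is actually hitting, `show xlate` should show no entries for 10.1.x.x <-> 10.2.x.x flows while `show conn` shows them established; if you instead see a 10.1.x.x host translated to the outside interface address when talking to 10.2.x.x, the NONAT ACL is not matching and the traffic is falling through to the PAT rule.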

