pix questions

Posted on 2005-02-28
Medium Priority
Last Modified: 2010-04-17
I have a pix 501. I noticed that not much configuration was needed to put it in place. Are all PIXs like this? Or do some of the other ones require more configuration?  what can I do to further configure this...as far as rules are concerned, inspection etc..
Question by:dissolved
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 43

Accepted Solution

JFrederick29 earned 1000 total points
ID: 13419027
The PIX 501 is your basic SOHO firewall, no routing protocols, no VLAN support, only an inside and outside interface, so yes, NAT, some static's/ACL's if desired, and VPN configuration are really the bulk of the PIX.  The more advanced PIX's support routing protocols, VLAN's, and can have many interfaces, which leads to DMZ configurations.  As far as wanting to configure more on the PIX, there really isn't that much more.  Hopefully though, because it doesn't appear to have as much configuration as a router or switch, you don't minimize the capabilites of the PIX.  It is a firewall foremost and that part it does very well.
LVL 79

Assisted Solution

lrmoore earned 1000 total points
ID: 13419223
Every PIX runs the exact same OS image, but the hardware limits use of some features and imbedded firmware limits use of some features (like a 10 user license limit on some 501's).
So, yes, even the big 535 is just that easy to get up and running out of the box for basic functionality.
If you really want to learn what all a pix can do, just look at the command reference guide..

Learn it all very well, and in a month or two you can throw all that away when PIX 7.0 is released. I read 23 pages of new feature descriptions...
It may be a mistake. The more feature filled, the more configurations available, the more suseptible to human error. After all, human error in configurations is at the root of 90% of breakins now.

Author Comment

ID: 13419618
Thanks. So basically, I wont do much more configuration to my PIX, than what I've already done?  (static routes, defining inside/outside interface etc..)
The more advanced PIXs are more like routers it seems.

Are PIX's easier to configure than routers?

Thanks for the heads up on the Pix 7.0. 23 pages of new features? Wow. Guess they dont follow K.I.S.S. philosophy
LVL 79

Expert Comment

ID: 13419746
The more advanced PIXs are no more like a router than yours is. They behave the same way, just have more memory to run more advanced features like VLANs and OSPF and multiple interfaces (up to 100 to be exact) for multiple DMZs.

I personally think that the PIX is easier than a router. No wildcard masks, everything uses subnet masks--even acls.
I like the quick look at performance graphs on the home page of the GUI.

Just remember that it is NOT a router and does not behave anything like a router.

I guess the market forces drives the feature set, not the security people...I can't tell you how many times I've had to tell someone that the PIX simply will not do what they want it to, no matter how big their hammer. I always hear "but my Linksys|D-link|Wal-Mart special would do that. You mean a $50 box is more capable than a $5000 box?" - D'OH! they just don't get it..
I'm trying my best to get hold of the PIX 7.0 code to see what it really does...Volunteered to beta test.. waiting patiently...


Author Comment

ID: 13420073
Thanks man. Let us know if you get a hold of the 7.0 and what you think about it.

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While it is possible to put two routes in place with the secondary having a higher metric, this may not always work. In the event of a failure that does not bring down the physical interface on the router the primary route is not removed. There is a…
I have seen some questions on problems with SSH/telnet access to Cisco routers that may occur despite the fact that from a PC connected to your LAN, Internet connectivity is in place and users can access Internet sites without any issues.  There are…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question