Re: Pix as router?



In article <76699e04-417d-467d-95b0-34fc83263091@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
<Bod43@xxxxxxxxxxxxx> wrote:
> I have a pix (well several) and just want a router (just one)
> for a private link. Pix is plenty man enough for the job and
> I don't need GRE or any dynamic routing.
> 
> Am I likely to regret it?
> 
> If I set inside and outside to security level 0
> and/or put permit ip any any on the interfaces
> am I likely to run into any unexpected (for someone who
> does not really understand the Pix but does understand
> routers) problems?
> 
> No NAT no nothing - just a basic IP router.

If you are running PIX 4, 5, or 6, then you cannot do that.
For one thing, in those versions, interfaces with the same
security level cannot communicate with each other. For another
thing, even when it is not doing NAT, PIX 4, 5, 6 *always* do
some checks such as that a SYN ACK was in response to an outgoing
SYN (there is a theory that using nat 0 access-list disables these
checks, but the documentation is less than clear on this.)
If you use 'static' commands then use the 'norandomseq' option.

PIX 4, 5, 6 are designed to always get in the way of traffic: they are
-designed- not to *forward* packets, but to instead -receive- packets
and build new outgoing packets. The theory is that if there was a
packet -forwarding- path, then some external hackery might potentially
fool the PIX into forwarding arbitrary hostile or misshaped packets --
so instead, packets are received and output packets are only built and
emitted in response to specific rules in the configuration. Tain't
designed to be able to "just pass along" whatever weirdness might
be in a packet, the way a router is.


The packet flow model was changed in PIX 7, so like the other poster
indicated, there are things you can do in PIX 7 point whatever;
these things Just Won't Work in PIX 4, 5, or 6.
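For anyone who wants to see what the above amounts to in an actual PIX 6.x configuration, here is an added example (not from the poster, and not a Cisco-published config) of the closest you can get to a "just route it" box on that code train. Interface names, addresses and access-list names are assumptions for illustration; the next-hop addresses are placeholders.

```cisco
! PIX 6.x: nearest approximation of a plain router between two links.
! Addresses, names and next hops below are made up for the example.
!
! Same security level on both interfaces will NOT pass traffic on
! PIX 6.x, so keep them different even though no NAT is intended.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
!
! Identity NAT via "nat 0 access-list": addresses are left untouched,
! but the stateful checks (SYN ACK must match an outgoing SYN, etc.)
! are still applied to every connection.
access-list NONAT permit ip any any
nat (inside) 0 access-list NONAT
!
! Identity static so the inside network is reachable from outside.
! Trailing "0 0 norandomseq" = unlimited conns, unlimited embryonic,
! and no rewriting of TCP initial sequence numbers.
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0 norandomseq
!
! Permit everything in both directions; one ACL per interface, and
! not the same ACL that "nat 0" uses.
access-list OUTSIDE_IN permit ip any any
access-group OUTSIDE_IN in interface outside
access-list INSIDE_IN permit ip any any
access-group INSIDE_IN in interface inside
!
! Static routes only; there is no dynamic routing on this box.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 10.2.0.0 255.255.0.0 10.1.1.254 1
```

Even with this in place, anything the PIX cannot track as a connection it initiated (asymmetric paths, a SYN ACK with no matching outgoing SYN, odd or malformed packets) is dropped rather than forwarded, which is the behaviour the reply above is warning about. On PIX 7.x the same-security-level restriction can be lifted with `same-security-traffic permit inter-interface`, which is the kind of change the reply refers to; that command does not exist on PIX 6.x.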


