[TriLUG] PIX 501 questions

Jon Carnes jonc at nc.rr.com
Fri Jan 31 00:56:43 EST 2003


First of all (no offense to anyone at Cisco) but the Pix 501 sucks.  I
would use a linksys box or an OpenBSD box over a Pix anytime.

A while back I tried in vain to do the same thing that you are doing, only
to eventually discover that I didn't have one of the many add-ons needed
to handle IPsec. And to get that add-on was going to cost my corp
mega-bucks! I hate products that advertise only the full capabilities of
the mega-unit and then nickel and dime you to death by making you buy
every little function to actually make the damn thing work (or work
similar to what they advertise).

You have to separate the real capabilities of your particular Pix 501
from the Marketing BS that surrounds the product (and here I have to
admit that my real problem with the Pix product line is with the
marketing BS that surrounds it). Check what your Pix is actually
licensed to do.

http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/px501_ds.htm

Good Luck - Jon Carnes

On Thu, 2003-01-30 at 23:19, Glen Ford wrote:
> Not a directly Linux related question, but I hope the good folks on this
> list might be able to help.
> In an effort to learn a little about Cisco Pix products I have swapped
> out my Linksys DSL router with a PIX 501.  I use the Linksys and now the
> pix as firewall between my home boxes and my RoadRunner cable modem.
> Pretty standard stuff.
> 
> 
> I am having two problems with my PIX 501.
> 
> 
> 1.  The outside interface of my PIX gets assigned by the ISP via dhcp.
> This works for the most part, except periodically I lose connectivity to
> my RoadRunner router.  I know this because my wife complains that she
> can not use the browser. I check the connection by pinging the router
> from the command line inside the PIX. The pings fail and I have to issue
> the following command to regain my connectivity: "ip address outside dhcp
> setroute retry 5".  This is proving to be irritating. Why does the
> outside PIX lose connectivity to the router?
> 
> 
> 2. With the Linksys I am able to use the Cisco VPN client for Linux without
> any problems.  I.e. from a server behind the Linksys I am able to establish a
> vpn connection to my corporate network.  This is an ipsec tunnel over UDP
> port 500 (esp).  The Linksys passes this traffic without any problems.
> linux (vpn client) ---> linksys ----> vpn end-point
> However when I use the PIX it does not work.  I know I am passing the
> udp port 500 traffic because I see it leaving the outside interface of
> the PIX.  I use the debug command to see it.  I do not see any reply traffic
> coming back from the vpn request.  The packets leaving the PIX are
> addressed with source of the outside interface and destination of my
> corporate vpn end point.  This all seems correct except I do not see any
> traffic coming back from the corporate end-point.  After some time the
> vpn client croaks and says that it timed out trying to make the connection.
> 
> Any help with either/both of these two questions would be much appreciated.
> 
> Thanks,
> /Glen
> 
> _______________________________________________
> TriLUG mailing list
>     http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
>     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
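The symptom in Glen's second question, IKE packets leaving the outside interface with nothing coming back, is the kind of thing a capture on that interface can confirm quickly if you tally each IPsec conversation by direction. The script below is an added example and is not code from the thread, from Cisco, or from TriLUG. It assumes a capture already summarised into one record per packet (src, dst, IP protocol, ports), works from a constructed sample rather than a real capture, and checks both halves of IPsec: IKE on UDP/500 (UDP/4500 when NAT traversal is in use) and ESP, which is IP protocol 50 rather than a UDP port, so a firewall that forwards UDP/500 can still drop the tunnel traffic itself. The peer addresses come from documentation ranges and are not real endpoints.

```python
from collections import defaultdict

UDP = 17
ESP = 50                   # ESP is its own IP protocol, not a UDP port
IKE_PORTS = {500, 4500}    # IKE, plus the NAT-T port that carries IKE and ESP


def ipsec_flow_key(pkt, local_ip):
    """Map one packet to ((peer, kind, port), direction), or None if it is not IPsec.

    Both directions of one conversation land on the same key: the peer's
    address, the traffic kind ("udp" for IKE, "esp"), and for IKE the port on
    the peer's side. 'direction' is "out" when we sent it, "in" when the peer did.
    """
    if pkt["src"] == local_ip:
        peer, peer_port, direction = pkt["dst"], pkt["dport"], "out"
    elif pkt["dst"] == local_ip:
        peer, peer_port, direction = pkt["src"], pkt["sport"], "in"
    else:
        return None
    if pkt["proto"] == ESP:
        return (peer, "esp", None), direction
    if pkt["proto"] == UDP and peer_port in IKE_PORTS:
        return (peer, "udp", peer_port), direction
    return None


def count_directions(packets, local_ip):
    """Per IPsec conversation, how many packets went out and how many came back."""
    counts = defaultdict(lambda: {"out": 0, "in": 0})
    for pkt in packets:
        keyed = ipsec_flow_key(pkt, local_ip)
        if keyed is None:
            continue                      # DNS, web, anything else: ignore
        key, direction = keyed
        counts[key][direction] += 1
    return dict(counts)


def one_way_flows(packets, local_ip):
    """Conversations where we sent something and never saw a reply."""
    counts = count_directions(packets, local_ip)
    return sorted(
        (k for k, c in counts.items() if c["out"] > 0 and c["in"] == 0),
        key=lambda k: (k[0], k[1], k[2] or 0),
    )


def report(packets, local_ip):
    """Human-readable lines, one per silent conversation."""
    lines = []
    for peer, kind, port in one_way_flows(packets, local_ip):
        what = "ESP (IP protocol 50)" if kind == "esp" else f"IKE on UDP/{port}"
        lines.append(f"no reply from {peer} for {what}: verify the peer sees "
                     f"our packets and that inbound {what} is allowed back")
    return lines


# Constructed sample: 192.0.2.10 plays the firewall's outside address.
# Three IKE attempts and one ESP packet to 203.0.113.5 get no answer;
# the NAT-T exchange with 198.51.100.9 is two-way; the DNS query is noise.
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "dst": "203.0.113.5", "proto": UDP, "sport": 500, "dport": 500},
    {"src": "192.0.2.10", "dst": "203.0.113.5", "proto": UDP, "sport": 500, "dport": 500},
    {"src": "192.0.2.10", "dst": "203.0.113.5", "proto": UDP, "sport": 500, "dport": 500},
    {"src": "192.0.2.10", "dst": "203.0.113.5", "proto": ESP, "sport": None, "dport": None},
    {"src": "192.0.2.10", "dst": "198.51.100.9", "proto": UDP, "sport": 4500, "dport": 4500},
    {"src": "198.51.100.9", "dst": "192.0.2.10", "proto": UDP, "sport": 4500, "dport": 4500},
    {"src": "192.0.2.10", "dst": "203.0.113.53", "proto": UDP, "sport": 40000, "dport": 53},
]

if __name__ == "__main__":
    for line in report(SAMPLE_PACKETS, "192.0.2.10"):
        print(line)
```

On the sample this reports two silent conversations with 203.0.113.5 (IKE on UDP/500 and ESP) and stays quiet about the two-way NAT-T exchange. Feeding it records from a real capture separates "the firewall never forwarded the reply" from "the peer never answered", which is the first fork in troubleshooting the timeout Glen describes.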
