[TriLUG] PIX 501 questions

Jason Tower jason at cerient.net
Fri Jan 31 01:00:05 EST 2003


+1

the pix 501 is a toy, i've installed a couple and neither installed easily.  
plus it uses a bizarre web-based admin that was very problematic.  it locked 
up frequently and bouncing it would screw up the config.  do like the 
humungous said and "just walk away".

the 506, 515, and other pix's are a lot more robust but a nightmare to 
configure unless you knew IOS really well.  trying to configure a pix from 
scratch using IOS makes iptables and freeswan look easy.

jason

On Friday 31 January 2003 00:56, Jon Carnes wrote:
> First of all (no offense to anyone at Cisco) but the Pix 501 sucks.  I
> would use a linksys box or an OpenBSD box over a Pix anytime.
>
> Awhile back I tried in vain to do the same thing that you are doing only
> to eventually discover that I didn't have one of the many add-ons needed
> to handle IPsec. And to get that add-on was going to cost my corp
> mega-bucks! I hate products that advertise only the full capabilities of
> the mega-unit and then nickel and dime you to death by making you buy
> every little function to actually make the damn thing work (or work
> similar to what they advertise).
>
> You have to separate the real capabilities of your particular Pix 501
> from the Marketing BS that surrounds the product (and here I have to
> admit that my real problem with the Pix product line is with the
> marketing BS that surrounds it). Check what your Pix is actually
> licensed to do.
>
> http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/px501_ds.htm
>
> Good Luck - Jon Carnes
>
> On Thu, 2003-01-30 at 23:19, Glen Ford wrote:
> > Not a directly Linux related question, but I hope the good folks on this
> > list might be able to help.
> > In an effort to learn a little about Cisco Pix products I have swapped
> > out my Linksys DSL router with a PIX 501.  I use the Linksys and now the
> > pix as firewall between my home boxes and my RoadRunner cable modem.
> > Pretty standard stuff.
> >
> >
> > I am having two problems with my PIX 501.
> >
> >
> > 1.  The outside interface of my PIX gets assigned by the ISP via dhcp.
> > This works for the most part, except I periodically lose connectivity to
> > my RoadRunner router.  I know this because my wife complains that she
> > can not use the browser. I check the connection by pinging the router
> > from the command line inside the PIX. The pings fail and I have to issue
> > the following command to regain my connectivity: "ip address outside dhcp
> > setroute retry 5". This is proving to be irritating. Why does the
> > outside PIX lose connectivity to the router?
> >
> >
> > 2. With the Linksys I am able to use  Cisco VPN client for Linux without
> > any problems.  I.E. from server behind Linksys I am able to establish a
> > vpn connection to my corporate network.  This is an ipsec tunnel over UDP
> > port 500 (esp).  The Linksys passes this traffic without any problems.
> > linux (vpn client) ---> linksys ----> vpn end-point
> > However when I use the PIX it does not work.  I know I am passing the
> > udp port 500 traffic because I see it leaving the outside interface of
> > the PIX.  I use debug command to see it.  I do not see any reply traffic
> > coming back from the vpn request.  The packets leaving the PIX are
> > addressed with source of the outside interface and destination of my
> > corporate vpn end point.  This all seems correct except I do not see any
> > traffic coming back from the corporate end-point.  After some time the
> > vpn client croaks and says that it timed out trying to make the
> > connection.
> >
> > Any help with either/both of these two questions would be much
> > appreciated.
> >
> > Thanks,
> > /Glen
> >
> > _______________________________________________
> > TriLUG mailing list
> >     http://www.trilug.org/mailman/listinfo/trilug
> > TriLUG Organizational FAQ:
> >     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html