
7200 or PIX?

Status
Not open for further replies.

sofaking (IS-IT--Management), 4 posts, US, Nov 3, 2001
I manage a technology lab environment that is currently separated from our production network by a five-year-old 7200 router with 10Mb Ethernet interfaces. Both my production network and lab network have 10/100 Cisco switches providing connectivity out to the desktop (Catalyst 5509s). I recently acquired a PIX 520 with multiple 100Mb interfaces, and I use this for testing purposes. I have two goals that I want to achieve. The 1st goal is to improve the throughput from my production network to my lab network. The 2nd goal is to put the firewall in place between the production network and lab network in order to lock things down a bit. So I have a couple of questions. Is it reasonable to use the PIX as a router AND firewall? It seems like this would achieve both my objectives (speed and security). I'm getting conflicting information from my technical staff: some say the PIX isn't a "real" router, but can't clarify what they mean by "real". Some say that the PIX doesn't support EIGRP, which would be needed to integrate with our production network. Some guys think that the PIX by itself would be sufficient and simplify things; others want to put the PIX and the router in line but can't agree as to which order they should be configured (e.g. production network -- PIX -- 7200 -- lab network OR production network -- 7200 -- PIX -- lab network). This is a long message, but I'd like to get some other opinions on this topic.
 
Why not run a *normal* router with the firewall IOS code? That gets you *real* routing and 80% of the PIX capabilities.

MikeS Find me at
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 
I already have both, a Cisco 7200 and the PIX. I can configure them in whatever way makes sense. Do you mean that I can install firewall IOS code on my 7200? I didn't realize that was an option. BTW, what does *real* routing mean? It just seems to me that if a PIX can route and perform firewall functions, then why should I complicate the architecture by adding another router to the mix when all I'm doing is connecting 2 Ethernet segments?

 
You can get the IOS with firewalling capabilities. It's not a PIX, but for most conditions and with some careful planning, it will be just fine.

On the 7200, IOS 12.x goes from IP/FW to IP/FW/IDS IPSEC 56

A PIX is a PC with router code and a couple of Intel Express cards, or an Adaptec quad-port card depending on model (and a few other items), none of which is optimized for "routing". It's designed to either pass or block packets: not switch them, not route them, not bridge them and so on. It comes down to performance many times; the PIX cannot match a high-end router if you try to force it to route. It *CAN* check and deny packets better than a plain old access list on a router.

Riddle me this: why would you want to complicate things on two segments with port mapping, conduits, blocked this, that and the other?

You want performance? Then route with the 7200.

You want security *a bit*? Then NAT the network segment, use basic access lists and forget the overkill of the PIX.

Of course, all this is based on not knowing very much about the network and the actual goals, business constraints and such. SOoooooo... your mileage will vary ;-)

MikeS Find me at
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 
The PIX has a limitation on how many sessions it can filter and how much bandwidth it can handle.

It's probably best to have the 7200 with the IP/FW feature set and standard/extended ACLs, then have a routing descriptor to send the rest of the data to the PIX.

This will accommodate future needs until you upgrade your PIX.
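To make the "7200 with the IP/FW feature set and access lists" approach from the two replies above concrete, here is an added configuration sketch; it is not from any poster in this thread and was not tested on their equipment. The addressing (production 10.1.0.0/16, lab 10.2.0.0/24), the interface names, and the ACL and inspection names are constructed for the example. It uses two extended ACLs to allow only named services from production into the lab and to block lab-initiated traffic into production, and IOS Firewall stateful inspection (CBAC) so that return traffic for sessions production opened is admitted without a blanket permit on the lab side.

```cisco
! Constructed example, not configuration from the thread.
! Assumed topology: production network on FastEthernet0/0 (10.1.0.0/16),
! lab network on FastEthernet1/0 (10.2.0.0/24). Adjust to your addressing.
!
! Stateful inspection rule (IOS Firewall / CBAC). Sessions opened from the
! production side are tracked, and temporary entries are added to the
! lab-side inbound ACL for their return traffic only.
ip inspect name LAB-FW tcp
ip inspect name LAB-FW udp
!
! Production -> lab: permit only the lab services that need to be reachable.
ip access-list extended PROD-TO-LAB
 remark Hypothetical allow-list; add the services your lab actually exposes
 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.0.255 eq 22
 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.0.255 eq 80
 permit icmp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.0.255 echo
 deny   ip any any log
!
! Lab -> production: the lab is the untrusted side, so it may not initiate
! anything into production. CBAC inserts dynamic permits above this deny
! for sessions that production initiated, so replies still flow.
ip access-list extended LAB-TO-PROD
 remark Logged denies give you a record of what the lab tried to reach
 deny   ip any any log
!
interface FastEthernet0/0
 description production side (assumed interface name)
 ip address 10.1.255.1 255.255.0.0
 ip access-group PROD-TO-LAB in
 ip inspect LAB-FW in
!
interface FastEthernet1/0
 description lab side (assumed interface name)
 ip address 10.2.0.1 255.255.255.0
 ip access-group LAB-TO-PROD in
```

Two checks worth doing after applying something like this: `show ip inspect sessions` should list the production-originated sessions that CBAC is tracking, and the `log` keyword on the deny entries lets you watch `show logging` for anything the lab tries to open toward production. If, as one reply suggests, you also want to hide lab addresses from production, NAT overload on the lab interface can be layered on top, but then production-initiated access to lab hosts needs static translations rather than the PROD-TO-LAB permits shown here.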
 