Pix & Check Point 1


angelo990

Technical User
Mar 6, 2002
55
US
Greetings,

Having been exposed to Check Point firewalls, I'd appreciate some feedback on the advantages/disadvantages, etc. of implementing a cisco pix solution as an alternative to Check Point.

Check Point so far has been pretty good, however, not many clients can afford this solution. In contrast, cisco is much cheaper.

Things I'm particularly interested in are:
+ On check point, there's a macintosh client VPN, what about cisco pix?
+ VPN software is loaded on the client in order to establish a VPN connection in a check point solution. Microsoft VPN client can be used to allow connections to the network but then it's not using check point's own VPN software. Is there client software required to be loaded in order to set up a VPN connection to the internal network using a cisco pix?
+ Microsoft's own VPN client can be used to establish a VPN connection to cisco pix. Is this recommended?
+ Any words on site-to-site VPN on cisco pix?
+ Is there a necessity to use NAT pools on cisco pix?
+ A client is in another state & wants to hook up their laptop to whatever DSL/cable connection is in that area. Can they set up a VPN connection to the cisco pix, or would the DSL location need to open specific ports in order to connect through the DSL/cable connection?

The level of command line familiarity to configure a cisco pix must be there; although I've only worked lightly on cisco routers, I can get around.

I'd appreciate your feedback.

Thanks in advance!

Angel

Glad to be here!
 
HI.

+ On check point, there's a macintosh client VPN, what about cisco pix?
I don't know yet - I'm also checking this issue for someone.
As far as I know there is only a Windows client.

+ ... Is there client software required to be loaded in order to set up a VPN connection to the internal network using a cisco pix?
Yes, there is the Cisco VPN software client.

+ Microsoft's own VPN client can be used to establish a VPN connection to cisco pix. Is this recommended?
I do not recommend it.
Here are some disadvantages of PPTP implementation on pix:
* You don't have the "split tunnel" option (you cannot access the Internet and the VPN at the same time).
* There is only a single authentication (easier to break), while the Cisco VPN client can be configured with dual authentication (group+pass or certificate preconfigured by the administrator, and then username+pass).
If you're planning to use PPTP, you can use MS server as VPN server instead of the pix.

* You should note that a basic pix bundle comes with DES encryption only, and a 3DES license should be purchased as an addition.

+ Any words on site-to-site VPN on cisco pix?
* No problem with pix to pix, and not difficult to establish.
Same 3DES license issue.
VPN from pix to another vendor (like CP) can be more difficult and requires some reconfiguration at both ends.

+ is there a necessity to use NAT pools on cisco pix?
No, NAT can be disabled on the pix.

+ A client is in another state & wants to hook up their laptop to whatever DSL/cable connection is in that area. Can they set up a VPN connection to the cisco pix, or would the DSL location need to open specific ports in order to connect through the DSL/cable connection?
This is a good point that you are raising - while CP SecuRemote supports IPSec over TCP/UDP, the pix currently does not support it, so the client will probably fail to establish VPN to pix from behind a NAT device.


So - to conclude the VPN issues, I think that the pix has some limitations that might catch you.
Some issues can be solved by using the PIX as a firewall only, and terminating the VPN with another device, for example a Cisco VPN concentrator (supports 3DES and IPSec over TCP/UDP, but I don't know about Mac clients).

Separating VPN and Firewall might be a good idea for medium to large organizations because you can better manage it and also you offload the FW.


From the very little knowledge of CP I think that CP still has a much better management interface, and also you'll find out that you might need 3rd party applications to collect and analyze the pix log files.
The pix also has limited support for content filtering - for example you cannot block a specific HTTP URL (like Code Red) with the pix without an additional 3rd party server.

Another thing - when you buy a new pix you get the current OS, but if you want to get newer versions you have to subscribe for those updates. This is an optional additional cost, but I think that it is recommended.

The pix main advantages that I know of are:
* The pix has good performance.
* The pricing is per box and not per client (excluding pix 501). But you should consider additional costs like the 3DES license and/or additional supporting software/devices.
* You can implement a "hot" failover configuration for reasonable cost.


There is much more, and I hope that others will share their experience.
Myself, I didn't work with CP, so what I wrote here is based on info I got from others.
I've done several CP to Pix migrations for SMB clients - most of them were for the same reason that you mentioned - lower cost.
There were no complaints from clients after the migrations.


Bye
Yizhar Hurwitz
 

Things I'm particularly interested in are:
+ On check point, there's a macintosh client VPN, what about cisco pix?

> Sure. There is a MS Windows, Mac, and Linux VPN client. PIX uses the same client as the VPN 3000 and the routers.

+ VPN software is loaded on the client in order to establish a VPN connection in a check point solution. Microsoft VPN client can be used to allow connections to the network but then it's not using check point's own VPN software. Is there client software required to be loaded in order to set up a VPN connection to the internal network using a cisco pix?

> You can use the Cisco client or use MS L2TP over IPSec solution.

+ Microsoft's own VPN client can be used to establish a VPN connection to cisco pix. Is this recommended?

> It's L2TP over IPSec. If you can live with that. It's OK.

+ Any words on site-to-site VPN on cisco pix?

> It's easy and works well. (?)

+ Is there a necessity to use NAT pools on cisco pix?

> You can use NAT or you can set up for nat(0) and not use NAT. What does your design call for?

+ A client is in another state & wants to hook up their laptop to whatever DSL/cable connection is in that area. Can they set up a VPN connection to the cisco pix, or would the DSL location need to open specific ports in order to connect through the DSL/cable connection?

> Huh? Usually cable or DSL connections to the Internet are not filtered. VPN should work fine. You may have to check to see if the cable or DSL IP is NAT'ed.
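As an added illustration (not from either reply above, nor Cisco's own documentation), here is the shape of a PIX 6.x remote-access VPN configuration that puts the points from the two replies into practice: the `nat (inside) 0` exemption so VPN traffic is not translated, a split-tunnel access list (the option the second reply notes PPTP cannot give you), a 3DES transform set and ISAKMP policy (which need the separately purchased 3DES license), and group password plus per-user RADIUS authentication as the "dual authentication" the second reply describes. All network addresses, names, the RADIUS server and the passwords are constructed placeholders; the `!` lines are explanatory comments.

```text
! Constructed example: inside LAN 10.1.1.0/24, VPN client pool 10.1.2.0/24
! Assumes PIX 6.x software with the 3DES license installed.

! Address pool handed out to remote software clients
ip local pool vpnpool 10.1.2.1-10.1.2.254

! Exempt inside <-> client traffic from NAT (the nat(0) case from the third post)
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split tunnel: only traffic to the inside LAN goes through the tunnel,
! the client's other Internet traffic goes out directly
access-list splittunnel permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

! Second factor: per-user authentication against a RADIUS server (placeholder host and key)
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.10 RADIUS_SHARED_KEY_PLACEHOLDER timeout 5

! Let decrypted IPSec traffic in without a separate conduit/access-list entry
sysopt connection permit-ipsec

! Phase 2: 3DES + SHA-1 (a DES-only box cannot use esp-3des)
crypto ipsec transform-set strongset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strongset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client authentication RADIUS
crypto map clientmap interface outside

! Phase 1 policy used by the software client
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Group definition: the first factor is the group name + group password
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 10.1.1.10
vpngroup remoteusers default-domain example.local
vpngroup remoteusers split-tunnel splittunnel
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password GROUP_PASSWORD_PLACEHOLDER
```

This does not change the second reply's caveat: without IPSec over TCP/UDP on the pix, a client sitting behind a NAT device may still fail to bring the tunnel up.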

 