02-23-2006 06:50 AM - edited 02-21-2020 12:44 AM
I've got an old 1605R that just crapped out on me. The only thing that I have available with two eth interfaces is a pix 506.
I know I can set it up to route between two networks and then allow ip any any between the two. What are the cons to using a pix as a router? Should I push to get a new router in?
Thanks!
02-23-2006 07:38 AM
From my experience, a PIX cannot make routing decisions as it has no routing protocol. It needs to have explicit routes defined for each interface/network, and its default gateway.
I would recommend replacing your router, I don't think a PIX can do routing.
02-23-2006 07:55 AM
Hi
As already pointed out by Glen, the PIX doesn't do all kinds of activities which your router delivers to you; also, the features differ irrespective of the platform.
PIX firewalls were introduced keeping security as the main core focus, when there was a lack of devices/equipment to take care of that part.
Though the latest PIX software versions support most of the features which routers support, it's still not a general/common/best practice to overload the PIX to handle both.
This link gives you the features which your new pix firewall software versions brings in.
http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet0900aecd8040c5b5.html
But it's not supported for the PIX 506 platform which you hold here. As a general recommendation, try to get your device upgraded based on the connectivity and the main focus you give over there in the network.
regds
03-03-2006 12:47 PM
I've put the 506e (pixA) in place. It sort of works. I can rdc to a laptop on the "dmz" network, and I get the correct, external ip address when I hit www.nwtools.com from the laptop. But I'm trying to set up another 506e (pixB) to do a site-site vpn to a remote pix 506e (pixC). I can't ssh into pixB from off-site, and can't figure out why. (I'm also concerned that I might not be able to set up a vpn session, but haven't tried yet.)
I can ssh into pixB from the external network and have ssh 0.0.0.0 0.0.0.0 outside in the config.
Here's my pixA (as router) config...
pixfirewall# sh ru
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password HsJlBQXq9eIeQtEC encrypted
passwd HsJlBQXq9eIeQtEC encrypted
hostname pixfirewall
domain-name tccms.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip any any
access-list 101 permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.43.91.38 255.255.255.252
ip address inside 172.43.91.65 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list 101
nat (inside) 0 access-list 101
access-group 101 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 172.43.91.37 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:c5b0f8b73aea7740355f6251c56bcdf9
: end
pixfirewall#
03-07-2006 03:20 AM
Hi
Instead of allowing/permitting all ssh connections from outside and inside, do mention the particular subnet blocks which require the access or which can access the pix.
regds
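A small check for the point made in this reply, added here as an example and not part of the thread: it scans a PIX 6.3 running-config for management-access lines (ssh/telnet/http) whose permitted source range is wider than a single subnet, and for well-known SNMP community strings. The sample config is a constructed excerpt modelled on the pixA config posted above.

```python
import ipaddress
import re

# Constructed excerpt modelled on the PIX 6.3 "sh ru" posted in the thread.
SAMPLE_CONFIG = """\
access-list 101 permit ip any any
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
"""

# PIX 6.3 management-access syntax: "<ssh|telnet|http> <address> <netmask> <interface>"
MGMT_RE = re.compile(
    r"^(ssh|telnet|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)
SNMP_RE = re.compile(r"^snmp-server community (\S+)")
WELL_KNOWN_COMMUNITIES = {"public", "private"}


def find_open_management(config: str, max_hosts: int = 256) -> list:
    """Return (protocol, network, interface) for management-access lines whose
    source range covers more than max_hosts addresses. A 0.0.0.0 0.0.0.0 entry
    lets any host that can reach the interface attempt a login."""
    findings = []
    for line in config.splitlines():
        m = MGMT_RE.match(line.strip())
        if not m:
            continue  # "ssh timeout 30", "http server enable", etc. do not match
        proto, addr, mask, iface = m.groups()
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        if net.num_addresses > max_hosts:
            findings.append((proto, str(net), iface))
    return findings


def audit(config: str) -> dict:
    """Summarise management-plane exposure: over-broad access lines plus any
    SNMP community string that is a well-known default."""
    weak_snmp = []
    for line in config.splitlines():
        m = SNMP_RE.match(line.strip())
        if m and m.group(1).lower() in WELL_KNOWN_COMMUNITIES:
            weak_snmp.append(m.group(1))
    return {"open_mgmt": find_open_management(config), "weak_snmp": weak_snmp}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, value)
```

The remediation matches the advice above: replace each flagged `ssh 0.0.0.0 0.0.0.0 <iface>` with one line per management subnet, and change the SNMP community or disable it.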
03-07-2006 05:49 AM
The only thing is that I'm not sure where I'll be managing the pix from. Is there a way to disable the use of pix@ in the ssh connections, or to define a different username to connect?
03-07-2006 05:47 AM
Whoops, my bad. Forgot the default route on the inside pix (pixB).