I agree with Peter. Even with the GUI tools, things like NAT are not very
straght forward. At one site, the guy that had originally set the
firewall up had some of the NATs backwards. IOW instead of translating an
outside public address to an internal private, he had the addreses
backwards (which, by the way, was causing the firewall to come to a
screeching halt every time someone attempted to connect to one of these
NAT'd services). After looking at what he had in place, it was easy to
see how one could get it backwards.
I have seen Cisco engineers have trouble getting PIX to cooperate, and
these were some of Cisco's top dogs that work with it all the time.
I will say this however: PIX is extremely fast. If you are an ISP with
CCIE's or guys good with Cisco equipment on staff, don't rule it out.
Network Computing did tests that rated PIX doing 150Mb's throughput.
Also, the performance hit is almost unnoticeable when using NAT.
Carric Dooley
COM2:Interactive Media
http://www.com2usa.com
On 10 Jun 1999, Peter da Silva wrote:
> In article <[EMAIL PROTECTED]>,
> ward, bryan <[EMAIL PROTECTED]> wrote:
> >Does anyone have an opinion on the CISCO PIX. I would be interested to here
> >them.
>
> It's pretty solid once you have it configured, but the configuration model
> is highly counterintuitive: the arguments to "conduit" commands are the
> not always the addresses they seem to be. They are also in the process
> of changing the CLI to make it more compatible with IOS, so it's in a state
> of flux. I would hold off until they finish changing things.
>
> (we bought 35 of them for a project, and now I'm stuck in the middle. AUGH)
>
> --
> In hoc signo hack, Peter da Silva <[EMAIL PROTECTED]>
> `-_-' Ar rug t� barr�g ar do mhact�re inniu?
> 'U` "Be vewy vewy quiet...I'm hunting Jedi." -- Darth Fudd
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
