[c-nsp] firewall ios

Scott Keoseyan scott at labyrinth.org
Sun May 27 11:37:00 EDT 2007


Has anyone done any comparison studies with regards to features and
performance between a midrange ASA or PIX and a 2800 running FW-IOS?
How about running FW-IOS on a 6500 and the FWSM on a 6500?

If it's just a matter of implementation, I'd rather use an IOS interface
any day.  I realize there's a whole VPN component associated with ASA now
that you're probably not going to get (or only partially get) with a
router-based IOS, but if you toss that out, what do you have left in the
way of performance and features?

Scott


Ted Mittelstaedt wrote:
> take the IOS firewall feature set.  The PIX interface is annoying.
> It is NOT ios.  Among annoyances you cannot telnet from the PIX to
> another device.  Thus if you have a PIX buried in the enterprise
> behind multiple routers, and a route gets screwed beyond it, you
> cannot reach the remote router by hopscotching.  The PIX also doesn't
> speak many routing protocols.  Cisco is also slow
> as a slug to release new PIX images.  Most PIXen out there are the
> 506 and 506E's and Cisco has turned its back on them because
> PIXos 7 requires a ram update.  I took delivery of 2 new 506E's 4 months
> ago and they came out of the box, still with inadequate ram, and
> 2 year old PIX os on them.
> 
> I have also seen multiple PIX hardware failures on the original
> non-E models.  The PIX boxes get temp sensitive and lock up, power
> cycling gets them going again.  This will continue repeating itself
> for months.  Or the power supplies fry.  And
> Cisco no longer sells the power supplies for the original non 506
> models.  So far, knock on wood, the E models we have seen deployed
> haven't done this.  They also run hot as Hades.  You can almost
> fry an egg on one of them that has been on for a while.
> 
> Keep in mind the PIX was a product Cisco bought from someone else,
> they didn't design it.  Cisco has said for years that customers
> shouldn't buy them.  The usual line is "we are in process of taking
> the technology from the PIX and using it in our other products"
> Which is big marketing bullcrap intended to reinforce the bogus
> image of superiority that the original dyed-in-the-wool PIX owners
> had of their devices.  IOS is actually more advanced, and PIX didn't
> have dynamic VPN support when Cisco bought the product.  Over the
> years more technology has flowed from Cisco into the PIX than they
> ever got out of it.  The PIX purchase was a buy market share purchase
> not a technology purchase.  Totally opposite from for example the
> Combinet purchase where Combinet had far better ISDN technology
> than Cisco.  The PIX originally was a hacked up PC motherboard
> based product and the original versions (pre Cisco) ran on a 
> hacked up dos/windows OS.
> 
> The PIX is popular IMHO because it's cheaper than IOS Firewall Feature
> set + a decent Cisco router, and it has the moniker Cisco on it.  Logic
> would tell Cisco to kill the product, but they are afraid of doing
> that because they are afraid of losing customers.  Frankly, the Linksys
> RV042 works just as good as a PIX for most applications you would use
> a PIX in and is a hell of a lot cheaper.  Plus it has Cisco on the box.
> Unfortunately, the RV042 doesn't get the attention it should because
> so much of the Linksys product line has been total garbage.
> 
> Ted
> 
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Dan
>> Sent: Saturday, May 26, 2007 9:02 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] firewall ios
>>
>>
>> Hello,
>>
>> I was wondering if there is any difference between a pix firewall and 
>> the firewall ios.  I have a 2801 router that I would like to buy the 
>> firewall ios for instead of putting in a pix firewall.  Does the 
>> firewall ios have all of the features of the pix box?  I'm currently 
>> using the router for nbar inspection, route-mapping and natting a few 
>> internet connections.  Will this all still work on the firewall ios?
>>
>> Thanks,
>> Dan.

--
Scott A. Keoseyan (scott at labyrinth.org)
Homepage : http://www.labyrinth.org/homepages/scott
Blogpage : http://www.labyrinth.org/wp1
PGP Keys : http://www.labyrinth.org/homepages/scott/pgp.html

