PIX 515 vs. 2621

mmellet Fri, 10/04/2002 - 10:31

The major advantage of using a 2621 for routing instead of a PIX is the fact that it is a "router". The PIX does not use routing protocols and realistically does not route. The PIX is designed for security, not routing.

But the PIX is a layer 3 device, correct?

But now that I think about it... the PIX really just acts as a huge 'door', for lack of a better term: 'are you allowed to go to my other interface?' It looks at the conduits/ACLs, then says 'yes' or 'no'.

I think I had already known the answer to that one...I was just looking for a more detailed explanation.

thanks for your help...


wilchan Thu, 10/10/2002 - 20:20

- The 2600 is a router; the PIX is not a router.

- The 2600 uses the routing table for its forwarding decision; the PIX uses the translation table (NAT mapping, basically) for its forwarding decision.

- The PIX cannot be said to be a layer 3 device; in fact the security algorithm it uses is Layer 7 aware (stateful firewall). For example, it understands a Telnet session.

- The PIX is a firewall, and the 2600 can also be a firewall using built-in packet filtering, or it can be a stateful firewall similar to the PIX with the Firewall feature set loaded.

- In terms of firewall / VPN performance the PIX will be a much better choice, since it is designed to perform such functions.
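
As an added illustration of the points above (this is editor-supplied configuration, not something posted in the thread), here is the same inside/DMZ/outside policy expressed on each platform: the PIX 6.x side forwards according to interface security levels plus the translation (xlate) table and needs an explicit static plus an access-list or conduit for any lower-to-higher security flow, while the IOS side forwards from its routing table and adds state only through CBAC (`ip inspect`). All interface names, addresses, ACL numbers/names and the inspect rule name are made up for the example.

```cisco
! ---- PIX 515, software 6.x: forwarding follows security levels and the xlate table ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
! higher -> lower security (inside -> outside) is allowed by the adaptive security
! algorithm once a translation exists; nat/global supply the dynamic PAT entries
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
! identity static so inside hosts reach the dmz without being rewritten
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
! lower -> higher security (outside -> dmz) needs a static xlate AND an explicit permit
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
! the older conduit form of the same permit (access-list is the preferred syntax):
! conduit permit tcp host 203.0.113.10 eq www any
! no routing protocol here: a default route and the connected networks are all it knows
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! ---- 2621, IOS with the firewall feature set (CBAC): ACL filters, inspect adds state ----
! extended ACL applied inbound on the outside interface: a plain packet filter
access-list 101 permit tcp any host 203.0.113.10 eq www
access-list 101 deny ip any any log
! CBAC inspection rule; outbound sessions it sees get temporary return openings in ACL 101
ip inspect name FW tcp
ip inspect name FW udp
interface FastEthernet0/0
 description outside
 ip address 203.0.113.2 255.255.255.0
 ip access-group 101 in
 ip inspect FW out
interface FastEthernet0/1
 description inside
 ip address 10.1.1.1 255.255.255.0
! the router actually routes: the routing table, not a NAT table, drives forwarding
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

To check which table each box is really forwarding from, use `show xlate` and `show conn` on the PIX (the translation and connection entries the security algorithm consults) versus `show ip route` and `show ip inspect sessions` on the 2621 (the routing table and the CBAC state table). Without the `ip inspect` lines the 2621 is only a stateless packet filter, which is the distinction the post draws between the router's built-in filtering and the Firewall feature set.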

Sridharagupta.b... Mon, 10/07/2002 - 00:11

As per my knowledge, a 2621 with a VPN accelerator will be the best suitable (cost effective) solution for VPN with 3DES, but with no failover. The 2621 is a router which supports most of the routing protocols, and the PIX doesn't do this. The PIX does not support all the routing protocols. The 2621 can't be a firewall, but can be a lower-end router. The PIX has built-in security for each interface depending on the name of that interface.

All-->thanks for your comments and explanations.

I'm working on a project right now that will remove most of the load and 'routing' from our PIX. It has 6 interfaces and we are currently using ALL of them for 'routing'. Granted, some could say that it should stay like that so that we have a layer of stateful packet inspection between all domains/environments... but I think that is unnecessary considering we have 2621's and a 6509 in-house w/ an MSFC... that was being utilized with zero benefit to our infrastructure.

I love these forums.
