Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

pix firewalls

Are firewalls the same as CBAC on a router, and do they work by checking out going connections then checking the return traffic, , also say i had a web server, how does the pix make sure no other traffic or protocols get through ?


  • Other Network Infrastructure Subjects

Re: pix firewalls

Hello Carl,

CBAC or Firewall Feature Set IOS does most of what PIX firewall does. However, PIX firewall is designed for complex and advanced configurations.

Moreover, PIX firewall are more robust because the IOS is design mainly for security and you have a hardware based firewall. Therefore, it really depends on the requiremetns to usually spec a PIX firewall or router with IOS firewall.

As for your question, PIX inspect all traffic comming from inside to outside and outside to inside. You can restrict traffic by using Access-list on the outside and inside interface. Moreover, there is security level on each interface 100 being for inside and 1 being from outside. This means everything from outside to inside is denied unless you implement an access list permitting specific type of traffic.

I hope I did help and answer your questions,


New Member

Re: pix firewalls

so if we have a web server and only want say http traffic to come in and out, how would I do this and what would the pix do to stop any other traffic comming in ?

New Member

Re: pix firewalls

You configure a rule that accept connection from say Internet any to the webserver with port 80/tcp on outside interface and deny any other traffic.


Re: pix firewalls

By default, everything from outside to inside will be denied. To allow Http access to the web server you have to do Static NAT (one to one NAT) for the webserver and create an access-list allowing http to the webserver public IP and apply to the outside interface.

IN this way, only http access will be allowed to your webserver.

Hope this clarifies the issue,



Re: pix firewalls

one thing the other answers are missing is an explanation of the fixup command in PIX (6.3), in 7.x the fixup command has been replaced with policy maps. The pix will do deep packet inspection on (for example) http packets to make sure they are actually http packets and not something piggy backing over tcp/80 (or 443). CBAC to my knowledge doesn't do this.

in PIX 7.x, the syntax is something like:

policy-map global_policy

class inspection_default

inspect http

In PIX 6.x, the syntax is:

fixup protocol http 80