dmz - firewall 1 vs pix

I currently have a DMZ with FW1 (inherited) which is going away. I also have a new application that needs a DMZ and I need to look at alternatives. Traffic from the internet into the DMZ needs to be limited by uname/passwd and will be about 100 hits a day, max. Inside the DMZ will be an Apache and an IIS server. I 'think' all access will be web pages, but the apps group may think up other wonderful things. NO access from DMZ to inTRAnet; access from inTRAnet will be 'update only' to the DMZ systems. I want to keep my life simple and think a Cisco PIX solution would be easier/more reliable than FW1 on a Solaris box. I may want to log accesses but could care less about statistics... should I look into PIX? Is PIX applicable for this use??

Re: dmz - firewall 1 vs pix

Indeed. PIX can use local and centralised user databases for auth to the DMZ, and for the above configuration it is quite easy to set up, especially with the new PDM Java GUI interface. By default no low-security interface can access a high-security interface, i.e. DMZ to inside, or Internet (outside) to DMZ or inside, unless expressly permitted.

It's very secure, with no need to manage both FW1 and the OS it runs on, etc. Logging is to syslog, as per Cisco routers, and numerous scripts and commercial apps can analyse this for you.

PS PIX is also a hell of a lot cheaper ;)
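To make the security-level behaviour and the syslog point concrete, here is an added PIX 6.3-style configuration sketch for the three-interface design in the question; it is not from either poster. All addresses, interface names, the `LOCAL` user database and the `aaa authentication match` form are assumptions, and the exact AAA syntax differs between PIX releases.

```cisco
! Added illustration (not from the thread). Interface security levels decide
! the default policy: traffic may flow high -> low, never low -> high, unless
! an access-list permits it. Addresses are constructed examples.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
!
! Publish the Apache host (192.168.10.10) on one public address; the IIS
! host would get a second static the same way.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255 0 0
!
! outside -> dmz is low -> high, so nothing passes until an ACL permits it.
! Only the two web ports are opened; all other Internet traffic is dropped.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside
!
! dmz -> inside is also low -> high and is denied by default. The explicit
! deny makes the "no DMZ to intranet" requirement visible in the config;
! the trailing permit keeps DMZ -> Internet working for patches.
access-list dmz_in deny ip any 10.0.0.0 255.0.0.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz
!
! Authenticate Internet users against the local user database before they
! reach the DMZ web servers. A TACACS+ or RADIUS server tag would replace
! LOCAL for a central database. Password is a placeholder: CHANGE-ME.
username webuser password CHANGE-ME privilege 1
aaa-server LOCAL protocol local
access-list auth_in permit tcp any host 203.0.113.10 eq www
aaa authentication match auth_in outside LOCAL
!
! Access logging to an inside syslog collector (assumed at 10.0.0.50).
logging on
logging timestamp
logging trap informational
logging host inside 10.0.0.50
! Note: nat/global (or nat 0) statements for inside -> dmz and dmz -> outside
! are omitted here; PIX 6.x needs them before those flows will pass.
```

Traffic from the inside to the DMZ is allowed by default (high to low), so the "update only" restriction from the question would be an additional ACL applied inbound on the inside interface.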