Pix as router?

I've got an old 1605R that just crapped out on me. The only thing that I have available with two eth interfaces is a pix 506.

I know I can set it up to route between two networks and then allow ip any any between the two. What are the cons to using a pix as a router? Should I push to get a new router in?


Re: Pix as router?

From my experience, a PIX cannot make routing decisions as it has no routing protocol. It needs to have explicit routes defined for each interface/network, and its default gateway.

I would recommend replacing your router; I don't think a PIX can do routing.

Re: Pix as router?


As already pointed out by Glen, a PIX doesn't do all kinds of activities which your router delivers to you; also, the features differ irrespective of the platform.

PIX firewalls were introduced keeping security as the main core focus, when there was a lack of devices/equipment to take care of that part.

Though the latest PIX software versions support most of the features which routers support, it's still not a general/common/best practice to overload the PIX to handle both.

This link gives you the features which your new PIX firewall software versions bring in.

But it's not supported for the PIX 506 platform which you hold here. As a general recommendation, try to get your device upgraded based on the connectivity and the main focus you give over there in the network.


Re: Pix as router?

I've put the 506e (pixA) in place. It sort of works. I can rdc to a laptop on the "dmz" network, and I get the correct, external ip address when I hit from the laptop. But I'm trying to set up another 506e (pixB) to do a site-site vpn to a remote pix 506e (pixC). I can't ssh into pixB from off-site, and can't figure out why. (I'm also concerned that I might not be able to set up a vpn session, also, but haven't tried, yet.)

I can ssh into pixB from the external network and have ssh outside in the config.

Here's my pixA (as router) config...

pixfirewall# sh ru
: Saved

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password HsJlBQXq9eIeQtEC encrypted
passwd HsJlBQXq9eIeQtEC encrypted
hostname pixfirewall

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

access-list 101 permit ip any any
access-list 101 permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list 101
nat (inside) 0 access-list 101
access-group 101 in interface outside
access-group 101 in interface inside
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh outside
ssh inside
ssh timeout 30
console timeout 0
terminal width 80

: end


Re: Pix as router?


Instead of allowing/permitting all ssh connections from outside and inside, do mention the particular subnet blocks which require the access or which can access the pix.
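
As an added example (not part of the original thread and not the poster's configuration): a small Python check that reads PIX 6.x-style configuration text and reports the two things discussed in this thread, an any-to-any ACL bound to an interface and SSH management open to every source address. The sample configuration, its documentation-range addresses and the function name `audit` are constructed for illustration.

```python
import re

# Constructed sample in PIX 6.x syntax (documentation addresses, not the poster's config).
SAMPLE = """\
access-list 101 permit ip any any
access-list 101 permit icmp any any
access-list 102 permit tcp 192.0.2.0 255.255.255.0 any eq 22
access-group 101 in interface outside
access-group 102 in interface inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 198.51.100.0 255.255.255.0 inside
ssh timeout 30
"""

ACL = re.compile(r"^access-list (\S+) permit (\S+) any any$")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")
SSH = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def audit(config):
    """Return findings for any-any ACLs bound to an interface and for open SSH."""
    open_acls = {}  # ACL id -> protocols permitted from any source to any destination
    bound = []      # (ACL id, interface) pairs taken from access-group lines
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL.match(line):
            open_acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := GROUP.match(line):
            bound.append((m.group(1), m.group(2)))
        elif m := SSH.match(line):
            _addr, mask, ifc = m.groups()
            if mask == "0.0.0.0":  # an all-zero mask matches every source address
                findings.append(f"ssh: any source may connect on {ifc}")
    # An open ACL only matters once an access-group applies it to an interface.
    for acl, ifc in bound:
        for proto in open_acls.get(acl, []):
            findings.append(f"acl {acl}: permit {proto} any any inbound on {ifc}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
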


Re: Pix as router?

The only thing is that I'm not sure where I'll be managing the pix from. Is there a way to disable the use of pix@ in the ssh connections, or to define a different username to connect?

Re: Pix as router?

Whoops, my bad. Forgot the default route on the inside pix (pixB).

