Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member


I am curious if I have a correct understanding of the two. I am new to CBAC.

PIX does the following:

1. Uses access-lists to allow outgoing and incoming traffic at layer 3 and layer 4 (port redirection).

CBAC does the following:

1. Augments access-lists with stateful packet filtering at layer 7 by only allowing packets back into the private network that are part of a connection that have been initiated from the inside.

1. Can the PIX do any layer 7 packet filtering?

2. Why buy a PIX when you can add the IOS firewall feature set on a gateway router for less cash? Is it to offload the processing from the router for large organizations? Are there any other benefits?

3. On the PIX, when you create an access list for outbound traffic applied to the inside interface, do you ever have to allow an IP (tcp or udp) connection back in on an inbound access-list applied to the outside interface? I only know of ICMP and GRE that need to be allowed on both outbound and inbound access-lists for LAN users. If you do not have to for tcp and udp connections, is this because of stateful packet filtering? The PIX knows that it has to allow returning traffic that was initiated from the inside?

4. With CBAC, I have seen simple examples (one ethernet and one serial interface) when creating ip inspection sets, that the lists get applied to the ethernet interface inbound instead of the serial interface outbound. Is this because the conversation needs to be created before CBAC can inspect them?

I know this is a long list. Any help with my questions or verifying my statements would be greatly appreciated.



New Member


The PIX is also a stateful packet filter. It has the ability to look at layer 7 information such as SMTP commands issued to an internal mail server. CBAC and the PIX operate similarly. The configurations look different, but accomplish the same task in a similar fashion. The PIX allows return packets back in based on the state data it built for the outgoing connection. So does CBAC.

Basically, CBAC is fine for small organizations. But for high bandwidth applications, the PIX performs much better. The PIX offers features that IOS routers do not. IOS routers offer features that the PIX does not. You need to evaluate the trade-offs and choose which platform is more appropriate.

A couple examples: The PIX can terminiate VPN 3000 clients, but IOS does not. yet... Both can do site-to-site VPN, but the IOS router can terminate GRE tunnels within IPsec to allow dynamic routing updates to pass over the VPN tunnel. You cannot do that with a PIX.

So basically, the best advice is to buy both. Routers are not the best firewalls and the PIX is a god-awful router. It won't even send ICMP redirect messages for the inside network for example.

I recommend a PIX 506 if you need a basic 2 port firewall for your T1 or DSL. 515 if you need more than 2 interfaces or have more bandwidth.

best of luck!

mike kantowski