Sean Mathias
07-25-2004, 01:41 AM
Primarily because the PIX is a firewall, not a router. What is
fundamental on a router is sorely lacking on the PIX, though it was by
design. Even in more recent code releases with the addition of OSPF,
it is still a substandard/partial implementation.
Given its origins and initial design and purpose, it needed the extra
instruction as it was meant as a packet filter, not a packet router.
The PIX, though I do like it, is very limited in my opinion due to its
legacy code base. Let's hope the current trend of moving everything
to IOS hits the PIX soon.
Sean Mathias
CCIE #12779
On 28 Feb 2004 05:36:00 -0800, b_d_low@yahoo.com.au (Ben Low) wrote:
>Just wondering if anyone could shed some light on why the PIX 'route'
>command requires an interface name to be given in addition to the
>next-hop, or vice-versa?
>
>i.e. the Cisco PIX Command Ref 6.3 discusses how a link-local route is
>set, but doesn't really mention why you need the if_name argument. The
>CCSP Cisco Secure PIX Firewall Advanced book (which isn't very
>advanced, btw), notes if_name is "the interface where data leaves
>from".
>
>From my experiments the CSPFA book is correct in that if I say:
>
>ip addr inside 10.0.0.0 255.0.0.0
>ip addr outside 200.200.200.2 255.255.255.0
>
>route inside 0 0 200.200.200.1
>
>then packets are sent out the *inside* interface, and the PIX ARPs for
>200.200.200.1.
>
>So the command does pretty much as it says - but why would you ever
>want to care about forcing the next-hop interface when you've a
>perfectly good route table to hand? (maybe it's too late at night?!)
>
>Ben
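The behaviour Ben observed (traffic leaving the named interface and ARPing there, regardless of where the next hop actually lives) is easy to lint for. Below is an added example, not code from the thread, that parses PIX 6.x `route` lines, reconstructs the interface table from the quoted `ip address` config (the subnets are taken from the post; everything else is assumed), and flags routes whose forced `if_name` does not match the interface connected to the next hop.

```python
import ipaddress

# Constructed from the quoted post's config: each "ip address" line becomes
# interface name -> connected subnet (mask applied to the address given).
INTERFACES = {
    "inside": ipaddress.ip_interface("10.0.0.0/255.0.0.0").network,
    "outside": ipaddress.ip_interface("200.200.200.2/255.255.255.0").network,
}


def parse_route(line):
    """Parse 'route if_name dest mask gateway' (PIX 6.x syntax).

    The PIX shorthand 'route inside 0 0 gw' means 0.0.0.0 0.0.0.0 (default).
    Returns (if_name, destination network, next-hop address).
    """
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a PIX route line: {line!r}")
    if_name, dest, mask, gateway = parts[1:5]
    dest = "0.0.0.0" if dest == "0" else dest
    mask = "0.0.0.0" if mask == "0" else mask
    network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    return if_name, network, ipaddress.ip_address(gateway)


def connected_interface(interfaces, next_hop):
    """Router-style lookup: which connected subnet contains the next hop?"""
    next_hop = ipaddress.ip_address(next_hop)
    for name, net in interfaces.items():
        if next_hop in net:
            return name
    return None


def check_route(interfaces, line):
    """Return a warning if the forced if_name disagrees with the interface
    actually connected to the next hop, else None."""
    if_name, network, next_hop = parse_route(line)
    if if_name not in interfaces:
        return f"{line}: unknown interface {if_name}"
    expected = connected_interface(interfaces, next_hop)
    if expected == if_name:
        return None
    where = expected or "no connected subnet"
    return (f"{line}: next hop {next_hop} is on {where}, but traffic for "
            f"{network} will leave via {if_name} and be ARPed for there")
```

Run it over the `route` lines of a saved config; a non-None result is exactly the misdirected default route from the post.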