Technical argument regarding Ethernet/TCP/IP

XOR != OR

A friend and I are having an argument about how a PIX firewall is or is not a router.

My argument is thus:

1) The firewall takes packets from network A and puts them on network B. That's the definition of a router, therefore it's a router

His argument is this:

1) A router encaps the packets with a new address header at every hop. A PIX firewall strips all address information and then encapsulates it with address headers

I'm questioning if that's really how routing works, as I had a completely different concept. Anybody care to contribute?
 
A dedicated PIX firewall (what it does) is not routing. It's SPI on the layer 2 and layer 3 levels.

A Cisco router running the firewall module for IOS might be more accurate in what you're thinking.
 
Our firewalls have the capability of running multiple virtual routers within them!
 
His argument is this:

1) A router encaps the packets with a new address header at every hop. A PIX firewall strips all address information and then encapsulates it with address headers

I don't understand his point. The router rewrites the MAC address field if simply routing from point A to point B. However, a router performing NAT will change either the source or the destination IP as well. This isn't any different than what a PIX does.

The PIX has routing functionality built into it. It routes between subnets. The PIX can also participate in RIP, OSPF, and EIGRP, all of which are routing processes. In my book, that's what a router does. Granted, the PIX/ASA does not have all the routing features that an ISR does. But an ISR does not have all the security features that an ASA does either. At the most basic level though, I would say that the PIX absolutely performs the basic functions of a router.
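The header changes this reply describes, as an added example that is not part of the original thread: a plain routed hop rewrites only the Ethernet MACs and decrements the TTL, while a hop doing source NAT also rewrites the source IP. All MAC and IP values and function names are constructed for illustration; transport-layer checksums, which NAT would also have to update, are left out.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl=64, payload=b"ping"):
    """Constructed sample: Ethernet II header + 20-byte IPv4 header + payload."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0,
                               ttl, 17, 0, src_ip, dst_ip))
    struct.pack_into("!H", ip, 10, ip_checksum(bytes(ip)))
    return dst_mac + src_mac + b"\x08\x00" + bytes(ip) + payload

def forward(frame, out_mac, next_hop_mac, nat_src_ip=None):
    """One hop: new layer-2 header, TTL - 1, optional source NAT, fresh checksum."""
    ip = bytearray(frame[14:34])
    if ip[8] <= 1:
        raise ValueError("TTL expired; a real device would send ICMP time exceeded")
    ip[8] -= 1
    if nat_src_ip is not None:
        ip[12:16] = nat_src_ip           # only NAT touches a layer-3 address
    ip[10:12] = b"\x00\x00"              # zero the checksum field before recomputing
    struct.pack_into("!H", ip, 10, ip_checksum(bytes(ip)))
    return next_hop_mac + out_mac + frame[12:14] + bytes(ip) + frame[34:]

def describe(frame):
    """Return the header fields the thread argues about."""
    return {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "src_ip": ".".join(map(str, frame[26:30])),
            "dst_ip": ".".join(map(str, frame[30:34])), "ttl": frame[22]}

# Constructed sample values (not from the thread).
HOST_MAC, GW_IN_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
GW_OUT_MAC, NEXT_MAC = bytes.fromhex("020000000003"), bytes.fromhex("020000000004")
INSIDE_IP, SERVER_IP, NAT_IP = bytes([10, 0, 0, 5]), bytes([198, 51, 100, 7]), bytes([203, 0, 113, 1])

original = build_frame(GW_IN_MAC, HOST_MAC, INSIDE_IP, SERVER_IP)
routed = forward(original, GW_OUT_MAC, NEXT_MAC)                     # plain routing
natted = forward(original, GW_OUT_MAC, NEXT_MAC, nat_src_ip=NAT_IP)  # routing + source NAT

if __name__ == "__main__":
    for name, f in (("original", original), ("routed", routed), ("natted", natted)):
        print(name, describe(f))
```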
 
A PIX cannot route a packet out the same interface it was received on.

Therefore limiting any pseudo-routing capability.
 
A PIX cannot route a packet out the same interface it was received on.

Therefore limiting any pseudo-routing capability.

'same-security-traffic intra-interface' command enables exactly this. It was introduced in version 7.0(1) of PIX code.
 