Is it still very counterintuitive to set up a PIX to _not_ do the eevul NAT? Is the PIX no longer PeeCee hardware underneath (I know they got rid of the HDD) so as not to bring NOs down to the level of the great unwashed throngs of desktop users?
Of course, PIX is still a CISCO - this means _configure it by Cisco's example and modify, do not write out the configuration from scratch_ (Cisco have a very bold history of different bugs and behaviours, such as 'VoIP requires 'ip routing' on 36xx and 53xx'). But, after all, it works without major problems, and became very easy to manage (I have an automatic configuration repository with a web interface, CVSWEB archive, and so on - and it always takes 1 minute to save the config, check the config, check changes that happened during the last week, revert the configuration back, even to update PIX OS in a redundant environment). For Checkpoint owners (we have some legacy in the company), it is a very complicated (often impossible) process. Security advisories are another issue, but I'd expect more about Checkpoint, stating that it is based on a general OS.
Globalstar Communications (408) 933-4387