Just to throw in a little bit more info...
There's little comparison between the two. PIX is more of an address translation unit with firewalling capabilities. Firewall-1 is a fully functional firewall with limited address translation.
i.e. PIX has a pool of IP addresses... true address translation. Firewall-1 does address 'hiding', making it look to the external world like all connections come from a single IP.
Actually, hide mode is only one of the options in FW-1. You can do a static one-to-one allocation (but not dynamically).
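To make the three translation styles named above concrete (a pool of public addresses, static one-to-one, and hide mode behind a single IP), here is a small simulator. It is an added example, not code from the thread, from Cisco or from Check Point; the class names, the `translate`/`untranslate` methods and the RFC 5737 documentation addresses are all constructed for illustration, and real devices track far more state (protocol, timeouts, TCP state) than shown here.

```python
"""Toy model of three NAT styles: static 1:1, dynamic pool, and hide (PAT).

Constructed example. Addresses are RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]  # (inside IP, inside source port)


class NatExhausted(Exception):
    """Raised when no translation can be allocated for a flow."""


@dataclass
class StaticNat:
    """One-to-one mapping fixed in configuration (no dynamic allocation).

    Inbound connections to the public address can be mapped back, which
    is why static entries are what you use to publish a server.
    """
    table: Dict[str, str]  # inside IP -> public IP

    def translate(self, flow: Flow) -> Flow:
        ip, port = flow
        if ip not in self.table:
            raise NatExhausted(f"no static entry for {ip}")
        return (self.table[ip], port)  # port is preserved


@dataclass
class PoolNat:
    """Dynamic pool: each inside host leases a whole public address.

    Ports are preserved, but the pool is a finite resource: once every
    address is leased, a new inside host cannot get out at all.
    """
    pool: List[str]
    leases: Dict[str, str] = field(default_factory=dict)  # inside IP -> public IP

    def translate(self, flow: Flow) -> Flow:
        ip, port = flow
        if ip not in self.leases:
            if not self.pool:
                raise NatExhausted("address pool exhausted")
            self.leases[ip] = self.pool.pop(0)
        return (self.leases[ip], port)


@dataclass
class HideNat:
    """Hide mode / PAT: everything leaves from one public IP.

    Because the IP is shared, the source port has to be rewritten so the
    reply can be matched back to the right inside flow. Nothing inside is
    reachable from outside unless a binding already exists.
    """
    public_ip: str
    next_port: int = 10000
    bindings: Dict[Flow, int] = field(default_factory=dict)  # flow -> public port

    def translate(self, flow: Flow) -> Flow:
        if flow not in self.bindings:
            if self.next_port > 65535:
                raise NatExhausted("port range exhausted")
            self.bindings[flow] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.bindings[flow])

    def untranslate(self, public_port: int) -> Optional[Flow]:
        """Map a reply arriving on public_port back to the inside flow."""
        for flow, port in self.bindings.items():
            if port == public_port:
                return flow
        return None  # no binding: an unsolicited inbound packet is dropped


def run_demo() -> dict:
    """Drive the three models with constructed flows and collect the results."""
    results = {}
    static = StaticNat({"10.0.0.5": "203.0.113.5"})
    results["static"] = static.translate(("10.0.0.5", 4000))

    pool = PoolNat(["203.0.113.10", "203.0.113.11"])
    results["pool"] = [pool.translate(f) for f in
                       [("10.0.0.1", 1111), ("10.0.0.1", 2222), ("10.0.0.2", 1111)]]
    try:
        pool.translate(("10.0.0.3", 1))
        results["pool_exhausted"] = False
    except NatExhausted:
        results["pool_exhausted"] = True  # third host finds no free address

    hide = HideNat("198.51.100.1")
    results["hide"] = [hide.translate(("10.0.0.1", 5000)),
                       hide.translate(("10.0.0.2", 5000))]
    results["hide_reply"] = hide.untranslate(10001)
    results["hide_unsolicited"] = hide.untranslate(9)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The interesting contrast is in the failure modes: the pool model runs out of addresses as inside hosts multiply, while hide mode never runs short of addresses but must rewrite ports and, by construction, offers no path for unsolicited inbound traffic.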
I tend to prefer to keep routers as routers and firewalls as firewalls; it reduces CPU overhead, problem determination is easier, and configurations are kept in a distinct logical box. Of course this is at the expense of cost and space.
Agreed...but in certain situations, i.e. a widely diverse network, to follow this purist paradigm you really need a separate firewall/uniquely routed subnet. If someone has a 75XX with a T1 Internet connection, why not let the extra CPU go towards firewall functions? Granted, you are very limited in logging, authentication, and proxies or content monitoring, but such capabilities could be made with proprietary communication to a central firewall/management server...but then you are really straying away from IOS/whatever OS each router uses. In short, if it's built, someone will buy it. Is it enough people to pay for the development/political maneuvering?

---------------------------------------------------------------------------
Andrew Smith ** awsmith@neosoft.com ** Network Engineer ** 1-888-NEOSOFT **
"Opportunities multiply as they are seized" - Sun Tzu **
** http://www.neosoft.com/neosoft/staff/andrew **
---------------------------------------------------------------------------