Thread: Checkpoint vs. Cisco ASA




Checkpoint vs. Cisco ASA
user name
2006-11-22 17:18:58
Hi,

Our company is considering replacing our Checkpoint firewall for a Cisco ASA-5520 appliance.  Does anyone on this list have any experience with ASA box, and if so what is your opinion on them.   We are currently running R55 on our Corrent SR200 appliance, and are looking at migrating to a Dell Poweredge 1950 server with R61/R62 (not sure which is best to go to).

I need some ammunition on pros/cons of Cisco compared to Checkpoint.

Any information would greatly be appreciated.

Thanks,

Sean



The information contained in this e-mail message is
confidential and 
protected by law.  The information is intended only for the
person or 
organization addressed in this e-mail.  If you share or copy
the 
information you may be breaking the law.  If you have
received this e-mail 
by mistake, please notify the sender of the e-mail by the
telephone number 
listed on this e-mail.  Please destroy the original; do not
e-mail back 
the information or keep the original.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
Checkpoint vs. Cisco ASA
user name
2006-11-22 17:40:41
Sean Donaghey/HDGH wrote:
> Hi,
>
> Our company is considering replacing our Checkpoint firewall for a Cisco
> ASA-5520 appliance.  Does anyone on this list have any experience with ASA
> box, and if so what is your opinion on them.   We are currently running
> R55 on our Corrent SR200 appliance, and are looking at migrating to a Dell
> Poweredge 1950 server with R61/R62 (not sure which is best to go to).
>
> I need some ammunition on pros/cons of Cisco compared to Checkpoint.
>
> Any information would greatly be appreciated.
>

the price/performance of ASA is unbeatable by FW-1 (i mean for about 8000usd you get an appliance that has no silly users limit, enough throughput for a medium company, and supports addons like ids, vpn accelerator at a fraction of the cost).
if you like a pretty gui for managing the firewall, cisco isn't that great.

i would go for cisco without a second thought.

Checkpoint vs. Cisco ASA
user name
2006-11-22 18:39:29
hi,
I've gone through several painful Checkpoint to Pix migrations (I consider Pix and ASA the same unless you want to talk about the IPS module and WebVPN craps that cisco claimed is a good addon feature) so I think I can share all the nightmares that I have with you.

  1) If you have a fairly simple policy and do not change the policy very often, then going to ASA is probably a good idea.  The pix/asa provides higher performance because the OS itself is on the flash and that makes it very fast, suitable for E-commerce applications.

  2) Pix/ASA is NOT a router so there are things that you can do in Checkpoint that you can not do with Pix/ASA.  For example, if you have two networks 192.168.1.0/24 and 192.168.2.0/24 and they are both behind the pix firewall.  The problem is that hosts in network 192.168.1.0/24 can not communicate with hosts in network 192.168.2.0/24 due to hairpinning.  In other words, traffics can not go in and out of the same interface due to security level on the pix/ASA.  Remember, pix is NOT a router.

  3) You can not assign secondary ip addresses on the ASA/Pix devices.  You will have to use 802.1q for that.

  4) Managing the policy on the ASA/Pix is a nightmare especially if you have 10 or more physical/logical interfaces.  There is NO revision control so that you can roll back the policy if needed.  Cisco Security Manager (CSM) is a piece of junk.  Cisco tries to imitate Provider-1 but it just sucks.  Do not buy it.

  5) Cisco ASDM is a major improvement over the old Cisco PDM but it is still buggy.  I've found several bugs with the latest version that cisco has.

  6) there is no tool like web visualization tool or fw1rules.pl for you to generate security policy in ASA like you currently have in Checkpoint.

  7) Just keep in mind that Pix is NOT a routing device while Nokia IP appliances and SPLAT are.  There are things that you can do with the routing device that you can not do with Cisco Pix/ASA.

  In summary, unless you have a very good reason to go from checkpoint to Pix/ASA, do NOT do it.  there is no upside to this.  Well, maybe one.  Cisco TAC is about 20 times more superior than Checkpoint TAC.
   
  

Checkpoint vs. Cisco ASA
user name
2006-11-22 18:49:45
Sin,
  It is ok for you to drink the cisco Kool Aid but please do not make statements without knowing exactly what the requirements might be.  Cisco Pix/ASA performs much better than Checkpoint BUT there are limitations to what it can and can not do.  The 7.x code is so unstable that it is not funny.  That's why you see the letter 7.x.x(ED) for Early Deployment (aka beta) on the 7.x code.  Problem is that ASA appliances run only on 7.x code while Pix firewall can run on 6.3(5) code which is GD (General Deployment).

  Jeremy,
  Unless you have specific reasons to go with Cisco Pix/ASA, I would recommend that you stay with Checkpoint.  I am NOT a checkpoint fan (I bash checkpoint on a regular basis in terms of the TAC support) but I have to give credit where it is due.  In terms of firewall management, Checkpoint is the best in the class.  Try to deploy a policy with 20 physical/logical interfaces with about 800 rules on the Pix/ASA device and you will see what I mean.

  Now if you want to migrate from checkpoint to ASA/Pix due to better TAC support from Cisco, then I would say "go for it".  Otherwise, stay with Checkpoint.

  cisco4ng

Checkpoint vs. Cisco ASA
user name
2006-11-22 19:51:32
Sean,

It looks like Cisco4NG has given you quite a bit of ammunition for the fight.  I have to agree with him, that Check Point has some features that just can't be done with the ASA box without some serious architecture changes.  In the past, when I've helped customers make the migration from Check Point, a couple things always crop up.  The first is that policy migration doesn't happen without quite a bit of leg work.  The second is that the amount of time to resolve issues doubles after the migration happens.  Excluding small IT departments, usually people have been hired for their current knowledgebase and they usually know what's currently in place.  Now you've got to deal with new headaches, and those just take longer to work out by everyone involved.

Just to throw some more information your way, take a look at the Juniper boxes.  They are appliances, and have a GUI editor for policies (NSM).  The pricing includes support, and on top of that, Juniper support seems to be some of the best in the industry.

Jason

Checkpoint vs. Cisco ASA
user name
2006-11-22 20:23:55
Sean,
  It looks to me that your checkpoint is NOT an issue.  The issue is that you're trying to do too much with the Checkpoint firewall (internet access and site-2-site VPN) on the same device.  What makes you think that you will not run into issues with the ASA?

  Here is what I would do if I were you:

  1) separate Internet traffic and site-2-site VPN traffics.  In other words, you use a separate device (I like Cisco IOS router like the 3745 with encryption module) so that you can terminate remote access and site-2-site vpn on the cisco device.  Once the traffics are decrypted, you can let the checkpoint firewall inspect it.

  2) have the checkpoint do stateful inspection and the router handle vpn traffics.  I am willing to bet if you follow this approach, you will NOT run into firewall performance issues.

  A lot of Cisco SEs are idiots.  They can only talk but when you ask them specific questions, they don't know sh_t (pardon my language).  One of the reasons that I like about my job is that whenever I have to make technical recommendations to our customers, I almost always have to talk to some SEs from Cisco, and nine of ten times, I can shut them up quickly because I know what Cisco Pix/ASA can and can not do.  Somewhere in the conversation, I also throw in the fact that as a certified CCIE Security, I know first hand how difficult it is to manage a Cisco Pix/ASA device.  Cisco makes good networking products but their security products are lousy.

  I think if you prepare yourself with the pro/con of going to checkpoint to Pix, your manager will listen to you.  The cisco person at your company, unless he is also knowledgeable with Checkpoint, is in no position to make recommendations, IMHO.

  last but not least, I am also using NetScreen NSM product from Juniper and I can say that the product is still buggy.  NSM is nothing but Checkpoint Provider-1 knock-off.

Checkpoint vs. Cisco ASA
user name
2006-11-22 21:08:10
On 11/22/06, cisco4ng <cisco4ngyahoo.com> wrote:
>
>   2) Pix/ASA is NOT a router so there are things that you can
> do in Checkpoint that you can not do with Pix/ASA.  For example,
> if you have two networks 192.168.1.0/24 and 192.168.2.0/24
> and they are both behind the pix firewall.  The problem is that
> hosts in network 192.168.1.0/24 can not communicate with hosts
> in network 192.168.2.0/24 due to hairpinning.  In other words,
> traffics can not go in and out of the same interface due
> to security level on the pix/ASA.

Do you mean "same-security-traffic permit intra-interface"?
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

Checkpoint vs. Cisco ASA
user name
2006-11-22 20:55:30
Hi,

I am not saying that we won't have a problem after going to ASA.  I am not the one suggesting we go to it.  By bringing all the Checkpoint traffic onto the ASA box, along with all the other traffic, I know we will have some kind of traffic issue.

Our Cisco guy, is not the person recommending ASA to my director (AFAIK), but I think the vendor is.  The vendor is pretty Cisco certified, and I am sure that he has his CCIE also, but I am not sure of his experience with PIX/ASA.  Our Cisco guy has taken the CCNA course (and so have I over a year ago), and that is all the experience he has.  He has played with our current PIX over the last little bit, but nothing much.  He was my Checkpoint backup at one point, but I pushed him out, as he was really bad at it, and I couldn't trust him with anything.  I also think he is the one giving false information to my director, so he can get back at me.

I really do not want to look at implementing a Cisco router for the VPN stuff right now.  That would just fuel the migration to ASA even more.  I am looking at getting a more powerful server to run Splat on though, so firewall performance should improve quite a bit.  I have to change the hardware, as the current box (Corrent SR200) does not have any support on it, as the vendor went out of business this year.

I greatly appreciate your honesty on this, as I need to come up with something for my director, and hopefully change his mind on this once and for all.

Thanks,
_______________________________________
Sean P. Donaghey
Information Services - Sr. Technical Analyst
Hôtel-Dieu Grace Hospital
1030 Ouellette Avenue
Windsor, Ontario  N9A 1E1
Canada
Tel:(519) 973-4411 Ext. 3717
Fax:(519) 255-2206
Email: Sean.Donagheyhdgh.org




Checkpoint vs. Cisco ASA
user name
2006-11-23 01:56:13
I am very aware of this command in version 7.2(x).  Sadly, it was not available for me because some of my customers are still on 7.1(2) or lower and version 7.2(x), according to Cisco, is still buggy.

  my 2c

Robby Cauwerts <robbyCAUWERTS.BE> wrote:
> On 11/22/06, cisco4ng wrote:
> >
> > 2) Pix/ASA is NOT a router so there are things that you can
> > do in Checkpoint that you can not do with Pix/ASA. For example,
> > if you have two networks 192.168.1.0/24 and 192.168.2.0/24
> > and they are both behind the pix firewall. The problem is that
> > hosts in network 192.168.1.0/24 can not communicate with hosts
> > in network 192.168.2.0/24 due to hairpinning. In other words,
> > traffics can not go in and out of the same interface due
> > to security level on the pix/ASA.
>
> Do you mean "same-security-traffic permit intra-interface"?
> http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
Checkpoint vs. Cisco ASA
user name
2006-11-23 08:17:44
Hi all,

1, There is No Software without bug.
2, Try to find out what kind of features would you like to use and ask the TAC for version that has the specified features in stable state.
3, ASA can route back traffic on the same interface. (But, my point of view: a firewall should not be a router, they are different services that are migrated because of the bloody marketing who create multifunctional devices without the knowledge of networking! At the end there will be the big f*uckin' BOX, that will do everything, like email server, firewall, router, web server, application server, cache engine, vpn terminator, load balancer, ... EVERYTHING!)
4, The config and the OS management is very fast and easy at ASA and PIX.
5, The GUI is sick at ASA and the people also who expect GUI for a Cisco product. I do not understand why GUI is so important?...
6, I was drunken and I am reeeeaally sick now ))

Just another option:
http://www.balabit.com/products/zorp/

