Netfilter vs Cisco PIX


The Cisco PIX is capable of stateful inspection. I would have to say
that working with a pix via the command line is not the most pleasant
experience. It lacks rule reordering without a complete reload of the
config via tftp or cut-and-paste and also lacks many of the targets
available to iptables. Its NAT capability is very basic since it uses
the security level per interface approach. One of my biggest complaints
with the pix is that it lacks the ability to dnat based on the ip and
port. It can only do dnat with a one to one approach. Finally if that
wasn't enough you can't even do some of the basic routing tricks you can
do with a cisco router.

On the flip side it does support websense (url blocking software) and
its syntax for configuration is like cisco ios so that makes it easy for
the CCIEs to use it. There is a java based web configuration screen but
it is not near as nice as say a checkpoint fw1 or netscreen system.



On Wed, 2002-10-16 at 15:54, İhsan Turkmen wrote:
> Hi..
> I am using netfilter (iptables) for about 5 months time, and like it very
> much. When it comes to comparison to other vendor solutions, I would always
> be in favour of iptables because it will be one and maybe the only firewall
> in the future. It deserves this reputation even today.
>
> I am expected to CONVINCE one of my personal customers to give up buying PIX
> and use iptables instead. Since, I did not have personal experience with
> PIX, I am not armored with necessary information that will be needed for
> such a duty. I once heard it was not a stateful firewall, but a packet
> filter only. Can u give me a comparison table, or links about this issue?
> Please answer to my e-mail because I am not a member of the list.
>
> Best regards..
>
> Ihsan Turkmen




