This section looks into some confusions and commonly asked questions regarding PIX firewall in a question-and-answer format.
Can a PIX firewall function in both transparent and routed modes?
No, it can function either in routed or transparent Mode.
Is load balancing possible with a PIX firewall?
Yes, with Version 7.0, you can configure asymmetric routing with active/active failover setup. However, the load balancing must be configured on upstream or downstream routers.
Is NAT-control turned on by default on PIX firewall?
In PIX Firewall Version 7.0, the NAT-control command is turned off by default, which means that unless there is a matching source/destination NAT statement for the packet, NAT will not occur. However, unlike the older version of the code, if there is no match on the source or destination NAT, the packet will be allowed.
Can non-IP protocols be routed through the PIX firewall?
Yes, other protocols such as Internetwork Packet Exchange [IPX] and AppleTalk can function, but only if you configure transparent firewall, which is new in Version 7.0.
Is it possible to configure a transparent firewall in multiple contexts? If so, are there any restrictions?
Yes, a transparent firewall can be configured in multiple contexts. In both single and multiple contexts, there can be only one inside and one outside interface, unlike the routed mode, in which more than two interfaces are possible. However, in multiple contexts mode with a transparent firewall, you cannot share the same interface into multiple contexts.
Can policing traffic be configured inbound on the PIX firewall?
No. Unlike with routers, only outbound policing is possible on PIX Version 7.0.
Is ESMTP supported through the PIX firewall?
Yes, with Version 7.0, it is possible to send ESMTP traffic across PIX firewall inspected.
Is it possible to pass traffic between equal security level interfaces?
You can permit communication between interfaces with equal security levels by using the following command:
PIX(config)# same-security-traffic permit inter-interface
Is it possible route the packets back to the same interface as PIX learns the packet from?
Yes, permitting traffic in and out of the same interface is possible with the following command:
PIX(config)# same-security-traffic permit intra-interface
Can I configure time-based access-list on the PIX firewall?
Yes, beginning with PIX Firewall Version 7.0, time-based access-lists are available.