Calling all CISCO gurus - PDM Question

Discussion in 'Cisco' started by Chris Keath, Sep 19, 2004.

  1. Chris Keath

    Chris Keath Guest

    Will PDM allow me to do everything to control this firewall?
    Or are certain things only really done via command line?

    I'm possibly interested in a Pix vs. Netscreen, but there is no PDM
    demo to allow me to see if it will allow me to create simple rules
    like 1-1 nat, open services, etc. via PDM... I don't know Cisco
    shell commands.
    Chris Keath, Sep 19, 2004
  2. Your subject line and body are somewhat of an oxymoron. CISCO gurus don't
    use PDM, therefore they will be unable to answer your question. :)

    Fortunately I'm not a Cisco guru so I can attempt an answer. You can do
    pretty much all of the basic tasks with PDM.

    Michael Janke, Sep 19, 2004
  3. I will echo Mike's comments with one addition. It's clearly obvious that
    PDM is written by Cisco gurus who don't use PDM or any other GUI config
    tool. PDM, as compared to other web based config tools for competitive
    products, is convoluted to say the least. I just set up a 501 for a small
    company and where I was able to do everything in PDM it took a while to
    figure out exactly what needed to be done and where to go to do it. It was
    helpful to learn the script commands so I could troubleshoot the config
    written by PDM, figure out where it was wrong, and then go back to PDM to
    figure out how to do it right.

    With that said, I was able to get the 501 up and running the way I needed
    but it took me twice as long as I think it should have even considering that
    it was all new to me when I started. However, now that I've gone through
    that learning curve, I wouldn't hesitate to recommend and/or install another
    one. Fact is the PIX is far more configurable than other firewall appliances
    I've worked with but that configurability comes with the price of complexity.
    Robert R Kircher, Jr., Sep 19, 2004
  4. Chris Keath

    PES Guest

    I only recommend that those who aren't comfortable with the cli make minor
    configuration adjustments via the pdm. The pdm is limited in that most
    consider it a secondary configuration mechanism. I have seen instances
    where the pdm can hang a pix. One client that I have has a need for the
    alias command to translate dns. They only have a single external ip address
    so the dns keyword in a static will not work. The pdm doesn't recognize the
    command and pix freezes. No traffic can pass. Also, it can be a pain to
    change subnet via pdm. It will complain that the dhcp scope doesn't match
    and refuse to make the change. I think the pdm is good only for permitting
    on site admins to make minor configuration changes after the initial

    Most other vendors utilize web management as their primary means of
    administration and therefore are more complete in functionality.
    PES, Sep 19, 2004
  5. PDM can do that.

    The PIX uses a different command language than the Cisco CatOS switches
    or the Cisco IOS routers or switches. IOS is slightly closer, but
    that's not going to matter to you.

    I would point out that a GUI is a different form of command language,
    in which the verbs are mouse clicks, and the relationships
    between the parts of the language are indicated by positional information.

    (English uses positional information too. "Dog bites man" is different
    than "Man bites dog", whereas in Latin and [I have read] German,
    the modifiers on the words control the relationship between the words.)

    I would claim that learning that one has to go to the top of the
    screen, click on Tools, click on Options, wait, click on the General
    tab of the page that comes up, and click on the button "Empty cache now"
    involves mental effort comparable to learning to type "clear disk cache".
    But once you know what you are doing, automating "clear disk cache"
    is usually much easier than automating a bunch of click-and-waits.
    Walter Roberson, Sep 20, 2004
