RE: [fw-wiz] PIX Logging Analysis

From: Dave Rinker (firewall@dsrtech.com)
Date: 03/06/03

    From: Dave Rinker <firewall@dsrtech.com>
    To: firewall-wizards@honor.icsalabs.com
    Date: 05 Mar 2003 20:17:23 -0500
    

    I found ipaudit to be excellent. I deployed one interface on the outside
    of the FW with a loopback host IP and the other to a management
    interface so as not to bypass the PIX altogether (PIX 525), then employed
    iptables to block all connections on the outside interface. The box
    still listens to the traffic but drops any connection attempts. This way
    I get to see all the hack attempts on the outside. Note you'll need
    either a hub (for the 501) or a switch to span the ports. Cat 2950 does
    not work with this app. I used a Cat 3500 but a 2912 or 2924 will do as
    well. Cat 2950 puts the interface up/down and the box does not see the
    link.

    Below are the dynamic and static. I had issues as well. The PIX 6.2.2
    code did not accept the pppoe statement at the end of the command
    "ip address outside <ip_address> <mask> pppoe" for me (static). I
    believe it to be related to my ISP, as I've removed all the vpdn config
    entries and I still connect with no issues (go figure). If I remember
    correctly I also had an issue with the "setroute" statement and had to
    add a default to get it to work. These both worked with an ADSL
    connection.

    I haven't seen any bugs acknowledged by Cisco for the pppoe issues I've
    had, but we'll see in the new code if it differs.

    Best of luck.

    ********************dynamic********************

    ip address outside pppoe setroute
    !
    vpdn group isp request dialout pppoe
    vpdn group isp localname <username-for-dsl>
    vpdn group isp ppp authentication chap
    vpdn username <username-for-dsl> password <password-for-dsl>
    vpdn enable outside

    *********************static*********************

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pix501
    access-list 101 deny ip 0.0.0.0 255.0.0.0 any
    access-list 101 deny ip 127.0.0.0 255.0.0.0 any
    access-list 101 deny ip 10.0.0.0 255.0.0.0 any
    access-list 101 deny ip 192.168.0.0 255.255.0.0 any
    access-list 101 deny ip 169.254.0.0 255.255.0.0 any
    access-list 101 permit tcp any host 1.1.1.1 eq www
    access-list 101 permit tcp any host 1.1.1.1 eq smtp
    !
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1492
    mtu inside 1500
    ip address outside 1.1.1.1 255.255.255.0
    ip address inside 192.168.0.1 255.255.255.0
    !
    global (outside) 1 interface
    nat (inside) 1 192.168.0.5 255.255.255.255 0 0
    nat (inside) 1 192.168.0.6 255.255.255.255 0 0
    !
    static (inside,outside) tcp interface www 192.168.0.2 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255 0 0
    access-group 101 in interface outside
    !
    route outside 0.0.0.0 0.0.0.0 1.1.1.x 1
    !
    vpdn group isp request dialout pppoe
    vpdn group isp localname <username-for-dsl>
    vpdn group isp ppp authentication chap
    vpdn username <username-for-dsl> password <password-for-dsl>
    vpdn enable outside
    : end

    On Wed, 2003-03-05 at 15:03, Paul Stewart wrote:
    > Thanks very much.. I'd love to see a copy of your configs as I'm having
    > problems with 6.2 and DSL right now. I highly agree that even with lots of
    > automation a human is needed, hence why we'll charge a good fee
    > monthly.. :) And, thanks for the link to ipaudit.. Sounds like what we're
    > looking for..
    >
    > Take care,
    >
    > ---
    > Paul Stewart
    > Network Solutions Specialist
    > Nexicom Inc.
    > http://www.nexicom.net/
    > (705)932-4127 Office
    > (705)932-2329 Fax
    >

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
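As an added example (not part of Dave's post and not PIX code), the small Python evaluator below parses the access-list 101 lines from the static config above and applies PIX first-match semantics with the implicit deny at the end, so you can check which source, destination and port combinations the outside interface would actually let through before you go hunting for them in the logs. The ACL text is copied from the config above; the probe addresses used to exercise it are constructed.

```python
import ipaddress

# Copy of access-list 101 from the static config posted above (PIX 6.2 syntax).
PIX_ACL = """
access-list 101 deny ip 0.0.0.0 255.0.0.0 any
access-list 101 deny ip 127.0.0.0 255.0.0.0 any
access-list 101 deny ip 10.0.0.0 255.0.0.0 any
access-list 101 deny ip 192.168.0.0 255.255.0.0 any
access-list 101 deny ip 169.254.0.0 255.255.0.0 any
access-list 101 permit tcp any host 1.1.1.1 eq www
access-list 101 permit tcp any host 1.1.1.1 eq smtp
"""
# Only the service names the posted ACL uses are mapped here.
PORT_NAMES = {"www": 80, "smtp": 25}

def parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A MASK'. PIX ACLs use real netmasks, not IOS wildcards."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_acl(text):
    """Turn 'access-list <id> <permit|deny> <proto> <src> <dst> [eq <port>]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[2], tokens[3]
        rest = tokens[4:]
        src = parse_addr(rest)
        dst = parse_addr(rest)
        port = None
        if rest and rest[0] == "eq":
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins; if nothing matches, the PIX applies its implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"
```

Running probes such as a spoofed 10.x source, a legitimate connection to port 80 and an attempt on port 22 shows the bogon denies firing first and everything not explicitly permitted falling through to the implicit deny.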

