Re: [fw-wiz] PIX assessment

From: Nate Itkin (firewall-wizards_at_konadogs.net)
Date: 10/05/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 5 Oct 2005 09:13:44 -1000
    
    

    > On Mon, Sep 26, 2005 at 06:43:56AM -0700, vulnerable wrote:
    > hello all.
    > I'm doing an assessment on the config of a pix running 6.3. Not being
    > much of a pix expert, I have a few questions.
    > From reading documentation it is my understanding that if you have
    > traffic flowing from inside (higher security level) to dmz (lower
    > security level) interface then you will not require either an ACL or a
    > static statement permitting this.

    By default, all connections initiated on a network with a higher security
    level are allowed out, and you configure any restrictions required.

    > However, this particular config is
    > declaring transparent statics that the documentation I've read says
    > are unnecessary. Any reasons why they may be doing this? I'm going
    > through a rather long config (3000+ lines), and running some perl mojo
    > I find that there are over 300 statics defined for addresses behind
    > the inside interface. Useless? Something that perhaps the PDM does?

    The static command creates a one-to-one address translation rule (called
    a static translation slot or "xlate"). Translation slots do not permit
    or deny traffic. The default ACL that permits all connections initiated
    on a network with a higher security level allows the traffic to pass. The
    translation slots may have been created to map specific hosts and/or ports
    on the higher security interface(s) to specific hosts and/or ports on the
    lower security interface(s).

    > Oh, I've also been trying to track down the latest rev of pixOS 6.3.
    > Can't find it anywhere on cisco's public site.

    You get to pay Cisco unless you have a maintenance contract.

    > Also, I've been using the enterastream documentation (1) as a
    > reference, is there anything else out there that is worth looking at?
    > 1) http://www.enterastream.com/whitepapers/cisco/pix/pix-practical-guide.html

    Manuals for the PIX Firewall Software can be found here:

    http://www.cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html

    - Nate Itkin
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
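The assessment the original poster describes (scanning a long PIX 6.3 config for statics and deciding which are identity translations from a higher to a lower security interface) is easy to automate. The script below is an added example written for this page; it is not Nate Itkin's, the poster's, or Cisco's code. It assumes the PIX 6.x `nameif <hw> <name> security<N>` and `static (internal,external) [tcp|udp] global_ip [gport] local_ip [lport] ...` syntax, and the config fragment it parses is constructed for illustration. Note that, as the reply above says, a static only creates a translation slot; whether traffic is actually permitted is decided by the ACLs and the default higher-to-lower allow, so a config review must check those separately.

```python
import re
from collections import Counter

# Constructed PIX 6.3 config fragment (illustrative, not from the thread).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
static (inside,dmz) 10.1.1.5 10.1.1.5 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.1.6 10.1.1.6 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.10 10.1.1.7 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.20 172.16.1.20 netmask 255.255.255.255 0 0
static (inside,dmz) tcp 10.1.1.8 80 10.1.1.8 8080 netmask 255.255.255.255 0 0
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)\s*$")
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(.*)$")


def parse_pix_config(text):
    """Return (security_levels, statics) parsed from nameif and static lines."""
    levels = {}
    statics = []
    for raw in text.splitlines():
        line = raw.strip()
        m = NAMEIF_RE.match(line)
        if m:
            levels[m.group(1)] = int(m.group(2))
            continue
        m = STATIC_RE.match(line)
        if not m:
            continue
        internal, external, rest = m.group(1), m.group(2), m.group(3)
        tokens = rest.split()
        if tokens and tokens[0] in ("tcp", "udp"):
            # Port static: proto global_ip global_port local_ip local_port ...
            proto, global_ip, global_port, local_ip, local_port = tokens[:5]
        else:
            # Address static: global_ip local_ip ...
            proto, global_port, local_port = None, None, None
            global_ip, local_ip = tokens[:2]
        statics.append({
            "internal": internal, "external": external, "proto": proto,
            "global_ip": global_ip, "global_port": global_port,
            "local_ip": local_ip, "local_port": local_port, "line": line,
        })
    return levels, statics


def classify_static(static, levels):
    """Label a static by direction and by whether it translates anything."""
    hi = levels.get(static["internal"])
    lo = levels.get(static["external"])
    if hi is None or lo is None:
        return "unknown-interface"
    identity = (static["global_ip"] == static["local_ip"]
                and static["global_port"] == static["local_port"])
    if hi > lo and identity:
        # The "transparent statics" from the thread: same address on both
        # sides, higher to lower security, so no translation takes place.
        return "identity-high-to-low"
    if hi > lo:
        return "translating-high-to-low"
    return "low-to-high"  # outside NAT style static; worth a closer look


def summarize_statics(text):
    """Count statics per category; the assessor's 'perl mojo' in Python."""
    levels, statics = parse_pix_config(text)
    return Counter(classify_static(s, levels) for s in statics)


if __name__ == "__main__":
    lvls, sts = parse_pix_config(SAMPLE_CONFIG)
    for s in sts:
        print(f"{classify_static(s, lvls):24s} {s['line']}")
    print(dict(summarize_statics(SAMPLE_CONFIG)))
```

Identity statics from inside to a lower security interface neither translate nor permit anything on their own; on a config with hundreds of them they are clutter worth asking about, but removing them is only safe once the ACLs that actually govern the traffic have been reviewed.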

