Re: [fw-wiz] PIX assessment
From: Nate Itkin (firewall-wizards_at_konadogs.net)
To: email@example.com
Date: Wed, 5 Oct 2005 09:13:44 -1000
> On Mon, Sep 26, 2005 at 06:43:56AM -0700, vulnerable wrote:
> hello all.
> I'm doing an assessment on the config of a pix running 6.3. Not being
> much of a pix expert, I have a few questions.
> From reading documentation it is my understanding that if you have
> traffic flowing from inside (higher security level) to dmz (lower
> security level) interface then you will not require either an ACL or a
> static statement permitting this.
By default, all connections initiated on a network with a higher security
level are allowed out, and you configure any restrictions required.
> However, this particular config is
> declaring transparent statics that the documentation I've read says
> are unnecessary. Any reasons why they may be doing this? I'm going
> through a rather long config (3000+ lines), and running some perl mojo
> I find that there are over 300 statics defined for addresses behind
> the inside interface. Useless? Something that perhaps the PDM does?
The static command creates a one-to-one address translation rule (called
a static translation slot or "xlate"). Translation slots do not permit
or deny traffic. The default ACL that permits all connections initiated
on a network with a higher security level allows the traffic to pass. The
translation slots may have been created to map specific hosts and/or ports
on the higher security interface(s) to specific hosts and/or ports on the
lower security interface(s).
> Oh, I've also been trying to track down the latest rev of pixOS 6.3.
> Can't find it anywhere on cisco's public site.
You get to pay Cisco unless you have a maintenance contract.
> Also, I've been using the enterastream documentation (1) as a
> reference, is there anything else out there that is worth looking at?
> 1) http://www.enterastream.com/whitepapers/cisco/pix/pix-practical-guide.html
Manuals for the PIX Firewall Software can be found here:
- Nate Itkin
firewall-wizards mailing list
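The "perl mojo" the poster mentions is the right instinct for a 3000-line config: sort the statics by what they actually do before arguing about whether they are needed. The script below is an added example for this thread, not code from either poster. It parses PIX 6.x `nameif` and `static` lines, separates identity statics (same address on both sides, the "transparent" ones in the question) from address translations and port redirections, and then lists the identity statics that sit between a higher and a lower security interface, where the address does not change. The sample config, interface names and addresses are constructed for illustration.

```python
"""Sort the 'static' commands in a PIX 6.x config by what they actually do.

Added example for this thread; not code from the original post.  The sample
config below, its interface names and its addresses are constructed.
"""
import re
from collections import Counter

# Constructed sample config (hypothetical interfaces and addresses).
SAMPLE_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (dmz) 1 interface
static (inside,dmz) 10.1.1.5 10.1.1.5 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.1.6 10.1.1.6 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.2.0 10.1.2.0 netmask 255.255.255.0 0 0
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.11 www 10.1.1.11 8080 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface smtp 172.16.1.25 smtp netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)\s*$")
IFC_PAIR_RE = re.compile(r"^\((\S+),(\S+)\)$")


def parse_security_levels(config_text):
    """Map interface name -> security level, taken from 'nameif' lines."""
    levels = {}
    for line in config_text.splitlines():
        m = NAMEIF_RE.match(line.strip())
        if m:
            levels[m.group(1)] = int(m.group(2))
    return levels


def parse_static(line):
    """Parse one PIX 6.x 'static' command into a dict, or return None.

    Forms handled:
      static (real,mapped) MAPPED_IP REAL_IP [netmask MASK] [conns [emb]]
      static (real,mapped) {tcp|udp} MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT [netmask MASK] ...
    """
    tok = line.split()
    if len(tok) < 4 or tok[0] != "static":
        return None
    pair = IFC_PAIR_RE.match(tok[1])
    if not pair:
        return None
    entry = {"real_ifc": pair.group(1), "mapped_ifc": pair.group(2),
             "proto": None, "mapped": None, "mapped_port": None,
             "real": None, "real_port": None, "mask": None}
    rest = tok[2:]
    if rest[0] in ("tcp", "udp"):
        if len(rest) < 5:
            return None
        (entry["proto"], entry["mapped"], entry["mapped_port"],
         entry["real"], entry["real_port"]) = rest[:5]
        rest = rest[5:]
    else:
        entry["mapped"], entry["real"] = rest[:2]
        rest = rest[2:]
    if len(rest) >= 2 and rest[0] == "netmask":
        entry["mask"] = rest[1]
    return entry


def classify(entry):
    """'port' = port redirection, 'identity' = same address on both sides
    (the 'transparent' statics in the question), 'address' = real NAT."""
    if entry["proto"]:
        return "port"
    if entry["mapped"] == entry["real"]:
        return "identity"
    return "address"


def audit_statics(config_text):
    """Return (Counter of kinds, list of parsed statics in config order)."""
    statics = [e for e in (parse_static(l.strip()) for l in config_text.splitlines()) if e]
    return Counter(classify(e) for e in statics), statics


def higher_to_lower_identity(config_text):
    """Identity statics whose real interface outranks the mapped interface.
    No address changes on these; their only effect is the fixed xlate."""
    levels = parse_security_levels(config_text)
    _, statics = audit_statics(config_text)
    return [e for e in statics
            if classify(e) == "identity"
            and levels.get(e["real_ifc"], -1) > levels.get(e["mapped_ifc"], -1)]


if __name__ == "__main__":
    counts, _ = audit_statics(SAMPLE_CONFIG)
    print(dict(counts))
    for e in higher_to_lower_identity(SAMPLE_CONFIG):
        print(f"identity static {e['real_ifc']}->{e['mapped_ifc']} "
              f"{e['real']} mask {e['mask'] or '(none)'}")
```

Run it against the real config (replace SAMPLE_CONFIG with the file contents) and read the identity list next to any `nat`/`global` pair for the same interfaces: on the PIX a static takes precedence over nat/global for the hosts it names, so an identity static from inside to dmz pins those hosts to their real addresses where a `global (dmz)` would otherwise translate them. That is a legitimate reason for "transparent" statics to exist and is worth confirming before calling 300 of them useless. Net statics (a non-/32 netmask) and port statics are reported separately because removing them changes reachability, not just the xlate table.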