RE: [fw-wiz] PIX assessment

From: Paul Melson (pmelson_at_gmail.com)
Date: 10/05/05

  • Next message: Mike Meredith: "Re: [fw-wiz] PIX assessment"
    To: "'vulnerable'" <vulnerable@gmail.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 5 Oct 2005 15:16:31 -0400
    
    

    -----Original Message-----
    Subject: [fw-wiz] PIX assessment

    > From reading documentation it is my understanding that if you have traffic
    > flowing from inside (higher security level) to dmz (lower security level)
    > interface then you will not require either an ACL or a static statement
    > permitting this. However, this particular config is declaring transparent
    > statics that the documentation I've read says are unnecessary. Any reasons
    > why they may be doing this? I'm going through a rather long config (3000+
    > lines), and running some perl mojo I find that there are over 300 statics
    > defined for addresses behind the inside interface. Useless? Something that
    > perhaps the PDM does?

    Don't get static statements and access-lists confused. A static, nat, or
    global command is a NAT command and nothing more. It is security-neutral.
    An access-list that is assigned to an interface via an access-group command
    becomes a filter for packets arriving at that interface. An access-list
    without an access-group command can be used to configure VPN tunnels (crypto
    map match), global NAT pools, etc.

    Without seeing the commands in some sort of context, I don't know that they
    are unnecessary, though if there are 300 of them then there may be a more
    efficient way to write them. Maybe you've got some
    safe-for-public-consumption examples you can share?

    > Oh, I've also been trying to track down the latest rev of pixOS 6.3.
    > Can't find it anywhere on cisco's public site.

    Last I checked, it's not public. I believe you will need a CCO login that's
    associated with one or more Cisco products that can run PIX OS. The
    customer should have something like this if they ever had a SmartNet
    contract for their PIX or even registered it. They should still be able to
    download PIX OS updates even if SmartNet has lapsed.

    PaulM

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
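The distinction Paul draws above (static/nat/global are NAT commands; an access-list only filters when an access-group binds it to an interface) is exactly what an assessor wants a script to surface when wading through a 3000-line config. The following is an added example, not code from Paul, the original poster, or the list: a small Python (rather than the poster's perl) parser for PIX 6.x-style commands that counts statics per interface pair, flags identity ("transparent") statics that map an address to itself, and reports which access-lists are packet filters, which are referenced only by nat 0 or crypto map match address, and which are unreferenced. The configuration fragment is constructed for the example; the address and port static forms it handles are assumptions about the command shapes in the config under review, and it makes no judgment about whether the identity statics are needed, since, as the reply says, that depends on the surrounding context.

```python
import re
from collections import defaultdict

# Constructed PIX 6.3-style configuration fragment for illustration only;
# addresses are documentation/private ranges and the names are made up.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list acl_outside permit tcp any host 203.0.113.10 eq www
access-list acl_outside permit tcp any host 203.0.113.11 eq smtp
access-list acl_dmz permit tcp host 172.16.1.10 host 10.1.1.20 eq 1433
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
access-list vpn_match permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
access-list acl_unused permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.11 172.16.1.11 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255 0 0
static (inside,dmz) tcp 10.1.1.21 80 10.1.1.21 80 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
crypto map vpnmap 10 match address vpn_match
"""

ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
NAT0_RE = re.compile(r"^nat \(([^)]+)\) 0 access-list (\S+)")
CRYPTO_MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")


def _parse_static(tokens):
    """static (real_if,mapped_if) [tcp|udp] mapped [mport] real [rport] ...
    (assumed command shapes; only these two forms are handled)."""
    real_if, mapped_if = tokens[1].strip("()").split(",")
    rest = tokens[2:]
    if rest[0] in ("tcp", "udp"):          # port static: proto mapped mport real rport
        proto, mapped, real = rest[0], rest[1], rest[3]
    else:                                  # address static: mapped real
        proto, mapped, real = None, rest[0], rest[1]
    return {"real_if": real_if, "mapped_if": mapped_if, "proto": proto,
            "mapped": mapped, "real": real, "identity": mapped == real}


def parse_pix(text):
    """Collect statics, access-list entries, access-group bindings and the
    non-filter uses of ACLs (nat 0 exemption, crypto map match address)."""
    cfg = {"statics": [], "acls": defaultdict(list),
           "access_groups": {}, "other_refs": defaultdict(list)}
    for raw in text.splitlines():
        line = raw.strip()
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "static":
            cfg["statics"].append(_parse_static(tokens))
        elif tokens[0] == "access-list":
            cfg["acls"][tokens[1]].append(line)
        elif m := ACCESS_GROUP_RE.match(line):
            cfg["access_groups"][m.group(1)] = (m.group(2), m.group(3))
        elif m := NAT0_RE.match(line):
            cfg["other_refs"][m.group(2)].append(f"nat ({m.group(1)}) 0 exemption")
        elif m := CRYPTO_MATCH_RE.match(line):
            cfg["other_refs"][m.group(1)].append("crypto map match address")
    return cfg


def classify_acls(cfg):
    """An ACL filters packets only when access-group binds it to an interface;
    otherwise it is a selector (NAT exemption, crypto map, ...) or unused."""
    roles = {}
    for name in cfg["acls"]:
        if name in cfg["access_groups"]:
            direction, iface = cfg["access_groups"][name]
            roles[name] = f"filter ({direction} on {iface})"
        elif cfg["other_refs"].get(name):
            roles[name] = "non-filter: " + ", ".join(cfg["other_refs"][name])
        else:
            roles[name] = "unreferenced"
    return roles


def dangling_access_groups(cfg):
    """access-group bindings that name an ACL with no access-list entries."""
    return sorted(n for n in cfg["access_groups"] if n not in cfg["acls"])


def static_summary(cfg):
    """Per (real_if, mapped_if): total statics and how many are identity
    ("transparent") statics that translate an address to itself."""
    out = defaultdict(lambda: {"total": 0, "identity": 0})
    for s in cfg["statics"]:
        key = (s["real_if"], s["mapped_if"])
        out[key]["total"] += 1
        out[key]["identity"] += int(s["identity"])
    return dict(out)


if __name__ == "__main__":
    cfg = parse_pix(SAMPLE_CONFIG)
    for name, role in sorted(classify_acls(cfg).items()):
        print(f"access-list {name}: {role}")
    for (real_if, mapped_if), c in sorted(static_summary(cfg).items()):
        print(f"static ({real_if},{mapped_if}): {c['total']} total, "
              f"{c['identity']} identity")
    print("dangling access-groups:", dangling_access_groups(cfg))
```

Run it against a real config by replacing SAMPLE_CONFIG with the file contents. The static summary answers the poster's "over 300 statics" question in a form worth bringing back to the list (how many sit on which interface pair, and how many are identity statics), and the ACL classification separates the lists that actually filter at an interface from the ones that only select traffic for NAT exemption or a crypto map; an "unreferenced" ACL or a dangling access-group is a cleanup candidate rather than a security finding on its own.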

