RE: [fw-wiz] disable stateful firewall on PIX?

Sorry, I've been busy, but I have not seen anyone respond to this, so I will give my
2 cents.

There is not a way to disable the PIX from being stateful. Essentially what
you are doing with this type of routing is turning them into packet filtering
devices, since the states are no longer being used for the TCP sessions.
Your leading options probably would be to 1) do a permit any any (oh, just
the sight of a permit any any makes me cringe) on the PIXes and then
implement your packet filtering on the next-hop routers' ACLs, or 2) rework
the access-list on the exterior interfaces of the PIXes (depending on the
type of traffic that exits your network) so that they act as packet
filters, since the return traffic will not have any initial SYNs to look for
(just like router ACLs without the established keyword appended).

The main concern here is your return traffic, since this is what will get
blocked. Just make sure you don't have any ip verify reverse-path
implemented on any network equipment (including firewalls), and log, log, log
(at least level 6). Also, if you do the asymmetrical routing, which I
recommend you do not, by the way (IMHO), watch your embryonic sessions on the
PIX and reduce your session timeouts so that you don't kill your PIXes.
Good luck, and I hope this helps.

Kevin
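
The mechanism behind the two options above, as an added toy model that is not part of the thread and not PIX code: two edge firewalls (FW_A, FW_B) share one connection-table design, outbound SYNs leave through FW_A and the replies come back through FW_B. In "stateful" mode a reply that arrives at the box that never saw the SYN has no connection entry and is denied, and the SYN-only entries on FW_A pile up until the embryonic timeout clears them; in "filter" mode (a stateless ACL that permits inbound TCP only when ACK or RST is set, the IOS "established" idea) the replies pass. The addresses, the 10-second session spacing, the 30-second embryonic timeout and both mode names are constructed assumptions; a real PIX also checks sequence numbers and more, which this model leaves out.

```python
# Constructed toy model (not PIX code, not from the thread): two edge firewalls,
# FW_A and FW_B. Outbound traffic leaves through FW_A, replies come back via FW_B.
from dataclasses import dataclass, field

INSIDE_NET = "10.0.0."            # constructed: the block that is routed asymmetrically
DEFAULT_EMBRYONIC_TIMEOUT = 30.0  # constructed: seconds a SYN-only entry lives without a reply


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}
    ts: float         # arrival time, seconds

    def key(self):
        # Direction-independent 5-tuple so a reply matches the entry its SYN created.
        return tuple(sorted([(self.src, self.sport), (self.dst, self.dport)]))

    def outbound(self):
        return self.src.startswith(INSIDE_NET)


@dataclass
class Firewall:
    name: str
    mode: str  # "stateful" (conn table, the PIX way) or "filter" (stateless ACL)
    embryonic_timeout: float = DEFAULT_EMBRYONIC_TIMEOUT
    conns: dict = field(default_factory=dict)  # key -> {"state", "seen"}
    log: list = field(default_factory=list)

    def expire(self, now):
        # Half-open entries age out; on the asymmetric path nothing else ever clears them.
        for k in [k for k, c in self.conns.items()
                  if c["state"] == "embryonic" and now - c["seen"] > self.embryonic_timeout]:
            del self.conns[k]

    def embryonic_count(self):
        return sum(c["state"] == "embryonic" for c in self.conns.values())

    def process(self, pkt):
        self.expire(pkt.ts)
        return self._filter(pkt) if self.mode == "filter" else self._stateful(pkt)

    def _filter(self, pkt):
        # Stateless ACL: permit outbound; permit inbound TCP only with ACK or RST set,
        # the same idea as an IOS ACL line ending in "established".
        if pkt.outbound():
            return self._verdict(pkt, True, "acl permit outbound")
        ok = bool(pkt.flags & {"ACK", "RST"})
        return self._verdict(pkt, ok, "acl established" if ok else "acl deny, no ACK/RST")

    def _stateful(self, pkt):
        c = self.conns.get(pkt.key())
        if c is None:
            if pkt.outbound() and pkt.flags == {"SYN"}:
                self.conns[pkt.key()] = {"state": "embryonic", "seen": pkt.ts}
                return self._verdict(pkt, True, "new conn, embryonic")
            return self._verdict(pkt, False, "deny, no connection")
        c["seen"] = pkt.ts
        if {"SYN", "ACK"} <= pkt.flags:
            c["state"] = "established"
        if pkt.flags & {"RST", "FIN"}:
            del self.conns[pkt.key()]
        return self._verdict(pkt, True, "matches conn")

    def _verdict(self, pkt, allowed, why):
        # One log line per decision, so drops on the return path are visible.
        self.log.append(f"{self.name} {'PERMIT' if allowed else 'DENY'} "
                        f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
                        f"[{'/'.join(sorted(pkt.flags))}] {why}")
        return allowed


def simulate(mode, symmetric=False, n_sessions=5, timeout=DEFAULT_EMBRYONIC_TIMEOUT):
    """Open n_sessions TCP sessions outbound through FW_A, one every 10 s.
    Replies return through FW_A (symmetric) or FW_B (asymmetric).
    Returns (replies_permitted, peak_embryonic_on_FW_A, embryonic_left_after_timeout)."""
    fw_a, fw_b = Firewall("FW_A", mode, timeout), Firewall("FW_B", mode, timeout)
    reply_fw = fw_a if symmetric else fw_b
    permitted, peak = 0, 0
    for i in range(n_sessions):
        t, client, sport = i * 10.0, f"{INSIDE_NET}{i + 1}", 40000 + i
        syn = Packet(client, "198.51.100.80", sport, 80, frozenset({"SYN"}), t)
        synack = Packet("198.51.100.80", client, 80, sport, frozenset({"SYN", "ACK"}), t + 0.1)
        fw_a.process(syn)
        peak = max(peak, fw_a.embryonic_count())
        permitted += reply_fw.process(synack)
    fw_a.expire(n_sessions * 10.0 + timeout + 1)
    return permitted, peak, fw_a.embryonic_count()


if __name__ == "__main__":
    for args in [("stateful", True), ("stateful", False), ("filter", False)]:
        print(args, simulate(*args))
    print(simulate("stateful", timeout=5.0), "<- shorter embryonic timeout")
```

Running it shows the three points of the reply in numbers: the symmetric stateful case permits every reply, the asymmetric stateful case permits none while FW_A's half-open table grows, the stateless "established" filter permits the replies, and cutting the embryonic timeout (the last line) is what keeps the half-open count on FW_A from climbing.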



-----Original Message-----
From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx] On Behalf Of Adam Greene
Sent: Thursday, April 13, 2006 1:30 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] disable stateful firewall on PIX?

Hi,

We have to run asymmetrical routing on a couple of IP blocks for a couple of
days (i.e. traffic will exit one end of our autonomous system and enter at
the other end). Both ends are protected by PIX-515s (IOS 6.3(4) and
6.3(3)).

Is there a way to temporarily disable stateful features on the PIXes for
these specific IP blocks? Pounding our heads against CCO has not yet yielded
any constructive results.

Thanks,
Adam

P.S. apologies to anyone subscribed to cisco-nsp for the cross-post

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards