Re: [fw-wiz] PIX 515E 7.2 Duplex problem



Thanks for all the input. Problem solved. Both speed and duplex on the
PIX were configured for auto. The device the PIX was connecting to did
not support auto and was set to full/100. If the duplex on the PIX was
forced to full before the speed was forced to 100, the interface would
shut down. But, forcing the PIX interface speed to 100 first and then
forcing the duplex to full works just fine. So, it appears that you
can't leave speed in auto when forcing full duplex on the PIX.
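The working sequence above, written out as a PIX 7.2 interface stanza. This is an added example for the page, not configuration from the original poster; the interface name Ethernet1, the "inside" nameif, the security level and the RFC 1918 address are assumptions, as is the Catalyst port named in the check.

```cisco
! Added example (not from the original post). Peer port is hard-set to
! 100/full with autonegotiation off, so the PIX side must be forced too.
! Order matters on this PIX: set the speed FIRST, then the duplex.
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 speed 100
 duplex full
 no shutdown
!
! Sequence reported to fail in the thread (speed still 'auto' when duplex
! is forced takes the interface down), kept here only as a warning:
!   speed auto
!   duplex full
!
! Checks after the change (assumed interface names):
!   show interface Ethernet1
!     -> expect 100 Mbps, full-duplex, with no "Auto" qualifiers
!   show interfaces FastEthernet0/1 status   (on the peer Catalyst)
!     -> expect a-full/a-100 or full/100 to match the PIX side
```

Re-run `show interface Ethernet1` after a few minutes of traffic. A duplex mismatch does not take the link down; it shows up as late collisions on whichever end is running half-duplex and as CRC/FCS errors and runts on the full-duplex end, so both counters should stay at zero once the two sides agree.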



-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
firewall-wizards-request@xxxxxxxxxxxxxxxxxxxxx
Sent: Monday, April 23, 2007 11:00
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: firewall-wizards Digest, Vol 12, Issue 12

Send firewall-wizards mailing list submissions to
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@xxxxxxxxxxxxxxxxxxxxx

You can reach the person managing the list at
firewall-wizards-owner@xxxxxxxxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: PIX 515E 7.2 Duplex problem (Florin Andrei)
2. Re: PIX 515E 7.2 Duplex problem (Chris Buechler)
3. Tomahawk patch for L3 devices (Kowsik)
4. Re: PIX 515E 7.2 Duplex problem (robbie.jacka@xxxxxxxxxxx)
5. Re: H323 NAT problems with A Cyberguard. (sai)


----------------------------------------------------------------------

Message: 1
Date: Thu, 19 Apr 2007 17:16:44 -0700
From: Florin Andrei <florin@xxxxxxxxxxxxxxx>
Subject: Re: [fw-wiz] PIX 515E 7.2 Duplex problem
To: Firewall Wizards Security Mailing List
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>
Message-ID: <4628066C.8060209@xxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Drumheller, Michael wrote:

The interface on the PIX shuts down when duplex is changed from auto to
full. The switch it connects to is configured for full duplex but the
PIX still shows half duplex when in auto negotiate mode. Changing to
half duplex on both the switch and PIX works but the PIX interface goes
down when it's changed to full duplex. Has anyone else experienced this
problem?

Sounds like a bad interface to me.

I always configure the PIX and the switch to full duplex. Auto creates
problems usually. Just enforce full duplex whenever possible.

--
Florin Andrei

http://florin.myip.org/


------------------------------

Message: 2
Date: Fri, 20 Apr 2007 11:04:51 -0400
From: Chris Buechler <fw-wiz@xxxxxxxxxxxxxxxxx>
Subject: Re: [fw-wiz] PIX 515E 7.2 Duplex problem
To: Firewall Wizards Security Mailing List
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>
Message-ID: <4628D693.8020103@xxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Drumheller, Michael wrote:

The interface on the PIX shuts down when duplex is changed from auto
to full. The switch it connects to is configured for full duplex but
the PIX still shows half duplex when in auto negotiate mode.


Of course - when you force one end to full and leave the other on auto,
the auto side ends up half duplex and you end up with a duplex mismatch.

That's what is expected to happen when you misconfigure things like
this. You can't set one side to full and the other on auto.
Suggested reading:
http://www.sun.com/blueprints/0704/817-7526.pdf
http://en.wikipedia.org/wiki/Autonegotiation

What if you just set the port and the PIX to auto? I hate seeing
networks where people force duplex, 90% of them I see end up with duplex
mismatches all over because too many people don't understand how
autonegotiation works. Every vendor including Cisco recommends using
auto whenever both ends support it.

It *shouldn't* be an issue to set both ends, and all 515E's should have
only 10/100 ports. But it's not recommended; personally I wouldn't care
why it doesn't work.

You may want to check for a firmware update for your switch regardless.
Since your PIX seems to be on the latest version it should be fine.



------------------------------

Message: 3
Date: Fri, 20 Apr 2007 23:24:43 -0700
From: Kowsik <kowsik@xxxxxxxxx>
Subject: [fw-wiz] Tomahawk patch for L3 devices
To: firewall-wizards@xxxxxxxxxxxxxxxxxx, focus-ids@xxxxxxxxxxxxxxxxx
Message-ID:
<7db9abd30704202324p5e40b700qd14e58d2f35d67c8@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

We just posted a patch for tomahawk (http://tomahawk.sourceforge.net/)
to allow playbacks of pcap's through L3 devices (IP rewriting on
different subnets).

You might find it useful when you are load testing (or amplifying
attacks for) firewalls/IPS/UTM's that operate in L3 mode.

http://labs.musecurity.com/

K.

ps: Posting from my organize-my-mailing-lists-into-labels account
---
Kowsik Guruswamy
Founder/CTO, Mu Security
http://labs.musecurity.com/rss2
http://www.musecurity.com/news/rss.html


------------------------------

Message: 4
Date: Thu, 19 Apr 2007 17:03:37 -0500
From: robbie.jacka@xxxxxxxxxxx
Subject: Re: [fw-wiz] PIX 515E 7.2 Duplex problem
To: mdrumhel@xxxxxxxxxx
Cc: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx, Firewall Wizards
Security Mailing List
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx>
Message-ID:
<OF208A32A5.07B48D58-ON862572C2.0078FFCF-862572C2.00792E8E@xxxxxxxxxxxxxMSOUTH.COM>
Content-Type: text/plain; charset=us-ascii

Running PIX 7? I've run into this issue when using PIX7 on a 525 using a
straight through cable to a CSS11503. 100FD hardcoded on both ends
results in the firewall 'negotiating' to half-duplex, but putting both
sides in auto results in 100FD with no issues.
--
robbie





From: vbwilliams@xxxxxx.com
Sent by: firewall-wizards-bounces@listserv.icsalabs.com
Date: 04/19/2007 03:27 PM
To: Firewall Wizards Security Mailing List
<firewall-wizards@xxxxxxxxxxxxxxxxxst.com>
Cc: firewall-wizards@xxxxxxxxxxxxxxxxxxt.com
Subject: Re: [fw-wiz] PIX 515E 7.2 Duplex problem
Please respond to: vbwilliams@xxxxxx.com; Firewall Wizards Security
Mailing List <firewall-wizards@listserv.icsalabs.com>

Only time I've experienced it was when we had a bad NIC. Did you try
doing the same thing on another interface?

----- Original Message -----
From: "Drumheller, Michael" <mdrumhel@xxxxxxxxxx>
Date: Thursday, April 19, 2007 1:05 pm
Subject: [fw-wiz] PIX 515E 7.2 Duplex problem
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx

The interface on the PIX shuts down when duplex is changed from auto to
full. The switch it connects to is configured for full duplex but the
PIX still shows half duplex when in auto negotiate mode. Changing to
half duplex on both the switch and PIX works but the PIX interface goes
down when it's changed to full duplex. Has anyone else experienced this
problem?



_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards





------------------------------

Message: 5
Date: Sat, 21 Apr 2007 10:39:55 +0500
From: sai <sonicsai@xxxxxxxxx>
Subject: Re: [fw-wiz] H323 NAT problems with A Cyberguard.
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>
Message-ID:
<41d04d600704202239p1155356cwdee8da6f0cf9875c@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

From what I remember about SIP, you need the firewall to preserve the
source and destination ports. NAT usually changes the source port for
outgoing traffic.



On 4/17/07, David Garrard <david@xxxxxxxxxxxxxxx> wrote:
Hi;

I am currently installing a Cyberguard 410 D to sit between a VOIP
server network and a private network. Getting NAT to work is extremely
challenging, has anyone reading this list done this before?

All the best;

David




------------------------------



End of firewall-wizards Digest, Vol 12, Issue 12
************************************************