Security Basics mailing list archives
R: [Fwd: Re: Pix to ASA migration]
From: "Massimo Baschieri" <massimo.baschieri () re-ti it>
Date: Thu, 5 Oct 2006 07:29:01 +0200
This was sent to me off list. I didn't look at the inspect mapping. That also could be a cause.
It could be quite a cause because of other protocols or because of the IPs, not because of DNS, not under normal conditions. DNS inspection is only there to check for abuse of the protocol, not for normal use; DNS doesn't need any special treatment by a firewall like FTP or H.323 does, it should work like a charm without any inspection.

Bye,
Tosh.

-------- Original Message --------
Subject: Re: Pix to ASA migration
Date: Wed, 04 Oct 2006 04:26:11 -0700
From: Joseph Jenkins <maillist () breathe-underwater com>
To: Craig Van Tassle <craig () codestorm org>

You have to have the inspect turned on for DNS or it won't work. DNS goes out on one port and then comes back in on another. You have to specifically tell the PIX/ASA how to handle that type of traffic. Here is a cutout of my config with the correct inspect statements:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

On 10/2/06 2:13 PM, "Craig Van Tassle" <craig () codestorm org> wrote:

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
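As an added example, not code from any poster in this thread: a small Python audit check that parses the ASA policy-map / class / inspect hierarchy from running-config text and reports whether "inspect dns" is applied in a given policy-map and with which maximum-length, which is the quickest way to confirm what the forwarded config above actually enables. The function names are my own and the sample config is constructed from the fragment Joseph posted.

```python
# Constructed sample: the policy-map fragment posted in the thread above,
# laid out one statement per line as 'show running-config' prints it.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
!
"""

def parse_policy_maps(config):
    """Return {policy_map: {class: [inspect argument lists]}} from ASA CLI text.
    Nesting follows line order: 'class' belongs to the latest 'policy-map',
    'inspect' to the latest 'class'; other lines are ignored."""
    policies, policy, cls = {}, None, None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] == "policy-map" and len(tokens) > 1:
            policy, cls = tokens[1], None
            policies.setdefault(policy, {})
        elif tokens[0] == "class" and policy and len(tokens) > 1:
            cls = tokens[1]
            policies[policy].setdefault(cls, [])
        elif tokens[0] == "inspect" and policy and cls:
            policies[policy][cls].append(tokens[1:])
    return policies

def dns_inspection(config, policy_map):
    """None if policy_map is absent; else (enabled, maximum_length), where
    maximum_length is None unless 'inspect dns maximum-length N' is configured."""
    classes = parse_policy_maps(config).get(policy_map)
    if classes is None:
        return None
    for inspects in classes.values():
        for args in inspects:
            if args and args[0] == "dns":
                max_len = None
                if "maximum-length" in args:
                    i = args.index("maximum-length") + 1
                    if i < len(args) and args[i].isdigit():
                        max_len = int(args[i])
                return True, max_len
    return False, None
```

Paste the output of "show running-config policy-map" into the config string to audit a live device; a (False, None) result for the global policy means DNS packets are passing with no application-layer checks at all.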
Current thread:
- [Fwd: Re: Pix to ASA migration] Craig Van Tassle (Oct 04)
- R: [Fwd: Re: Pix to ASA migration] Massimo Baschieri (Oct 05)