Firewall Wizards mailing list archives

RE: PIX assessment


From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 5 Oct 2005 15:16:31 -0400

-----Original Message-----
Subject: [fw-wiz] PIX assessment

From reading documentation it is my understanding that if you have traffic flowing from inside (higher security level) to dmz (lower security level) interface then you will not require either an ACL or a static statement permitting this. However, this particular config is declaring transparent statics that the documentation I've read says is unnecessary. Any reasons why they may be doing this? I'm going through a rather long config (3000+ lines), and running some perl mojo I find that there are over 300 statics defined for addresses behind the inside interface. Useless? Something that perhaps the PDM does?

Don't get static statements and access-lists confused.  A static, nat, or
global command is a NAT command and nothing more.  It is security-neutral.
An access-list that is assigned to an interface via an access-group command
becomes a filter for packets arriving at that interface.  An access-list
without an access-group command can be used to configure VPN tunnels (crypto
map match) global NAT pools, etc.

Without seeing the commands in some sort of context, I don't know that they
are unnecessary, though if there are 300 of them then there may be a more
efficient way to write them.  Maybe you've got some
safe-for-public-consumption examples you can share?


Oh, I've also been trying to track down the latest rev of pixOS 6.3. Can't find it anywhere on cisco's public site.

Last I checked, it's not public.  I believe you will need a CCO login that's
associated with one or more Cisco products that can run PIX OS.  The
customer should have something like this if they ever had a SmartNet
contract for their PIX or even registered it.  They should still be able to
download PIX OS updates even if SmartNet has lapsed.

PaulM
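The static-versus-access-list distinction above, turned into a quick config audit, as an added example that is not from the thread or from Cisco: a script over a constructed PIX 6.x fragment that counts statics per interface pair, flags identity ("transparent") statics where the mapped and real addresses are the same, and separates access-lists that are bound with access-group (and therefore filter) from those that are not. The config lines and ACL names are constructed, not taken from the poster's config.

```python
import re
from collections import Counter

# Constructed PIX 6.x fragment (not from the thread). The two (inside,dmz)
# statics map an address to itself, i.e. the "transparent static" pattern.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list dmz_in permit tcp any host 192.168.10.5 eq www
access-list vpn_match permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
static (inside,dmz) 10.1.2.7 10.1.2.7 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.5 192.168.10.5 netmask 255.255.255.255 0 0
access-group dmz_in in interface dmz
"""

# PIX 6.x syntax: static (real_if,mapped_if) mapped_ip real_ip [netmask ...]
STATIC_RE = re.compile(r'^static \((\S+),(\S+)\) (\S+) (\S+)')
ACL_RE = re.compile(r'^access-list (\S+) ')
GROUP_RE = re.compile(r'^access-group (\S+) in interface (\S+)')

def audit(config):
    """Split NAT commands from filter commands; flag identity statics."""
    statics, identity, acls, bound = Counter(), [], set(), {}
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            statics[(real_if, mapped_if)] += 1
            if mapped_ip == real_ip:      # transparent static: NAT to itself
                identity.append(line)
            continue
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1))          # defined, but not yet a filter
            continue
        m = GROUP_RE.match(line)
        if m:
            bound[m.group(1)] = m.group(2)  # access-group makes it a filter
    return {
        "statics_per_pair": dict(statics),
        "identity_statics": identity,
        "filtering_acls": bound,
        "unbound_acls": sorted(acls - set(bound)),  # crypto map, NAT pools, etc.
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, value)
```

Run it over the real 3000-line config instead of SAMPLE_CONFIG to see which interface pairs the 300 statics fall into and how many are identity mappings; an unbound access-list in the output is not filtering anything, whatever its name suggests.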

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
