Firewall Wizards mailing list archives
RE: PIX assessment
From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 5 Oct 2005 15:16:31 -0400
-----Original Message-----
Subject: [fw-wiz] PIX assessment

From reading documentation it is my understanding that if you have traffic flowing from inside (higher security level) to dmz (lower security level) interface then you will not require either an ACL or a static statement permitting this. However, this particular config is declaring transparent statics that the documentation I've read says are unnecessary. Any reasons why they may be doing this? I'm going through a rather long config (3000+ lines), and running some perl mojo I find that there are over 300 statics defined for addresses behind the inside interface. Useless? Something that perhaps the PDM does?
Don't get static statements and access-lists confused. A static, nat, or global command is a NAT command and nothing more. It is security-neutral. An access-list that is assigned to an interface via an access-group command becomes a filter for packets arriving at that interface. An access-list without an access-group command can be used to configure VPN tunnels (crypto map match), global NAT pools, etc. Without seeing the commands in some sort of context, I don't know that they are unnecessary, though if there are 300 of them then there may be a more efficient way to write them. Maybe you've got some safe-for-public-consumption examples you can share?
Oh, I've also been trying to track down the latest rev of pixOS 6.3. Can't find it anywhere on cisco's public site.
Last I checked, it's not public. I believe you will need a CCO login that's associated with one or more Cisco products that can run PIX OS. The customer should have something like this if they ever had a SmartNet contract for their PIX or even registered it. They should still be able to download PIX OS updates even if SmartNet has lapsed.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
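The distinction drawn in the reply above, that static/nat/global only rewrite addresses while an access-list filters nothing until an access-group binds it to an interface, is worth checking mechanically when reviewing a 3000-line config. The script below is an added example for this page, not code from the thread, from the poster's perl, or from Cisco. It parses a constructed PIX 6.3-style fragment (the interface names, ACL names and addresses are invented for illustration) and reports two things: every static, flagging the identity ("transparent") ones where the global and local addresses are equal, grouped by interface pair; and, for each access-list, what references it, whether an access-group (packet filter), a nat ... access-list (NAT exemption with id 0, or policy NAT) or a crypto map match address (VPN interesting traffic). An access-list with no reference is defined but does nothing.

```python
"""Classify NAT statements and access-lists in a PIX 6.3-style configuration.

Added example for this thread (not Cisco's or the poster's code). The config
below is constructed for illustration; all names and addresses are invented.
"""
import re
from collections import defaultdict

# Constructed PIX 6.3-style fragment (hypothetical interfaces, ACL names, addresses).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list nonat permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list vpn_acl permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list stale_acl permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
static (inside,dmz) 10.1.1.5 10.1.1.5 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.1.6 10.1.1.6 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
crypto map vpnmap 10 match address vpn_acl
"""

# PIX 6.3 syntax: static (real_ifc,mapped_ifc) global_ip local_ip netmask ...
STATIC_RE = re.compile(
    r"^static \((?P<real>[^,]+),(?P<mapped>[^)]+)\) (?P<mapped_ip>\S+) (?P<real_ip>\S+)")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) ")
ACCESS_GROUP_RE = re.compile(
    r"^access-group (?P<name>\S+) (?P<dir>in|out) interface (?P<ifc>\S+)")
NAT_ACL_RE = re.compile(r"^nat \((?P<ifc>[^)]+)\) (?P<id>\d+) access-list (?P<name>\S+)")
CRYPTO_MATCH_RE = re.compile(r"^crypto map (?P<map>\S+) \d+ match address (?P<name>\S+)")


def parse_statics(config):
    """Return one dict per static; 'identity' is True when global == local address."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["identity"] = entry["mapped_ip"] == entry["real_ip"]
            statics.append(entry)
    return statics


def identity_static_counts(config):
    """Count identity ('transparent') statics per (real, mapped) interface pair."""
    counts = defaultdict(int)
    for s in parse_statics(config):
        if s["identity"]:
            counts[(s["real"], s["mapped"])] += 1
    return dict(counts)


def classify_access_lists(config):
    """Map each access-list name to the list of commands that reference it.

    'access-group:<ifc>:<dir>' means the ACL filters packets on that interface;
    'nat:<ifc>:<id>' means NAT exemption (id 0) or policy NAT; 'crypto-map:<map>'
    means it selects VPN traffic. An empty list means the ACL does nothing.
    A name that appears only as a reference is an ACL used but never defined.
    """
    refs = {}
    for line in config.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            refs.setdefault(m.group("name"), [])
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m:
            refs.setdefault(m.group("name"), []).append(
                "access-group:%s:%s" % (m.group("ifc"), m.group("dir")))
            continue
        m = NAT_ACL_RE.match(line)
        if m:
            refs.setdefault(m.group("name"), []).append(
                "nat:%s:%s" % (m.group("ifc"), m.group("id")))
            continue
        m = CRYPTO_MATCH_RE.match(line)
        if m:
            refs.setdefault(m.group("name"), []).append("crypto-map:%s" % m.group("map"))
    return refs


if __name__ == "__main__":
    for pair, n in sorted(identity_static_counts(SAMPLE_CONFIG).items()):
        print("identity statics %s -> %s: %d" % (pair[0], pair[1], n))
    for name, uses in sorted(classify_access_lists(SAMPLE_CONFIG).items()):
        print("access-list %-12s %s" % (name, ", ".join(uses) or "UNREFERENCED"))
```

Run it against a real config by replacing SAMPLE_CONFIG with the file contents; the unreferenced ACLs and the identity-static counts per interface pair are the two lists to take to the customer. One caveat when judging whether a pile of identity statics is useless: PIX 6.x would not let a host originate connections to a lower-security interface until some translation existed for it (a static, a nat/global pair, or nat 0), so identity statics were a common way to satisfy that rule for hosts whose addresses must not change; ASA 7.0 made this behaviour optional through the nat-control command.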
Current thread:
- PIX assessment vulnerable (Oct 05)
- Re: PIX assessment Nate Itkin (Oct 06)
- RE: PIX assessment Paul Melson (Oct 06)
- Re: PIX assessment Mike Meredith (Oct 12)