Firewall Wizards mailing list archives

Re: Cisco PIX open ports on outside interface?


From: "istong" <istong () zuniversity com>
Date: Sat, 9 Dec 2000 18:37:47 -0500

Last I checked the default is to deny all and you explicitly specify what to
permit.  I have only been able to manage PIX systems from an inside
interface (even after specifying a telnet outside command).  Based on your
conduit permit or access-list scenario below you should be fine.  No telnet
from the outside.

One interesting side note is the addition of being able to SSH to the PIX.
This has been added in the 5.2x code release.  I can't use it though as it
is limited to basic setups and not advanced ones like I implement.  Beware
of the 5.2x code as there is a bug which breaks the alias command.  We use
the alias command on the PIX to rewrite DNS entries so we can access
internal systems that have a public DNS entry.  Without it you would do a
DNS lookup on system () yourdomain com and it would return the public address
to you.  But with you and the system behind the firewall, you will never
get to it using its public address.

FYI,

Ian

----- Original Message -----
From: "Smith, Gary (SCOTAM)" <gary.smith () ScottishAmicable co uk>
To: <firewall-wizards () nfr com>
Sent: Tuesday, December 05, 2000 11:21 AM
Subject: [fw-wiz] Cisco PIX open ports on outside interface?


All:

I have an acl on the outside interface of a pix that allows:

80 & 443 to a web server on the DMZ
25 to a mail server on the DMZ

and then has an explicit deny ip any any rule.

When a security company ran a strobe against the outside interface they
claim that both Telnet and Cisco Secure Telnet were open on the outside
interface (although they couldn't connect) and I have also verified that
port 80 is open with the following returned after a get /

<!-- $ID: file://depot/prod/ontap/Rbrutus/prod/netcache/errors/500.html#1 $ -->

I couldn't verify the telnet ports were open (though I don't know what they
used to test, I used netcat).  We do have remote administration enabled but I
remember reading somewhere that this was only on the inside interface
(though this might be version 4.x.x documentation).

Should any ports be open on the outside interface by default?  Where is this
documented?

Any and all help gratefully received.

--Gary;




**********************************************************************
Information contained herein is the sole responsibility of the Individual
sending the message. No responsibility is admitted by Scottish Amicable
for any loss or damage incurred through use of the email. In addition, no
statement should be construed as giving investment advice within or
outside the United Kingdom.
An email reply to this address may be subject to interception or monitoring
for operational reasons or for lawful business practices.
*********************************************************************

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
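The configuration below is an added example, not text from either message, written in PIX 5.x-style syntax to show the three things this thread touches: an outside access-list of the shape Gary describes (80 and 443 to one DMZ host, 25 to another, then an explicit deny), management access limited to the inside interface (telnet, and the SSH support Ian mentions for 5.2x), and the alias command Ian uses for DNS rewriting. Interface names, the access-list name, the admin subnet and all addresses (RFC 5737 and RFC 1918 ranges) are assumptions; lines beginning with "!" are annotations for the reader and are not part of the PIX command set.

```text
! Added example; interface names, ACL name and addresses are assumptions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0

! Static translations exposing the DMZ web and mail servers on public addresses.
static (dmz,outside) 192.0.2.10 172.16.1.10 netmask 255.255.255.255 0 0
static (dmz,outside) 192.0.2.11 172.16.1.11 netmask 255.255.255.255 0 0

! Outside ACL: only the three published services, then an explicit deny.
! On pre-7.0 PIX code the outside ACL matches the translated (public)
! address, not the DMZ address behind the static.
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in permit tcp any host 192.0.2.10 eq https
access-list outside_in permit tcp any host 192.0.2.11 eq smtp
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Management: telnet, and from 5.2x SSH, only from the inside admin subnet.
! No telnet or ssh line names the outside interface, so nothing is
! permitted to the PIX itself from outside.
hostname pix
domain-name example.com
ca generate rsa key 1024
ca save all
telnet 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5

! DNS rewriting (the alias use Ian describes): when an inside host looks up
! a name whose A record carries the public address 192.0.2.10, the PIX
! rewrites the reply to 172.16.1.10 so the client connects to the DMZ host
! directly instead of trying to reach its own public address.
alias (inside) 172.16.1.10 192.0.2.10 255.255.255.255
```

Two points worth checking before relying on this: alias only rewrites DNS replies that actually pass through the PIX, so an inside resolver that answers from its own zone data is unaffected and needs a split-horizon entry instead; and Ian's remark about the 5.2x bug applies to the last line, so verify the rewrite with a lookup from an inside host after any code upgrade.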

