Firewall Wizards mailing list archives
Re: Cisco PIX open ports on outside interface?
From: "istong" <istong () zuniversity com>
Date: Sat, 9 Dec 2000 18:37:47 -0500
Last I checked the default is to deny all and you explicit specify what to permit. I have only been able to manage PIX systems from an inside interface (even after specifying a telnet outside command). Based on your conduit permit or access-list scenario below you should be fine. No telnet from the outside. One interesting side note is the addition of being able to SSH to the PIX. This has been added in the 5.2x code release. I can't use it though as it is limited to basic setups and not advanced ones like I implement. Beware of the 5.2x code as there is a bug which breaks the alias command. We use the alias command on the PIX to rewrite DNS entries so we can access internal systems that have a public DNS entry. Without it you would do a DNS lookup on system () yourdomain com and it would return the public address to you. But with you and the system behind the firewall - you will never get to it using it's public address. FYI, Ian ----- Original Message ----- From: "Smith, Gary (SCOTAM)" <gary.smith () ScottishAmicable co uk> To: <firewall-wizards () nfr com> Sent: Tuesday, December 05, 2000 11:21 AM Subject: [fw-wiz] Cisco PIX open ports on outside interface?
All: I have an acl on the outside interface of a pix that allows: 80 & 443 to a web server on the DMZ 25 to a mail server on the DMZ and then has an explicit deny ip any any rule. When a security company ran a strobe against the outside interface they claim that both Telnet and Cisco Secure Telnet were open on the outside interface (although they couldn't connect) and I have also verified that port 80 is open with the following returned after a get / <!-- $ID: file://depot/prod/ontap/Rbrutus/prod/netcache/errors/500.html#1
$ -->
I couldn't verify the telnet ports were open (though I don't know what
they
used to test, I used netcat), we do have remote administration enabled but
I
remember reading somewhere that this was only on the inside interface (though this might be version 4.x.x documentation). Should any ports be open on the outside interface by default? Where is
this
documented? Any and all help gratefully received. --Gary; ********************************************************************** Information contained herein is the sole responsibility of the Individual sending the message. No responsibility is admitted by Scottish Amicable for any loss or damage incurred through use of the email. In addition, no statement should be construed as giving investment advice within or outside the United Kingdom. An email reply to this address may be subject to interception or
monitoring
for operational reasons or for lawful business practices. ********************************************************************* _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Cisco PIX open ports on outside interface? Smith, Gary (SCOTAM) (Dec 08)
- Re: Cisco PIX open ports on outside interface? Fabio Pietrosanti (naif) (Dec 10)
- Re: Cisco PIX open ports on outside interface? istong (Dec 12)
- <Possible follow-ups>
- RE: Cisco PIX open ports on outside interface? Smith, Gary (SCOTAM) (Dec 12)