Firewall Wizards mailing list archives
Re: Fw: cisco pix does not log traffic targetted to itself?
From: Kevin Steves <stevesk () pobox com>
Date: Wed, 15 Jan 2003 13:53:45 -0800
On Tue, Jan 14, 2003 at 09:40:35AM -0500, Brian Ford wrote:
> Maybe I misread the follow-up to your original. What version of PIX OS are you using?
Cisco PIX Firewall Version 6.2(1)
> You can have one inside interface and one outside interface. The inside is always security level 100. The outside is security level 0. Think of it as "I trust the inside 100%" and "I trust the outside 0%". You can have additional interfaces in many models and these additional interfaces can have the same security level. Say you create DMZ_In and DMZ_Out, and you set both to a security level of 50. In this configuration DMZ_In and DMZ_Out will not pass traffic to one another directly, no matter what ACLs or routes you have set up in the PIX. You can make them pass traffic, but that traffic would need to leave the PIX and get routed back via an external router.
this is what i was referring to but i had not seen it documented other than the statement in the book i posted earlier. is this type of configuration documented?
> Setting up additional interfaces (other than inside and outside) to the same security level is supported by TAC. Dave Chapman (author of the book you referenced) may have been mistaken there.
thanks, i can send the authors a mail when i understand this a bit more.
> The PIX will log all traffic sent to the outside interface by default. Check your log level. The packets get dropped and the PIX issues a log message that a non-IPSec packet was received on the interface. Packets that the PIX processes (i.e. IPSec connections) are also logged.
yes:

logging on
logging timestamp
logging console warnings
logging buffered informational

interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0004.2746.9d38
  IP address 10.251.7.196, subnet mask 255.255.255.240

$ telnet 10.251.7.196
Trying 10.251.7.196...

402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 10.251.7.196, src_addr= 10.251.7.194, prot= tcp

my understanding is that is because telnet to the outside is treated special and requires an IPSec tunnel. however:

$ telnet 10.251.7.196 22
Trying 10.251.7.196...

for example does not log. nor does any other port i tried.

also, not all traffic is dropped by default. icmp is permitted to the outside by default. the documentation for "icmp" says:

If no ICMP control list is configured, then the PIX Firewall accepts all ICMP traffic that terminates at any interface (including the outside interface).
> Are you trying to log traffic that is sent to the inside interface? In order to do that you would need to violate a security policy. Then that would be logged. A trick I sometimes use to log everything is to create an ACL that permits the types of traffic that I allow through and denies other stuff (rather than a list that contains just deny statements). The PIX will log all ACLs that execute.
these examples are for outside. can you duplicate the results?
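The gap Kevin is chasing is that the PIX only emits a message for traffic aimed at its own outside address in one case (the 402106 "not an IPSEC packet" message for telnet), while other ports go unlogged. One defensive consequence is that whatever the PIX does emit should be watched specifically for destinations that are the firewall's own interface addresses. The following is an added example, not code from the thread or from Cisco: a small syslog parser that recognises the 402106 line exactly as it appears above plus the standard PIX 106023 ACL-deny format (for traffic that does hit an interface ACL, as in Brian's permit-then-deny trick), and flags events whose destination is one of the PIX's own addresses. The inside address 192.0.2.1, the inside host 192.0.2.10 and the 106023 sample line are constructed for the example; only the outside address and the 402106 line come from the thread.

```python
"""Flag PIX syslog events whose destination is the firewall itself.

Added example for the thread above; the 106023 sample line, the inside
address and the ACL name are constructed, not taken from the thread.
"""
import re

# Addresses the PIX itself answers on. 10.251.7.196 is the outside
# address from the thread; 192.0.2.1 is a constructed inside address.
PIX_SELF_ADDRS = {"10.251.7.196", "192.0.2.1"}

# 402106 exactly as the thread shows it (key=value pairs after "(ip)").
RE_402106 = re.compile(
    r"402106: Rec'd packet not an IPSEC packet\. \(ip\) "
    r"dest_addr= (?P<dst>[\d.]+), src_addr= (?P<src>[\d.]+), prot= (?P<proto>\w+)"
)

# 106023: the PIX ACL deny message (standard PIX syslog format).
RE_106023 = re.compile(
    r'106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_line(line):
    """Return a normalised event dict for a known message id, else None."""
    m = RE_402106.search(line)
    if m:
        return {"id": "402106", "src": m["src"], "dst": m["dst"],
                "proto": m["proto"], "dport": None}
    m = RE_106023.search(line)
    if m:
        return {"id": "106023", "src": m["src"], "dst": m["dst"],
                "proto": m["proto"],
                "dport": int(m["dport"]) if m["dport"] else None}
    return None


def to_the_box_events(lines, self_addrs=PIX_SELF_ADDRS):
    """Return the parsed events whose destination is a PIX interface address.

    Anything else (traffic to hosts behind the PIX) is left to the normal
    ACL review; traffic to the box itself is the case the thread shows
    the PIX mostly stays silent about, so every hit is worth a look.
    """
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev["dst"] in self_addrs:
            hits.append(ev)
    return hits


# Constructed sample log: line 1 is verbatim from the thread, line 2 is a
# constructed ACL deny for an inside host, line 3 is unrelated noise.
SAMPLE_LOG = [
    "402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 10.251.7.196, "
    "src_addr= 10.251.7.194, prot= tcp",
    '%PIX-4-106023: Deny tcp src outside:10.251.7.194/3456 '
    'dst inside:192.0.2.10/22 by access-group "outside_in"',
    "%PIX-6-302013: Built inbound TCP connection (unrelated noise)",
]

if __name__ == "__main__":
    for ev in to_the_box_events(SAMPLE_LOG):
        print(f"to-the-box {ev['proto']} from {ev['src']} -> {ev['dst']} (msg {ev['id']})")
```

Run against a real PIX syslog feed, the parser only ever sees what the PIX chose to emit; a quiet output for a given port is not evidence that nothing reached the interface, which is exactly the point of Kevin's `telnet 10.251.7.196 22` test.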