Firewall Wizards mailing list archives

Re: Fw: cisco pix does not log traffic targeted to itself?


From: Kevin Steves <stevesk () pobox com>
Date: Wed, 15 Jan 2003 13:53:45 -0800

On Tue, Jan 14, 2003 at 09:40:35AM -0500, Brian Ford wrote:
> Maybe I misread the follow up to your original.  What version of PIX OS are 
> you using?

Cisco PIX Firewall Version 6.2(1)

> You can have one inside interface and one outside interface.  The inside is 
> always security level 100.  The outside is security level 0.  Think of it 
> as "I trust the inside 100%" and "I trust the outside 0%".
> 
> You can have additional interfaces in many models and these additional 
> interfaces can have the same security level.  Say you create DMZ-In and 
> DMZ_Out; and you set both to a security level of 50.  In this configuration 
> DMZ_In and DMZ_Out will not pass traffic to one another directly.  No 
> matter what ACLs or route you have set up in the PIX.  You can make them 
> pass traffic but that traffic would need to leave the PIX and get routed 
> back via an external router.

this is what i was referring to but i had not seen it documented other
than the statement in the book i posted earlier.  is this type of
configuration documented?

> Setting up additional interfaces (other than inside and outside) to the 
> same security level is supported by TAC.  Dave Chapman (author of the book 
> you referenced) may have been mistaken there.

thanks, i can send the authors a mail when i understand this a bit
more.

> The PIX will log all traffic by default sent to the outside 
> interface.  Check your log level. The packets get dropped and the PIX 
> issues a log message that a non-IPSec packet was received on the 
> interface.  Packets that the PIX processes (i.e. IPSec connections) are 
> also logged.

yes:

logging on
logging timestamp
logging console warnings
logging buffered informational

interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0004.2746.9d38
  IP address 10.251.7.196, subnet mask 255.255.255.240

$ telnet 10.251.7.196
Trying 10.251.7.196...

402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 10.251.7.196, src_addr= 10.251.7.194, prot= tcp

my understanding is that is because telnet to the outside is treated
special and requires an IPSec tunnel.

however:

$ telnet 10.251.7.196 22
Trying 10.251.7.196...

for example does not log.  nor does any other port i tried.

also, not all traffic is dropped by default.  icmp is permitted to the
outside by default.

the documentation for "icmp" says:

If no ICMP control list is configured, then the PIX Firewall accepts
all ICMP traffic that terminates at any interface (including the
outside interface).

> Are you trying to log traffic that is sent to the inside interface?  In 
> order to do that you would need to violate a security policy.  Then that 
> would be logged.
> 
> A trick I sometimes use to log everything is to create an ACL that permits 
> the types of traffic that I allow through and denies other stuff (rather 
> than a list that contains just deny statements).  The PIX will log all ACLs 
> that execute.

these examples are for outside.

can you duplicate the results?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
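As an added example that is not part of Brian's or Kevin's messages, this is what the permit-then-deny list Brian describes looks like in PIX 6.x access-list syntax, applied to the outside interface, shown next to the deny-only list he advises against. The ACL names, the 10.251.7.197 host and the permitted ports are assumed for illustration; 10.251.7.196 is the outside address from Kevin's interface output. Lines beginning with `!` are annotations, not PIX commands, and should be dropped when pasting.

```cisco
! Deny-only list (what Brian advises against). Only the two named
! ports produce ACL hits; anything else falls through to the end of
! the list and gives you nothing to match in the syslog buffer.
access-list outside_in_denyonly deny tcp any any eq 23
access-list outside_in_denyonly deny udp any any eq 161

! Permit-then-deny list (Brian's trick). Permit exactly the traffic
! that is allowed through the outside interface ...
access-list outside_in permit tcp any host 10.251.7.196 eq 22
access-list outside_in permit tcp any host 10.251.7.197 eq 25
access-list outside_in permit icmp any host 10.251.7.196 echo
! ... then deny everything else explicitly, so every other packet
! arriving on outside matches a line the PIX executes and logs.
access-list outside_in deny ip any any

! Bind the list inbound on the outside interface.
access-group outside_in in interface outside

! Keep the buffered log level where Kevin already has it so the
! ACL hits are retained.
logging on
logging timestamp
logging buffered informational
```

This covers traffic crossing the outside interface. Whether the same list also catches packets addressed to the outside interface's own IP address (Kevin's telnet to port 22, which produced no log line) is exactly the question the thread leaves open, so check the buffered log on a test box before relying on it for that case.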