Firewall Wizards mailing list archives
Re: PIX assessment
From: Nate Itkin <firewall-wizards () konadogs net>
Date: Wed, 5 Oct 2005 09:13:44 -1000
On Mon, Sep 26, 2005 at 06:43:56AM -0700, vulnerable wrote:
> Hello all. I'm doing an assessment on the config of a PIX running 6.3. Not being much of a PIX expert, I have a few questions. From reading the documentation, it is my understanding that if you have traffic flowing from the inside (higher security level) to the DMZ (lower security level) interface, then you will not require either an ACL or a static statement permitting this.
By default, all connections initiated on a network with a higher security level are allowed out, and you configure any restrictions required.
> However, this particular config declares transparent statics that the documentation I've read says are unnecessary. Any reasons why they may be doing this? I'm going through a rather long config (3000+ lines), and running some perl mojo I find that there are over 300 statics defined for addresses behind the inside interface. Useless? Something that perhaps the PDM does?
The static command creates a one-to-one address translation rule (called a static translation slot or "xlate"). Translation slots do not permit or deny traffic. The default ACL that permits all connections initiated on a network with a higher security level allows the traffic to pass. The translation slots may have been created to map specific hosts and/or ports on the higher security interface(s) to specific hosts and/or ports on the lower security interface(s).
> Oh, I've also been trying to track down the latest rev of PIX OS 6.3. I can't find it anywhere on Cisco's public site.
You get to pay Cisco unless you have a maintenance contract.
> Also, I've been using the enterastream documentation (1) as a reference. Is there anything else out there that is worth looking at?
> 1) http://www.enterastream.com/whitepapers/cisco/pix/pix-practical-guide.html
Manuals for the PIX Firewall Software can be found here: http://www.cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html

- Nate Itkin
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
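As an added example that is not part of the thread, here is a small Python script in the spirit of the poster's "perl mojo": it reads the security levels from the nameif lines of a PIX 6.3 config and classifies every static by direction (real interface vs. mapped interface) and by whether it is an identity mapping or actually remaps a host or port, so the reviewer can separate xlates that do nothing from the ones that deserve a closer look. The config excerpt, interface names and regexes are constructed assumptions, not taken from the poster's config.

```python
import re
from collections import Counter

# Constructed PIX 6.3 config excerpt (sample addresses, not taken from the thread).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
static (inside,dmz) 10.1.1.5 10.1.1.5 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.1.6 10.1.1.6 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.10 10.1.1.7 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 203.0.113.20 80 172.16.0.20 8080 netmask 255.255.255.255 0 0
static (dmz,inside) 10.1.1.50 172.16.0.50 netmask 255.255.255.255 0 0
"""
# nameif <hw_if> <name> security<level>
NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)\s*$")
# static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] netmask ...
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(?:(tcp|udp)\s+)?"
                       r"(\S+)\s+(?:(\d+)\s+)?(\S+)(?:\s+(\d+))?\s+netmask\b")

def parse_config(text):
    """Return ({interface: security level}, [static match groups]) from a PIX 6.3 config."""
    levels, statics = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := NAMEIF_RE.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
    return levels, statics

def classify_statics(text):
    """Label each static by direction and kind. An identity static (same address and port
    on both sides) creates an xlate but neither translates nor permits anything."""
    levels, statics = parse_config(text)
    results = []
    for real_ifc, mapped_ifc, proto, mapped_ip, mapped_port, real_ip, real_port in statics:
        direction = ("high-to-low" if levels.get(real_ifc, -1) > levels.get(mapped_ifc, -1)
                     else "low-to-high")
        if mapped_ip == real_ip and mapped_port == real_port:
            kind = "identity"
        else:
            kind = "port-remap" if proto else "host-remap"
        results.append((real_ifc, mapped_ifc, direction, kind))
    return results

def summarize(text):
    """Count statics per (direction, kind) so identity NATs stand out in a long config."""
    return Counter((d, k) for _, _, d, k in classify_statics(text))
```

Running `summarize` over a real config quickly shows how many of the 300-odd statics are identity mappings versus genuine host or port remaps; the remaps are the lines to cross-check against the ACLs.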