Firewall Wizards mailing list archives

Re: PIX assessment


From: Nate Itkin <firewall-wizards () konadogs net>
Date: Wed, 5 Oct 2005 09:13:44 -1000

On Mon, Sep 26, 2005 at 06:43:56AM -0700, vulnerable wrote:
> hello all.
> I'm doing an assessment on the config of a PIX running 6.3. Not being
> much of a PIX expert, I have a few questions.
> From reading the documentation it is my understanding that if you have
> traffic flowing from the inside (higher security level) to the dmz (lower
> security level) interface then you will not require either an ACL or a
> static statement permitting this.

By default, all connections initiated on a network with a higher security 
level are allowed out, and you configure any restrictions required.

> However, this particular config is
> declaring transparent statics that the documentation I've read says
> are unnecessary. Any reasons why they may be doing this? I'm going
> through a rather long config (3000+ lines), and running some perl mojo
> I find that there are over 300 statics defined for addresses behind
> the inside interface. Useless? Something that perhaps the PDM does?

The static command creates a one-to-one address translation rule (called 
a static translation slot or "xlate").  Translation slots do not permit 
or deny traffic.  The default ACL that permits all connections initiated 
on a network with a higher security level allows the traffic to pass. The 
translation slots may have been created to map specific hosts and/or ports 
on the higher security interface(s) to specific hosts and/or ports on the 
lower security interface(s).

> Oh, I've also been trying to track down the latest rev of PIX OS 6.3.
> Can't find it anywhere on Cisco's public site.

You get to pay Cisco unless you have a maintenance contract.

> Also, I've been using the enterastream documentation (1) as a
> reference; is there anything else out there that is worth looking at?
> 1) http://www.enterastream.com/whitepapers/cisco/pix/pix-practical-guide.html

Manuals for the PIX Firewall Software can be found here:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html

- Nate Itkin
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
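Editor's note, added to the archive and not part of either poster's message: the question above is really "which of these 300 statics do anything?". A static whose mapped and real addresses (and, for port statics, ports) are identical is an identity static; on a PIX 6.x, which needs a translation slot for any flow crossing interfaces, an identity static or a nat 0 statement is how traffic is passed untranslated, so the count of such entries is a good first pass over a long config. The script below is a Python stand-in for the "perl mojo" the poster mentions: it parses `static` and `nameif` lines in PIX 6.3 syntax, classifies each static as identity or translating, host, network or port, and tallies them per interface pair. The config lines it runs on are constructed for this example, not taken from the thread; the function and field names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in PIX 6.3 syntax (illustrative, not from the thread).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
static (inside,dmz) 10.1.1.5 10.1.1.5 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 203.0.113.11 80 172.16.1.11 8080 netmask 255.255.255.255 0 0
static (inside,dmz) udp 10.1.1.53 53 10.1.1.53 53 netmask 255.255.255.255 0 0
access-list dmz_in permit tcp any host 172.16.1.10 eq 443
"""

# static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] [netmask mask] ...
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+(?P<mapped_ip_p>\S+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_ip_p>\S+)\s+(?P<real_port>\S+)"
    r"|(?P<mapped_ip>\S+)\s+(?P<real_ip>\S+))"
    r"(?:\s+netmask\s+(?P<netmask>\S+))?"
)


def parse_static(line):
    """Return a dict describing one static line, or None if it is not a static."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    proto = d["proto"]
    mapped_ip = d["mapped_ip_p"] if proto else d["mapped_ip"]
    real_ip = d["real_ip_p"] if proto else d["real_ip"]
    netmask = d["netmask"] or "255.255.255.255"
    entry = {
        "real_ifc": d["real_ifc"], "mapped_ifc": d["mapped_ifc"],
        "proto": proto, "mapped_ip": mapped_ip, "real_ip": real_ip,
        "mapped_port": d["mapped_port"], "real_port": d["real_port"],
        "netmask": netmask,
        # How many real addresses this one static covers (1 for a host static).
        "hosts_covered": ipaddress.ip_network(f"{real_ip}/{netmask}", strict=False).num_addresses,
    }
    if proto:
        entry["kind"] = "port"
        # A port static is only an identity mapping if address *and* port are unchanged.
        entry["identity"] = mapped_ip == real_ip and d["mapped_port"] == d["real_port"]
    else:
        entry["kind"] = "host" if netmask == "255.255.255.255" else "network"
        entry["identity"] = mapped_ip == real_ip
    return entry


def security_levels(config_text):
    """Map interface name -> security level from 'nameif <hw> <name> security<N>' lines."""
    levels = {}
    for line in config_text.splitlines():
        m = re.match(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)", line.strip())
        if m:
            levels[m.group(1)] = int(m.group(2))
    return levels


def audit_statics(config_text):
    """Parse every static and tally (real_ifc, mapped_ifc, identity|translated)."""
    levels = security_levels(config_text)
    entries = [e for e in map(parse_static, config_text.splitlines()) if e]
    counts = Counter()
    for e in entries:
        real_lvl, mapped_lvl = levels.get(e["real_ifc"]), levels.get(e["mapped_ifc"])
        # A static whose real side is the lower-security interface is outside NAT;
        # worth a second look because it is the less common direction.
        e["outside_nat"] = real_lvl is not None and mapped_lvl is not None and real_lvl < mapped_lvl
        counts[(e["real_ifc"], e["mapped_ifc"], "identity" if e["identity"] else "translated")] += 1
    return entries, dict(counts)


if __name__ == "__main__":
    entries, counts = audit_statics(SAMPLE_CONFIG)
    for key, n in sorted(counts.items()):
        print(f"{key[0]:>8} -> {key[1]:<8} {key[2]:<10} {n}")
    for e in entries:
        print(f"{e['kind']:<8} identity={e['identity']!s:<5} covers={e['hosts_covered']:<4} "
              f"{e['mapped_ip']}:{e['mapped_port']} -> {e['real_ip']}:{e['real_port']}")
```

Feed it the output of `show run` (or `write terminal`) and the identity statics on the inside interface fall out as one number per interface pair; the ones that are not identity mappings, and any flagged as outside NAT, are the entries worth reading line by line, since each of those changes what address a DMZ host sees and therefore what the DMZ-side ACLs have to name.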

