Firewall Wizards mailing list archives

RE: disable stateful firewall on PIX?


From: "Horvath, Kevin M." <KEVIN.M.HORVATH () saic com>
Date: Wed, 26 Apr 2006 09:36:03 -0400

Sorry, I've been busy, but I have not seen anyone respond to this, so I will give my
2 cents.

There is not a way to disable the PIX from being stateful. Essentially what
you are doing with this type of routing is turning them into packet filtering
devices, since the states are no longer being used for the TCP sessions.
Your leading options probably would be to 1) do a permit any any (oh, just
the sight of a permit any any makes me cringe) on the PIXes and then
implement your packet filtering on the next hop routers' ACLs, or 2) rework
the access-lists on your exterior interfaces of the PIXes (depending on the
type of traffic that exits your network) so that they would be packet
filtering, since the return traffic will not have any initial SYNs to look for
(just like router ACLs without the established command appended).

The main concern here is your return traffic, since this is what will get
blocked. Just make sure you don't have any ip verify reverse-path
implemented on any network equipment (including firewalls), and log, log, log
(at least level 6). Also, if you do the asymmetrical routing, which I
recommend you do not, by the way (IMHO), watch your embryonic sessions on the
PIX and reduce your session timeouts so that you don't kill your PIXes.
Good luck, and I hope this helps.

Kevin
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Adam Greene
Sent: Thursday, April 13, 2006 1:30 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] disable stateful firewall on PIX?

Hi,

We have to run asymmetrical routing on a couple of IP blocks for a couple of
days (i.e. traffic will exit one end of our autonomous system and enter at
the other end). Both ends are protected by PIX-515's (IOS 6.3(4) and
6.3(3)).

Is there a way to temporarily disable stateful features on the PIXes for
these specific IP blocks? Pounding our heads against CCO has not yet yielded
any constructive results.

Thanks,
Adam

P.S. apologies to anyone subscribed to cisco-nsp for the cross-post


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
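To make the return-traffic problem in Kevin's reply concrete, here is an added Python model (not from the thread, and not Cisco code) of a stateful inspector beside a router-style ACL with the established keyword: the SYN exits through one PIX, the SYN-ACK returns through the other, only the stateless filter passes it, and the exit PIX is left holding a half-open (embryonic) entry. Addresses, ports and class names are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # subset of "SAR": SYN, ACK, RST
    direction: str   # "out" = inside->outside, "in" = outside->inside

class StatefulPix:
    """Stateful inspector model: inbound packets with no matching state are dropped."""
    def __init__(self):
        self.conns = {}   # flow key -> "embryonic" (half-open) | "established"

    @staticmethod
    def key(p):
        # Normalise both directions to one (inside, outside) key
        return (p.src, p.sport, p.dst, p.dport) if p.direction == "out" \
            else (p.dst, p.dport, p.src, p.sport)

    def embryonic_count(self):
        return sum(1 for s in self.conns.values() if s == "embryonic")

    def forward(self, p):
        k = self.key(p)
        if p.direction == "out" and "S" in p.flags and "A" not in p.flags:
            self.conns[k] = "embryonic"   # new half-open entry
            return True
        if k not in self.conns:
            return False                  # no SYN seen here: drop return traffic
        if p.direction == "in" and "S" in p.flags and "A" in p.flags:
            self.conns[k] = "established"
        return True

class StatelessAcl:
    """Router-style ACL with 'established': inbound passes if ACK or RST is set."""
    def forward(self, p):
        return p.direction == "out" or "A" in p.flags or "R" in p.flags

def asymmetric_flow():
    # Constructed sample: SYN leaves via PIX A, SYN-ACK comes back via PIX B
    syn = Packet("10.1.1.10", 40000, "198.51.100.5", 80, "S", "out")
    synack = Packet("198.51.100.5", 80, "10.1.1.10", 40000, "SA", "in")
    pix_a, pix_b = StatefulPix(), StatefulPix()
    pix_a.forward(syn)
    dropped_by_b = not pix_b.forward(synack)       # PIX B never saw the SYN
    passed_by_acl = StatelessAcl().forward(synack)
    return dropped_by_b, passed_by_acl, pix_a.embryonic_count()
```

The leftover embryonic entry on PIX A is why the reply suggests watching half-open counts and lowering timeouts while the asymmetry lasts.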