Today's Topics:
1. Re: Cisco FWSM/ASA Question (Paul Melson)
2. New to Cisco PIX/ ASA (Keith A. Glass)
3. Re: Check Point NG FP3 HF2 on Solaris 5.8 (Robby Cauwerts)
----------------------------------------------------------------------
Message: 1
Date: Wed, 1 Aug 2007 14:16:25 -0400
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] Cisco FWSM/ASA Question
To: "Firewall Wizards Security Mailing List" <firewall-wizards@listserv.icsalabs.com>
Message-ID: <40ecb01f0708011116q5ff4f4c3s5224b0e5de92f462@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Which fixups do you have enabled? Are you able to use wireshark or
something similar to sniff traffic on both sides of the fwsm to
determine if it's changing anything in transit?
PaulM
On 7/27/07, Matthew Watkins <matt@idnet.net> wrote:
> I'm investigating a problem with Windows clients computers situated
> behind a pair of redundant firewall services modules (installed in a
> Cisco Catalyst 6513 switch). There's a new domain controller on one
> VLAN, and our Windows/PC clients sit on another. Both networks are
> routed through the FWSM, and general network connectivity seems fine.
>
> The firewall blades are running the latest version of the FWSM/ASA code:
>
> FWSM Firewall Version 3.1(6)
>
> Basically, my Mac laptop running OS X seems to connect to all parts
> of the network without problems. It can mount shares, resolve DNS
> etc... However, the Windows desktop clients seem unable to log on to
> the domain when booted up behind the firewall. Initially, I thought
> the problem might be related to DNS protocol inspection, since we
> were seeing the log messages below:
>
> Jul 26 16:55:21 cam-sh-fw1-inside.redstardevelopment.com %FWSM-2-106007: Deny inbound UDP from 172.17.50.3/53 to 172.29.6.2/1026 due to DNS Response
>
> I've subsequently removed DNS inspection from the global default
> rules, but it hasn't made any difference. This is a new site which we
> are in the process of building, so the access-lists for both networks
> are currently wide open:
>
> access-list PERMISSIVE extended permit ip any any
> access-group PERMISSIVE in interface inside
> access-group PERMISSIVE in interface office-wired
> access-group PERMISSIVE in interface office-dmz
>
> We've created a stripped down domain user account, with no DFS shares
> or home drive mappings, and this user account can successfully log in
> to the domain. Our servers are all running Win2K3. Any ideas what the
> problem might be? I'm not seeing messages in the logs, and I'm a bit
> confused about the possible cause...
>
> Any ideas gratefully received!
>
> - Matt
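As an added example (not code from the thread or from Cisco), a small Python helper that parses the %FWSM-2-106007 deny messages of the shape Matt quoted and isolates the ones caused by DNS inspection, so you can see which DNS server and which clients are affected before deciding whether to remove the inspect rule. The sample log lines are constructed from the single line quoted above; the 302015 "Built connection" line is a constructed non-matching entry.

```python
import re
from collections import Counter

# Matches the FWSM 106007 deny quoted in the thread. The "%\s*FWSM" allows for
# the space that mail clients insert when they wrap the line after the '%'.
FWSM_106007 = re.compile(
    r"%\s*FWSM-(?P<sev>\d)-(?P<msgid>106007): Deny inbound (?P<proto>\w+) "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"due to (?P<reason>.+?)\s*$"
)

# Constructed sample syslog lines in the format quoted in the thread.
SAMPLE_LOG = [
    "Jul 26 16:55:21 cam-sh-fw1-inside.redstardevelopment.com %FWSM-2-106007: "
    "Deny inbound UDP from 172.17.50.3/53 to 172.29.6.2/1026 due to DNS Response",
    "Jul 26 16:55:22 cam-sh-fw1-inside.redstardevelopment.com %FWSM-2-106007: "
    "Deny inbound UDP from 172.17.50.3/53 to 172.29.6.2/1027 due to DNS Response",
    "Jul 26 16:55:23 cam-sh-fw1-inside.redstardevelopment.com %FWSM-6-302015: "
    "Built outbound UDP connection 1234 for inside:172.29.6.2/1028 (172.29.6.2/1028) "
    "to office-dmz:172.17.50.3/53 (172.17.50.3/53)",
    "Jul 26 16:55:24 cam-sh-fw1-inside.redstardevelopment.com %FWSM-2-106007: "
    "Deny inbound UDP from 172.17.50.3/53 to 172.29.6.5/1026 due to DNS Response",
]


def parse_106007(line):
    """Return the fields of a 106007 deny as a dict, or None for any other line."""
    m = FWSM_106007.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sev", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def dns_inspection_denies(lines):
    """Keep only denies whose reason is 'DNS Response' and whose source port is 53:
    replies from a DNS server that the inspection engine would not let through."""
    hits = []
    for line in lines:
        rec = parse_106007(line)
        if rec and rec["reason"] == "DNS Response" and rec["sport"] == 53:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count denied responses per (DNS server, client) pair."""
    return Counter((h["src"], h["dst"]) for h in hits)
```

Feed it the firewall's syslog export instead of SAMPLE_LOG; a single server showing up against many clients points at the inspect rule rather than at one broken host.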
------------------------------
Message: 2
Date: Wed, 1 Aug 2007 18:41:53 -0400
From: "Keith A. Glass" <salgak@speakeasy.net>
Subject: [fw-wiz] New to Cisco PIX/ ASA
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID: <005d01c7d48d$2956a550$7c03eff0$@net>
Content-Type: text/plain; charset="us-ascii"
I've managed Gauntlets, Checkpoints, Netscreens, and SonicWalls in the past.
I'm a bit confused with the ins and outs of the ASA firewalls.
I'm setting up an HA pair, my Eth0/0 is my interior interface, trust level
100, Eth 0/1 and 0/2 are my IP and State heartbeats, and Eth 1/0 is my
external interface, trust level 1.
Am I correct in my understanding that if I want two-way traffic, traffic is
not blocked to a lower trust level, so I need only write a rule to pass the
traffic between the endpoints from the external interface to the internal
interface, and the reply traffic is taken care of? Or do I have to write
a reverse rule, from the internal interface to the external as well?
------------------------------
Message: 3
Date: Thu, 2 Aug 2007 01:00:32 +0200
From: "Robby Cauwerts" <robby@cauwerts.be>
Subject: Re: [fw-wiz] Check Point NG FP3 HF2 on Solaris 5.8
To: "Firewall Wizards Security Mailing List" <firewall-wizards@listserv.cybertrust.com>
Message-ID: <2ca18af0708011600q5b641ad9m21ad3a02b29cf410@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
On 7/20/07, Robert Fenech <robertfenech@gmail.com> wrote:
>
> Hi,
>
> I am encountering a problem when it comes to installing a policy on an NG FP3
> HF2 firewall running on an old Solaris 5.8 machine.
>
> Primarily, when the policy is about to be installed I get the message
> "Failed to install policy. Please make sure that Firewall-1 services are
> running...".
>
Try a cprestart or cpstop/cpstart on the fw module (be aware of the impact
on your traffic/remote mgmt of the fw!).
Then try to push the policy again a few times.
If this doesn't solve the problem, try to debug cpd and fwd (check the CP
knowledgebase or post a reply).
Br.
Robby
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 16, Issue 2
***********************************************