firewall-wizards@listserv.icsalabs.com
Today's Topics:
1. Re: Cisco FWSM/ASA Question (Matthew Watkins)
2. Cisco ACS alternative (Pedro Henrique Morsch Mazzoni)
3. Re: firewall-wizards Digest, Vol 16, Issue 2 (Tedeski, William)
4. Re: firewall-wizards Digest, Vol 16, Issue 2 (Tedeski, William)
----------------------------------------------------------------------
Message: 1
Date: Thu, 2 Aug 2007 09:06:50 +0100
From: Matthew Watkins <matt@idnet.net>
Subject: Re: [fw-wiz] Cisco FWSM/ASA Question
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <CC206FCD-9E41-4495-8D54-4595CB5A438A@idnet.net>
Content-Type: text/plain; charset="us-ascii"
I think we've solved this particular problem. At some point the
standby firewall module had gone active, and was leading to some very
random behaviour through the firewall. Thanks for all your
suggestions...
- Matt
On 1 Aug 2007, at 19:16, Paul Melson wrote:
> Which fixups do you have enabled? Are you able to use wireshark or
> something similar to sniff traffic on both sides of the fwsm to
> determine if it's changing anything in transit?
>
> PaulM
>
>
> On 7/27/07, Matthew Watkins <matt@idnet.net> wrote:
>> I'm investigating a problem with Windows client computers situated
>> behind a pair of redundant firewall services modules (installed in a
>> Cisco Catalyst 6513 switch). There's a new domain controller on one
>> VLAN, and our Windows/PC clients sit on another. Both networks are
>> routed through the FWSM, and general network connectivity seems fine.
>>
>> The firewall blades are running the latest version of the FWSM/ASA
>> code:
>>
>> FWSM Firewall Version 3.1(6)
>>
>> Basically, my Mac laptop running OS X seems to connect to all parts
>> of the network without problems. It can mount shares, resolve DNS
>> etc... However, the Windows desktop clients seem unable to log on to
>> the domain when booted up behind the firewall. Initially, I thought
>> the problem might be related to DNS protocol inspection, since we
>> were seeing the log messages below:
>>
>> Jul 26 16:55:21 cam-sh-fw1-inside.redstardevelopment.com %
>> FWSM-2-106007: Deny inbound UDP from 172.17.50.3/53 to
>> 172.29.6.2/1026 due to DNS Response
>>
>> I've subsequently removed DNS inspection from the global default
>> rules, but it hasn't made any difference. This is a new site which we
>> are in the process of building, so the access-lists for both networks
>> are currently wide open:
>>
>> access-list PERMISSIVE extended permit ip any any
>> access-group PERMISSIVE in interface inside
>> access-group PERMISSIVE in interface office-wired
>> access-group PERMISSIVE in interface office-dmz
>>
>> We've created a stripped down domain user account, with no DFS shares
>> or home drive mappings, and this user account can successfully login
>> to the domain. Our servers are all running Win2K3. Any ideas what the
>> problem might be? I'm not seeing messages in the logs, and I'm a bit
>> confused about the possible cause...
>>
>> Any ideas gratefully received!
>>
>> - Matt
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
------------------------------
Message: 2
Date: Wed, 15 Aug 2007 10:18:59 -0300
From: "Pedro Henrique Morsch Mazzoni" <phmazzoni@gmail.com>
Subject: [fw-wiz] Cisco ACS alternative
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<a0d2d18f0708150618u78afc976i36e6eb0e5941a1b1@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hi everyone!
Does anyone know an alternative to Cisco Secure ACS?
I need an AAA server that can work with downloadable ACLs.
Tks,
Pedro Mazzoni
------------------------------
Message: 3
Date: Thu, 2 Aug 2007 11:25:53 -0500
From: "Tedeski, William" <William.Tedeski@acs-inc.com>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 16, Issue 2
To: "'firewall-wizards@listserv.icsalabs.com'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <839A891005DE6548840FB0D77D90F80E0C3C834C@acspghexch01>
Content-Type: text/plain; charset="us-ascii"
> FWSM-2-106007: Deny inbound UDP from 172.17.50.3/53 to
> 172.29.6.2/1026 due to DNS Response
This message may be caused by more than one response from the DNS server.
The ASA/PIX/FWSM, with DNS fixup on, will permit the first response but block
any others after that.
Do a "show local-host" command using the address of the system on the higher
security interface, while that system is trying to connect.
The display will show you any connections built as well as the connection state
flags. The connection state flags may be the best tool to diagnose an issue on
the ASA/PIX/FWSM.
Bill Tedeski
ACS Inc
------------------------------
Message: 4
Date: Thu, 2 Aug 2007 11:36:07 -0500
From: "Tedeski, William" <William.Tedeski@acs-inc.com>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 16, Issue 2
To: "'firewall-wizards@listserv.icsalabs.com'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <839A891005DE6548840FB0D77D90F80E0C3C834D@acspghexch01>
Content-Type: text/plain; charset="us-ascii"
> Am I correct in my understanding that if I want two-way traffic, traffic
> is not blocked to a lower trust level, so I need only write a rule to pass
> the traffic between the endpoints from the external interface to the
> internal interface, and the reply traffic is taken care of ?? Or do I
> have to write a reverse rule, from the internal interface to the external
> as well ???
On a PIX/ASA/FWSM:
You are correct in that if there is no access-list on the higher security
level interface, connections to the lower security level interface will be
permitted, provided that a matching STATIC or GLOBAL/NAT exists. As soon as
you add an access-list to the higher security interface, you then need to
explicitly permit the connections.
Also, reply traffic will be permitted without the need to define an
access-list entry.
In addition, for protocols like FTP, the data channel will be permitted when a
control channel connection exists, without the need for an access-list
entry.
Bill Tedeski
ACS Inc.
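The two answers above (Bill's explanation of why 106007 appears once DNS fixup has passed the first response, and his summary of the security-level and reply-traffic rules) describe the same stateful connection table from two angles. The following is an added toy model written for this digest, not Cisco code and not anything the posters supplied. It assumes interface security levels of 100/50/10 for inside, office-wired and office-dmz, a constructed DMZ subnet 10.1.1.0/24, a constructed inside host 172.17.50.10, and a nat-control style requirement that a translation exist for every new connection; the addresses 172.17.50.3 and 172.29.6.2 and the PERMISSIVE access-list come from the quoted messages.

```python
"""Toy model of PIX/ASA/FWSM connection handling as described in the thread.

Constructed illustration, not Cisco code.  It models three behaviours:
  * with no access-group bound to the ingress interface, a higher
    security-level interface may open connections to a lower one, provided a
    translation (STATIC or GLOBAL/NAT) exists; once an access-group is bound,
    the access-list decides;
  * reply traffic matching an existing connection is permitted with no
    access-list entry;
  * with DNS inspection on, only the first response to a query is accepted;
    any later response is logged as 106007 "due to DNS Response".
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    in_iface: str   # nameif of the interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass
class Firewall:
    levels: dict                  # nameif -> security-level (assumed values below)
    routes: dict                  # address prefix -> egress nameif
    nat: set                      # interfaces that have a STATIC or GLOBAL/NAT
    acls: dict = field(default_factory=dict)   # nameif -> [(proto, dst, dport)] permits
    inspect_dns: bool = True
    conns: dict = field(default_factory=dict)  # forward 5-tuple -> connection state
    log: list = field(default_factory=list)

    def _egress(self, dst):
        for prefix, iface in self.routes.items():
            if dst.startswith(prefix):
                return iface
        raise ValueError(f"no route to {dst}")

    def _acl_permits(self, pkt):
        for proto, dst, dport in self.acls[pkt.in_iface]:
            if proto in (pkt.proto, "ip") and dst in (pkt.dst, "any") and dport in (pkt.dport, "any"):
                return True
        return False

    def process(self, pkt):
        """Return a decision string; syslog-style lines are appended to self.log."""
        # 1. Reply traffic: the reverse 5-tuple of an existing connection is
        #    permitted without an access-list entry ...
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        conn = self.conns.get(rev)
        if conn is not None:
            # ... except that DNS inspection accepts only the first response;
            # the pinhole is then considered answered and later responses drop.
            if self.inspect_dns and conn["dns"]:
                if conn["dns_done"]:
                    self.log.append(
                        f"%FWSM-2-106007: Deny inbound UDP from {pkt.src}/{pkt.sport} "
                        f"to {pkt.dst}/{pkt.dport} due to DNS Response")
                    return "deny: 106007 DNS Response"
                conn["dns_done"] = True
            return "permit: reply"
        # 2. New connection.
        out_iface = self._egress(pkt.dst)
        if pkt.in_iface in self.acls:
            # An access-group is bound: the access-list decides, not the levels.
            if not self._acl_permits(pkt):
                return "deny: no access-list match"
        elif self.levels[pkt.in_iface] <= self.levels[out_iface]:
            # No access-group: implicit policy permits higher -> lower only.
            return "deny: lower to higher without access-list"
        if pkt.in_iface not in self.nat:
            # Assumed nat-control behaviour: a translation must exist.
            return "deny: no translation"
        self.conns[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = {
            "dns": pkt.proto == "udp" and pkt.dport == 53, "dns_done": False}
        return "permit: new connection"


def demo():
    # Security levels, the 10.1.1.0/24 DMZ and host 172.17.50.10 are constructed.
    fw = Firewall(
        levels={"inside": 100, "office-wired": 50, "office-dmz": 10},
        routes={"172.17.": "inside", "172.29.6.": "office-wired", "10.1.1.": "office-dmz"},
        nat={"inside", "office-wired"},
        acls={"office-wired": [("ip", "any", "any")]},   # PERMISSIVE, as in the thread
    )
    results = {}
    query = Packet("office-wired", "172.29.6.2", 1026, "172.17.50.3", 53)
    reply = Packet("inside", "172.17.50.3", 53, "172.29.6.2", 1026)
    results["query"] = fw.process(query)
    results["first_response"] = fw.process(reply)
    results["second_response"] = fw.process(reply)     # the 106007 case
    # Implicit security-level policy on interfaces with no access-group bound.
    results["inside_to_dmz"] = fw.process(Packet("inside", "172.17.50.10", 40000, "10.1.1.5", 80, "tcp"))
    results["dmz_reply"] = fw.process(Packet("office-dmz", "10.1.1.5", 80, "172.17.50.10", 40000, "tcp"))
    results["dmz_to_inside"] = fw.process(Packet("office-dmz", "10.1.1.5", 40001, "172.17.50.10", 445, "tcp"))
    return results, fw.log


if __name__ == "__main__":
    decisions, syslog = demo()
    for name, decision in decisions.items():
        print(f"{name:16s} {decision}")
    print(*syslog, sep="\n")
```

The second response in the demo reproduces the exact log format Matt quoted, which is why a client that retries against several DNS servers, or receives duplicate answers, fills the log with 106007 even when the access-lists are wide open: the deny comes from inspection state, not from an access-list.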
------------------------------
End of firewall-wizards Digest, Vol 16, Issue 4
***********************************************