
Friday, October 12, 2007

firewall-wizards Digest, Vol 18, Issue 6

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. DMZ to INSIDE Communication (chris mr)
2. Re: Survey of IPv6 Support Among Commercial Firewalls
(Dave Piscitello)
3. Getting TrueCrypt ported to Mac Os X! (Fabio Pietrosanti)


----------------------------------------------------------------------

Message: 1
Date: Thu, 11 Oct 2007 14:06:01 -0700 (PDT)
From: chris mr <chris.misztur@yahoo.com>
Subject: [fw-wiz] DMZ to INSIDE Communication
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <130209.63293.qm@web63709.mail.re1.yahoo.com>
Content-Type: text/plain; charset=us-ascii

Hello,

I have an ASA5505 and I'm stumped.

I have an IIS SMTP server on the DMZ and it is able to communicate with OUTSIDE SMTP servers on port 25. I want it to be able to communicate with INSIDE SMTP servers; however, the packets get dropped.
WEBSERVER:gt1023---------->DMZ>>>INSIDE---xx--->EXCHANGE:25

Here is the setup:

Interfaces/Vlans:
-Outside
security=0
IP 75.xx.yy.233
-Outside1
security=0 ( backup ISP )
IP 12.xx.yy.154
-Inside
security=100
IP 200.xx.yy.158
-DMZ
security=50
IP 192.168.2.1

Here is my relevant setup:
name 192.168.2.2 WEBSERVER_nat >> on DMZ interface
name 192.168.2.3 WEBSERVER_nat1 >> on DMZ interface
name 75.xx.yy.234 WEBSERVER_real >> public IP of web server
name 12.xx.yy.155 WEBSERVER_real1 >> public IP of web server (round-robin DNS setup)
name 200.xx.yy.10 GATEWAY >> MS ISA server on Inside interface
name 200.xx.yy.11 EXCHANGE >> MS Exchange on Inside interface

global (outside1) 2 interface
global (DMZ) 2 interface
global (outside) 2 interface

nat (inside) 2 GATEWAY 255.255.255.255
nat (inside) 2 EXCHANGE 255.255.255.255

static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (inside,outside1) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (DMZ,outside1) WEBSERVER_real1 WEBSERVER_nat netmask 255.255.255.255 tcp 0 25
static (DMZ,inside) WEBSERVER_real1 WEBSERVER_nat1 netmask 255.255.255.255
static (DMZ,outside) WEBSERVER_real WEBSERVER_nat netmask 255.255.255.255 tcp 0 25
static (DMZ,inside) WEBSERVER_real WEBSERVER_nat netmask 255.255.255.255

access-group ACLIN in interface outside1
access-group ACLIN in interface outside

access-list ACLIN extended deny ip 172.16.0.0 255.255.0.0 interface outside log
access-list ACLIN extended deny ip 192.168.0.0 255.255.0.0 interface outside log
access-list ACLIN extended deny ip 10.0.0.0 255.0.0.0 interface outside log
access-list ACLIN extended deny ip 10.0.0.0 255.0.0.0 interface outside1 log
access-list ACLIN extended deny ip 192.168.0.0 255.255.0.0 interface outside1 log
access-list ACLIN extended deny ip 172.16.0.0 255.255.0.0 interface outside1 log
access-list ACLIN extended permit tcp any host 75.xx.yy.233 object-group INSIDE_services (smtp)
access-list ACLIN extended permit tcp any host 12.xx.yy.154 object-group INSIDE_services (smtp)
access-list ACLIN extended permit icmp any object-group DMZ (WEBSERVER_real and _real1) object-group DMZ_icmp log
access-list ACLIN extended permit icmp any interface outside object-group OUTSIDE_icmp (echo/reply)
access-list ACLIN extended permit icmp any interface outside1 object-group OUTSIDE_icmp
access-list ACLIN extended permit tcp any object-group DMZ object-group DMZ_services (http/https/ftp)
access-list ACLIN extended permit tcp any eq domain object-group DMZ log
access-list ACLIN extended permit udp any eq domain object-group DMZ log
access-list ACLIN extended deny ip any any log
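
An added example, not part of the original post: a small check that applies the ASA's default security-level rules to the interfaces and access-group lines shown above and reports what decides a new connection between each pair of interfaces. The security levels and access-group lines are transcribed from the post as a constructed sample; the function names are hypothetical.

```python
import re

# Constructed sample transcribed from the post: interface -> security level,
# and the only access-group lines that appear in the posted configuration.
SECURITY_LEVELS = {"outside": 0, "outside1": 0, "inside": 100, "DMZ": 50}
CONFIG = """\
access-group ACLIN in interface outside1
access-group ACLIN in interface outside
"""

ACCESS_GROUP = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)", re.M)


def inbound_acls(config):
    """Map interface name -> ACL bound inbound with access-group."""
    return {iface: acl for acl, iface in ACCESS_GROUP.findall(config)}


def default_verdict(src, dst, levels, acls):
    """Say what decides a new connection entering src and leaving dst."""
    if levels[src] == levels[dst]:
        # Equal levels are blocked regardless of ACLs unless this is enabled.
        return "denied unless same-security-traffic permit inter-interface is set"
    if src in acls:
        # An inbound ACL replaces the implicit rule for that interface.
        return f"decided by ACL {acls[src]}"
    if levels[src] > levels[dst]:
        return "implicitly permitted (higher to lower security)"
    return "implicitly denied (lower to higher security, no inbound ACL)"


def audit(levels, config):
    """Return {(src, dst): verdict} for every ordered interface pair."""
    acls = inbound_acls(config)
    return {(s, d): default_verdict(s, d, levels, acls)
            for s in levels for d in levels if s != d}


if __name__ == "__main__":
    for (s, d), verdict in sorted(audit(SECURITY_LEVELS, CONFIG).items()):
        print(f"{s:>8} -> {d:<8} {verdict}")
```

For the lines posted, the DMZ to inside pair has no inbound ACL bound to the DMZ interface, so it falls under the implicit lower-to-higher deny; NAT and licensing are outside what this check models.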





------------------------------

Message: 2
Date: Thu, 11 Oct 2007 08:42:28 -0400
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] Survey of IPv6 Support Among Commercial
Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <470E1A34.5030800@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"

A fair number of the vendors I contacted early on in this project
indicated they would provide input if the individual results were not
published.

Rather than have fewer than 1/2 of the surveyed vendors included in the
survey, I (and SSAC) agreed to publish summary figures.

dlang@diginsite.com wrote:
> On Fri, 5 Oct 2007, Dave Piscitello wrote:
>
>> Some of you may recall I began a survey over the summer.
>>
>> The report is now available at:
>>
>> http://www.icann.org/committees/security/sac021.pdf
>
> Are the responses themselves available anywhere?
>
> David Lang
>
>


------------------------------

Message: 3
Date: Wed, 10 Oct 2007 22:10:15 +0200
From: Fabio Pietrosanti <lists@infosecurity.ch>
Subject: [fw-wiz] Getting TrueCrypt ported to Mac Os X!
To: firewall-wizards@honor.icsalabs.com
Message-ID: <470D31A7.6070200@infosecurity.ch>
Content-Type: text/plain; charset="iso-8859-1"

Guys,

Please spread this to all your Mac-user friends.

We need to reach 1500 USD to finance the porting of
TrueCrypt (www.truecrypt.org) to Mac OS X.

Please donate some dollars here and spread this fantastic open-source
security community growth opportunity:

http://www.osxcrypt.org

OSXCRYPT = TrueCrypt for Mac OS X

Finally free of not trusting FileVault anymore.

-naif



------------------------------



End of firewall-wizards Digest, Vol 18, Issue 6
***********************************************
