firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: 2 PIXes with their interfaces sharing the same switch and
on the same VLAN. (Josh Ward)
2. Re: 2 PIXes with their interfaces sharing the same switch
and on the same VLAN. (Scott Stursa)
----------------------------------------------------------------------
Message: 1
Date: Sat, 01 Aug 2009 11:27:23 -0700
From: Josh Ward <jward@network-services.uoregon.edu>
Subject: Re: [fw-wiz] 2 PIXes with their interfaces sharing the same
switch and on the same VLAN.
To: rudy@rudal.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <4A74890B.8020400@network-services.uoregon.edu>
Content-Type: text/plain; charset=ISO-8859-1
Rudy,
Depending on what version of PIX software you are running, you may be
able to use the packet tracer to see what is going on. I believe they
added it in 7.2.
Try this command (changing your ingress interface name):
packet-tracer input insideXX tcp 10.17.1.2 5555 10.15.1.10 ssh det
The output should show you exactly how the PIX is making a forward or
drop decision. You can twiddle the second IP and see what is different
between the two different destinations.
-Josh
--
Josh Ward <jward@uoregon.edu>
Network Security Engineer - University of Oregon - Network Services
PGP Fingerprint: CFB6 62C0 370B AD6D BA33 6034 8FFB 4A49 297F 6A4C
Rudy Setiawan wrote:
> Hi all,
>
> I have a problem that I need some solution/advice on :)
>
> I have two PIXes
> * PIX A WAN is connected to Provider A
> * PIX B WAN is connected to Provider B
> * PIX A inside interface has the IP address of 10.15.1.1
> * PIX B DMZ interface has the IP address of 10.15.1.2
> * PIX B inside interface has the IP address of 10.17.1.1
> * Subnet mask for all of the IP addresses 255.255.0.0 or /16
>
> I disabled nat by way of nat 0 access-list to both PIXes and the
> interfaces as well (except the WAN).
> I have a "ip permit any any" applied to all interfaces except the WAN.
>
> A user with IP 10.17.1.2 who has a gateway of 10.17.1.1 is able to ping a
> server in 10.15.1.10 (the server has a gateway of 10.15.1.1) but is
> unable to ssh to the server.
> But if I change the gateway of the server to 10.15.1.2, then the user
> is able to ssh to the server.
>
> What am I doing wrong here?
>
> Thank you so much in advance for the help.
>
> Regards,
> Rudy
>
------------------------------
Message: 2
Date: Sat, 1 Aug 2009 11:07:37 -0700 (PDT)
From: "Scott Stursa" <stursa@695online.com>
Subject: Re: [fw-wiz] 2 PIXes with their interfaces sharing the same
switch and on the same VLAN.
To: rudy@rudal.com, "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Cc: firewall-wizards@listserv.icsalabs.com
Message-ID:
<18916.76.105.154.18.1249150057.webmail@mail.695online.com>
Content-Type: text/plain;charset=iso-8859-1
Rudy Setiawan said:
> Hi all,
>
> I have a problem that I need some solution/advice on :)
>
> I have two PIXes
> * PIX A WAN is connected to Provider A
> * PIX B WAN is connected to Provider B
> * PIX A inside interface has the IP address of 10.15.1.1
> * PIX B DMZ interface has the IP address of 10.15.1.2
> * PIX B inside interface has the IP address of 10.17.1.1
> * Subnet mask for all of the IP addresses 255.255.0.0 or /16
>
> I disabled nat by way of nat 0 access-list to both PIXes and the
> interfaces as well (except the WAN).
> I have a "ip permit any any" applied to all interfaces except the WAN.
>
> A user with IP 10.17.1.2 who has a gateway of 10.17.1.1 is able to ping a
> server in 10.15.1.10 (the server has a gateway of 10.15.1.1) but is
> unable to ssh to the server.
> But if I change the gateway of the server to 10.15.1.2, then the user
> is able to ssh to the server.
>
> What am I doing wrong here?
Does PIX A have an explicit route defined for 10.17.0.0/16? If not, then
it's probably sending the server's packets out to the provider (how the
ICMP echo replies get back to 10.17.1.2 is a bit mysterious). Try adding a
route to PIX A for 10.17.0.0/16 pointing to 10.15.1.2.
--
It's not having what you want.
It's wanting what you've got.
- Sheryl Crow
Scott L. Stursa
CISSP, CCNP, MCSA
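Both replies (Josh's packet-tracer and Scott's routing question) point at the path the server's replies take back toward 10.17.1.2. As an added illustration that is not part of the thread, the toy model below shows why that path matters on a stateful firewall: whichever PIX is a host's default gateway sees that host's packets, a PIX that never saw a flow's SYN drops the later TCP segments, and untracked ICMP passes either way, which matches ping working while ssh fails. The Pix class, simulate() and the assumption that ICMP is not inspected are constructed for this example.

```python
# Added example, not from the thread: a toy model of the two-PIX topology.
# Assumptions (constructed for this illustration): each PIX admits a non-SYN
# TCP segment only if it already saw the flow's SYN (a real PIX logs such a
# drop as "Deny TCP (no connection)"), and ICMP is not connection-tracked
# (PIX 7.x default when "inspect icmp" is not configured).

class Pix:
    """Minimal stateful firewall: a connection table keyed by the flow."""

    def __init__(self, name):
        self.name = name
        self.conns = set()

    def forward(self, proto, src, sport, dst, dport, flags):
        """Return 'permit' or 'drop' for one packet transiting this PIX."""
        if proto == "icmp":
            return "permit"                      # untracked in this model
        key = frozenset([(src, sport), (dst, dport)])
        if "SYN" in flags and "ACK" not in flags:
            self.conns.add(key)                  # the SYN creates the entry
            return "permit"
        return "permit" if key in self.conns else "drop"


def simulate(server_gateway):
    """Walk a ping and the start of an SSH handshake from user 10.17.1.2
    (gateway PIX B) to server 10.15.1.10; the server's gateway decides which
    PIX sees its replies. Returns (flags, pix, verdict) per packet and stops
    at the first drop, since nothing follows a lost SYN-ACK."""
    pix_a, pix_b = Pix("PIX A"), Pix("PIX B")
    reply_path = {"10.15.1.1": pix_a, "10.15.1.2": pix_b}[server_gateway]
    user, server = "10.17.1.2", "10.15.1.10"
    packets = [
        (pix_b, "icmp", user, 0, server, 0, "ECHO"),
        (reply_path, "icmp", server, 0, user, 0, "ECHO-REPLY"),
        (pix_b, "tcp", user, 5555, server, 22, "SYN"),
        (reply_path, "tcp", server, 22, user, 5555, "SYN,ACK"),
        (pix_b, "tcp", user, 5555, server, 22, "ACK"),
    ]
    trace = []
    for pix, *pkt in packets:
        verdict = pix.forward(*pkt)
        trace.append((pkt[-1], pix.name, verdict))
        if verdict == "drop":
            break
    return trace
```

Calling simulate("10.15.1.1") reproduces Rudy's failing case (the SYN-ACK reaches PIX A, which has no connection entry and drops it), while simulate("10.15.1.2") keeps both directions on PIX B and every packet is permitted.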
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 40, Issue 2
***********************************************