Today's Topics:
1. Re: PIX 515 7.1 vs: 8.0 (Brian Blater)
2. Re: PIX 515 7.1 vs: 8.0 (Brian Blater)
3. Re: PIX 515 7.1 vs: 8.0 (Christopher J. Wargaski)
4. Re: PIX 515 7.1 vs: 8.0 (John Morrison)
5. Re: PIX 515 7.1 vs: 8.0 (Christopher J. Wargaski)
----------------------------------------------------------------------
Message: 1
Date: Sat, 19 Mar 2011 21:56:23 -0400
From: Brian Blater <brb.lists@gmail.com>
Subject: Re: [fw-wiz] PIX 515 7.1 vs: 8.0
To: John Morrison <john.morrison101@gmail.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<AANLkTikU+D3_9tZz=8St3wSHrO13c2fxkzzfa2uN-hHm@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On Sat, Mar 19, 2011 at 7:48 AM, John Morrison
<john.morrison101@gmail.com> wrote:
> Brian,
>
> The PIX guide
> (http://www.cisco.com/en/US/docs/security/pix/pix70/hw/installation/guide/515.html)
> says both the 4FE and 4FE-66 can be used with the unrestricted feature
> license. A maximum of 6 ports can be used (2 built-in plus the 4FE). On the
> 4FE the ports are numbered 2, 3, 4, 5 from left to right. The info for the
> 4FE
> (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080189f0a.html)
> says it is fine in the 515/515E.
>
> The VAC and VAC+ also can be used.
>
> 128MB RAM is enough for the features. Only the VAC appears to require at
> least v6.3
>
> It sounds right.
>
Thank you for setting me on the right path, John. For some reason, I
thought the ports were numbered right to left (thinking port 2 was
closest to the PCI slot). However, I learned something new today: it is
the other way around.
So now I have the DMZ port working with the 4FE-66 card.
Thanks for everyone's patience with me on this one. Again, you just have
to go back to the basics and think of what the simplest problem could
be.
Brian
------------------------------
Message: 2
Date: Sat, 19 Mar 2011 22:04:08 -0400
From: Brian Blater <brb.lists@gmail.com>
Subject: Re: [fw-wiz] PIX 515 7.1 vs: 8.0
To: "Christopher J. Wargaski" <wargo1@gmail.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<AANLkTimUeTef318d=9AwmKX50mXUGNooc8aB4q7vVE_-@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On Sat, Mar 19, 2011 at 3:41 PM, Christopher J. Wargaski
<wargo1@gmail.com> wrote:
> Brian--
> One of the things that the unrestricted license for a 515E does is allow
> more than 3 network interfaces. When you run the "sh ver" do you indeed see
> the UR license listed? Also, when you run "sh int" with the 4FE card
> installed, do you see all the interfaces? I do not think that the license
> needs to be upgraded or reapplied when upgrading to a new major PIX-OS
> release. However, I do not think that I have tried it. Here is a thought,
> save your config, wipe NVRAM and load 6.3(5) on to see if all 6 interfaces
> work.
> If you are unable to make the 4FE card work, you can always put the 1FE
> card in, trunk to a managed switch and use VLAN interfaces.
> Now that DHCP and routing have been addressed, is inbound and outbound
> traffic flowing on the inside and outside interfaces?
>
>
> cjw
Now that I've figured out which port is which on the 4FE-66 (see my
previous post) basically everything is working as expected.
One new question about this is if my inside interface is a security
100 and my dmz is a security 50 and I have no ACL defined on the
inside interface, how come a ping from the inside to a device on
the dmz does not work? The only ACLs on the inside are the implicit
rules any to any less secure and any any deny. Is it that I would need
to have an additional rule on the dmz to allow icmp from the inside to
the dmz?
Thank you for the help. If you can't tell, I know enough to be
dangerous, but certainly not enough to be a guru at this.
Brian
------------------------------
Message: 3
Date: Sat, 19 Mar 2011 14:41:52 -0500
From: "Christopher J. Wargaski" <wargo1@gmail.com>
Subject: Re: [fw-wiz] PIX 515 7.1 vs: 8.0
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<AANLkTikMpCeHA7HE49tQjpRKgzH1DDve9O82H2NXzkib@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Brian--
One of the things that the unrestricted license for a 515E does is allow
more than 3 network interfaces. When you run the "sh ver" do you indeed see
the UR license listed? Also, when you run "sh int" with the 4FE card
installed, do you see all the interfaces? I do not think that the license
needs to be upgraded or reapplied when upgrading to a new major PIX-OS
release. However, I do not think that I have tried it. Here is a thought,
save your config, wipe NVRAM and load 6.3(5) on to see if all 6 interfaces
work.
If you are unable to make the 4FE card work, you can always put the 1FE
card in, trunk to a managed switch and use VLAN interfaces.
Now that DHCP and routing have been addressed, is inbound and outbound
traffic flowing on the inside and outside interfaces?
cjw
------------------------------
Message: 4
Date: Sat, 19 Mar 2011 11:48:16 +0000
From: John Morrison <john.morrison101@gmail.com>
Subject: Re: [fw-wiz] PIX 515 7.1 vs: 8.0
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<AANLkTikmBjZZh5JUzK5N1eNH+r0cJ=xXhfGKktzg4qtG@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Brian,
The PIX guide (http://www.cisco.com/en/US/docs/security/pix/pix70/hw/installation/guide/515.html)
says both the 4FE and 4FE-66 can be used with the unrestricted feature
license. A maximum of 6 ports can be used (2 built-in plus the 4FE). On the
4FE the ports are numbered 2, 3, 4, 5 from left to right. The info for the
4FE (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080189f0a.html)
says it is fine in the 515/515E.
The VAC and VAC+ also can be used.
128MB RAM is enough for the features. Only the VAC appears to require at
least v6.3.
It sounds right.
On 17 March 2011 13:01, Brian Blater <brb.lists@gmail.com> wrote:
> On Tue, Mar 15, 2011 at 4:07 PM, Kevin Horvath <kevin.horvath@gmail.com>
> wrote:
> > 1) enable local buffer logging, manually add a host with IP on the
> > inside, then try to access something on the internet, and view your
> > logs for errors, view your connection table "show conn det", and your
> > xlate table to see where the issue is.
> >
> > 2) add a default route to the outside interface, everything else
> > appears directly connected so you don't need routes for those (you can
> > verify your route table with "sh route").
> >
> > 3) as someone mentioned, looks like you have dhcpd enabled for the dmz
> > and vonage interfaces and not the inside. Add an entry for the inside
> > as well.
> >
> > On Sat, Mar 12, 2011 at 12:54 AM, Christopher J. Wargaski
> > <wargo1@gmail.com> wrote:
> >> Hey Brian--
> >> Configuration-wise you should have no problems with 8.0 if you know 7.1.
> >> You appear to have NAT configured correctly. Your ACLs look good too. What
> >> I do not see are any route statements--do you have a default route set?
> >> Also, you should increase the message-length maximum to 4096 given the
> >> rollout of DNSsec.
> >>
> >> cjw
>
> Thank you for everyone's input. I've been working on this the last few
> days and this is what I've found so far.
>
> 1. DHCP for the inside is handled by a server on the inside network so
> I'm not using the FW for DHCP on the inside.
> 2. Default route - yes, the default route was not defined at the time
> I grabbed the config for the e-mail. It is defined now.
> 3. After being really puzzled by this issue I decided to go back to
> the basics and removed all the ACLs etc to make sure nothing was
> screwed up and as Christopher said, the config is correct.
> 4. Since #3 above didn't change anything I decided to pull the
> 4FE-PIX66 card and put in a 1FE card just to check everything. Lo and
> behold, the DMZ port worked without issue.
> 5. Figured the 4FE card was bad and got another one. Installed that in
> the PIX and it does not work either. With the 4FE installed if you
> look at the interface it shows the port down, but the config has the
> port active.
>
> So, now I'm wondering why the PIX I have will not support the 4FE
> card. The PIX is a 515E with the unrestricted license with 256M of
> memory. The PIX also has a VAC+. I've tried the 4FE in both slots and
> without the VAC+ card and it just refuses to work. I guess I could
> have 2 bad 4FEs, but I think that is unlikely.
>
> Can anyone think of what else I'm missing from the PIX that would
> cause the 4FE not to work at all?
>
> Thanks,
> Brian
------------------------------
Message: 5
Date: Sat, 19 Mar 2011 22:19:42 -0500
From: "Christopher J. Wargaski" <wargo1@gmail.com>
Subject: Re: [fw-wiz] PIX 515 7.1 vs: 8.0
To: Brian Blater <brb.lists@gmail.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<AANLkTikO3zbj6htN9bsiRjHS3jZmAG51jEVoNvWsBYHF@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hey Brian--
Pings going through work a little differently than other traffic like,
say, TCP. With TCP and UDP return traffic is implicitly allowed through the
PIX *if* the PIX can identify what "connection" or "session" it belongs to.
This is why you do not have to explicitly allow return traffic on the
outside interface.
That is not the case with ICMP. With ICMP, you must allow echo-replies on
the DMZ or outside interfaces. For example, on a PIX that only services
traffic originating from the inside interface to the outside interface, I
want ping and traceroute to work. So I have this ACL applied to the outside
interface.
access-list Inbound extended permit icmp any any echo-reply
access-list Inbound extended permit icmp any any time-exceeded
You would need to do the same with an ACL applied to the DMZ interface.
cjw
On Sat, Mar 19, 2011 at 9:04 PM, Brian Blater <brb.lists@gmail.com> wrote:
> On Sat, Mar 19, 2011 at 3:41 PM, Christopher J. Wargaski
> <wargo1@gmail.com> wrote:
> One new question about this is if my inside interface is a security
> 100 and my dmz is a security 50 and I have no ACL defined on the
> inside interface, how come a ping from the inside to a device on
> the dmz does not work? The only ACLs on the inside are the implicit
> rules any to any less secure and any any deny. Is it that I would need
> to have an additional rule on the dmz to allow icmp from the inside to
> the dmz?
>
> Thank you for the help. If you can't tell, I know enough to be
> dangerous, but certainly not enough to be a guru at this.
>
> Brian
>
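To make the distinction concrete, here is an added Python model (not from the thread and not Cisco code) of the forwarding decision cjw describes: the implicit higher-to-lower permit, the conn table that lets TCP/UDP return traffic back in, and ICMP echo-replies needing an explicit permit on the DMZ ACL. Interface security levels, addresses and the ACL subset are constructed assumptions.

```python
from dataclasses import dataclass, field
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}   # constructed levels (assumption)

@dataclass(frozen=True)
class Packet:
    iface: str            # ingress interface
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    icmp_type: str = ""   # "echo", "echo-reply", "time-exceeded", ...

@dataclass
class Pix:
    acls: dict = field(default_factory=dict)   # iface -> [(proto, icmp_type)] permits
    conns: set = field(default_factory=set)    # conn table: (proto, src, dst)

    def _acl_permits(self, pkt):
        # An applied ACL is a permit list ending in the implicit "deny any any".
        return any(p == pkt.proto and (p != "icmp" or t == pkt.icmp_type)
                   for p, t in self.acls.get(pkt.iface, []))

    def forward(self, pkt, egress):
        """True if the PIX forwards pkt out of `egress`."""
        # 1. Return half of a tracked TCP/UDP connection passes without any ACL.
        if pkt.proto != "icmp" and (pkt.proto, pkt.dst, pkt.src) in self.conns:
            return True
        # 2. An ACL on the ingress interface replaces the implicit rule;
        # 3. otherwise higher security may initiate towards lower, never the reverse.
        if pkt.iface in self.acls:
            allowed = self._acl_permits(pkt)
        else:
            allowed = SECURITY[pkt.iface] > SECURITY[egress]
        if allowed and pkt.proto != "icmp":     # ICMP gets no conn entry here
            self.conns.add((pkt.proto, pkt.src, pkt.dst))
        return allowed

def tcp_inside_to_dmz(pix):
    """SYN inside->dmz, then SYN/ACK back; returns (syn_ok, synack_ok)."""
    syn = pix.forward(Packet("inside", "tcp", "10.1.1.5", "10.2.2.5"), "dmz")
    synack = pix.forward(Packet("dmz", "tcp", "10.2.2.5", "10.1.1.5"), "inside")
    return syn, synack

def ping_inside_to_dmz(pix):
    """Echo inside->dmz, then echo-reply back; returns (echo_ok, reply_ok)."""
    echo = pix.forward(Packet("inside", "icmp", "10.1.1.5", "10.2.2.5", "echo"), "dmz")
    reply = pix.forward(Packet("dmz", "icmp", "10.2.2.5", "10.1.1.5", "echo-reply"), "inside")
    return echo, reply

DMZ_ACL = [("icmp", "echo-reply"), ("icmp", "time-exceeded")]  # cjw's permits, on the DMZ
```

On PIX 7.x and later the alternative, not raised in the thread, is ICMP inspection (inspect icmp in the global policy), which tracks echo/echo-reply pairs like connections and makes the DMZ permits unnecessary.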
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 56, Issue 5