firewall-wizards@listserv.icsalabs.com
Today's Topics:
1. Re: Multiple Outside IPs on Cisco PIX 6.3.3
(Christopher J. Wargaski)
2. Re: Cisco ASA firewall: SQLnet inspection: buffer limit
(Christopher J. Wargaski)
3. Re: Multiple Outside IPs on Cisco PIX 6.3.3 (Chris Myers)
----------------------------------------------------------------------
Message: 1
Date: Thu, 15 Jan 2009 14:53:46 -0600
From: "Christopher J. Wargaski" <wargo1@gmail.com>
Subject: Re: [fw-wiz] Multiple Outside IPs on Cisco PIX 6.3.3
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Cc: bryan@productiveconcepts.com
Message-ID:
<17065120901151253v1cdb28aei98dc2197857855be@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Josiah--
You cannot add secondary IP addresses or aliases to a PIX interface; you need to use static NAT mappings to use the other public IP addresses. All of the addresses must be in the same subnet, too. So you can have:
ip address outside 4.147.128.90 255.255.255.248
static (inside,outside) tcp 4.147.128.91 smtp 192.168.20.12 smtp netmask 255.255.255.255
static (inside,outside) tcp 4.147.128.91 https 192.168.20.12 https netmask 255.255.255.255
static (inside,outside) tcp 4.147.128.92 smtp 192.168.20.25 smtp netmask 255.255.255.255
The PIX will take care of proxy ARP for you.
You can NOT have:
ip address outside 4.147.128.90 255.255.255.248
static (inside,outside) tcp 5.147.128.91 smtp 192.168.20.12 smtp netmask 255.255.255.255
static (inside,outside) tcp 5.147.128.91 https 192.168.20.12 https netmask 255.255.255.255
static (inside,outside) tcp 6.147.128.92 smtp 192.168.20.25 smtp netmask 255.255.255.255
On Tue, Jan 13, 2009 at 11:01 AM, Josiah Bryan <jbryan@productiveconcepts.com> wrote:
> Rather new to the advanced pix configs - I've been doing basic pix
> config/maint for the past 3 years.
>
> I've got 13 public IPs that are coming in thru a cable modem to my PIX. The
> first IP is routing correctly, but I can't seem to figure out how to get the
> PIX to accept any of the other IPs that I've bought.
>
> Now, I'm used to the linux (redhat background) method of adding an alias to
> an interface, eg:
> ifconfig eth0:0 1.2.3.4
> ifconfig eth0:1 5.6.7.8
> .. and so on and so forth.
>
> Basically, is an equivalent operation possible with the PIX? (Running PIX
> ver 6.3(3))
>
> (Of course, I'd like to be able to do static translation based on incoming
> IP, but I think I've got that line covered: "static (inside,outside) tcp
> 1.2.3.4 smtp 10.0.1.51 smtp netmask 255.255.255.255 0 0").
>
> How do I add multiple "aliases" (for lack of a better term) to the outside
> interface?
>
> Thanks in advance for your patience and advice.
>
> Regards,
> Josiah Bryan
>
> --
> Josiah Bryan
> IT Manager
> Productive Concepts, Inc.
> jbryan@productiveconcepts.com
> (765) 964-6009, ext. 224
>
>
------------------------------
Message: 2
Date: Thu, 15 Jan 2009 14:42:07 -0600
From: "Christopher J. Wargaski" <wargo1@gmail.com>
Subject: Re: [fw-wiz] Cisco ASA firewall: SQLnet inspection: buffer
limit
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Cc: roman@jct.ac.il
Message-ID:
<17065120901151242i1b9e170crdd3bd3deff1992d2@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hello--
Try disabling the inspection.
policy-map global_policy
 class inspection_default
  no inspect sqlnet
Your policy-map name and class name may be different.
On Thu, Jan 15, 2009 at 5:27 AM, Haim [Howard] Roman <roman@jct.ac.il> wrote:
> Some friends have a Cisco ASA firewall, firmware version 8.0.4. Behind the
> firewall is an Oracle database.
>
> This firewall has an SQLnet inspection feature. However, the packet
> reassembly buffer has a limit of 8 kbytes. Many of the SQL queries are
> bigger than this, and they get blocked. Is there a way to increase this?
> (not sure how big they need to be). In the meantime, they have to disable this
> feature.
>
> Thanks
>
> --
> -------------------------------------------------
> Haim (Howard) Roman
> Computer Center, Jerusalem College of Technology
> roman@jct.ac.il
>
------------------------------
Message: 3
Date: Thu, 15 Jan 2009 18:18:40 -0600
From: Chris Myers <clmmacunix@charter.net>
Subject: Re: [fw-wiz] Multiple Outside IPs on Cisco PIX 6.3.3
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: firewall-wizards@listserv.cybertrust.com
Message-ID: <311A9755-B9D3-4F3E-BB1F-E5CA7DBA56D8@charter.net>
Content-Type: text/plain; charset="us-ascii"; Format="flowed";
DelSp="yes"
Josiah,
What is the subnet mask on your outside IP address on the interface?
Are they part of the IP scheme for the outside interface of your
modem? If the subnet mask includes your range of addresses then you
can just create the statics and ACLs and the firewall will do its
job. I am assuming the subnet mask is a /28 or 255.255.255.240, since
you said you had 13 addresses. If it is not part of the subnet on the
outside interface of your modem and you are getting a single host via
DHCP, then you can still make this happen as the PIX uses what is
called floating statics, but you will have to have your ISP put routes
in pointing your new IPs to your modem. The firewall will take care
of the rest with your statics and ACLs.
Thank You,
Chris Myers
clmmacunix@charter.net
John 1:17
For the Law was given through Moses; grace and truth were realized
through Jesus Christ.
Go Vols!!!!
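As an added example (not code from either poster) that ties together Wargaski's same-subnet rule and Myers' subnet-mask question: a small Python check that reads the outside interface's `ip address` line and every `static` mapped onto `outside` from a PIX 6.3 config, and sorts each global address by whether it falls inside the outside subnet (so the PIX can proxy ARP for it) or not (so it would need the ISP to route it to the box, as Myers describes). The config fragment is constructed for the example.

```python
import ipaddress

# Constructed sample of a PIX 6.3 config (not the poster's real config):
# a /29 on the outside interface, three statics inside that block and one
# whose global address sits in a different network.
SAMPLE_CONFIG = """\
ip address outside 4.147.128.90 255.255.255.248
static (inside,outside) tcp 4.147.128.91 smtp 192.168.20.12 smtp netmask 255.255.255.255
static (inside,outside) tcp 4.147.128.91 https 192.168.20.12 https netmask 255.255.255.255
static (inside,outside) 4.147.128.92 192.168.20.25 netmask 255.255.255.255
static (inside,outside) tcp 5.147.128.91 smtp 192.168.20.12 smtp netmask 255.255.255.255
"""


def parse_static(line):
    """Return (real_if, mapped_if, global_ip) from a PIX 'static' line.

    Handles both forms: 'static (a,b) GLOBAL LOCAL netmask M' and the
    port-forward form 'static (a,b) tcp|udp GLOBAL GPORT LOCAL LPORT netmask M'.
    """
    tok = line.split()
    real_if, mapped_if = tok[1].strip("()").split(",")
    i = 2
    if tok[i] in ("tcp", "udp"):  # port static: skip the protocol keyword
        i += 1
    return real_if, mapped_if, tok[i]


def check_outside_statics(config_text):
    """Bucket every static mapped onto 'outside' by whether its global
    address lies in the outside interface's own subnet (proxy ARP works)
    or not (the PIX will not answer ARP for it; the ISP must route it in).
    Assumes the 'ip address outside' line precedes the statics, as it does
    in a saved PIX config."""
    outside_net = None
    result = {"outside": None, "proxy_arp": [], "needs_isp_route": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("ip address outside "):
            _, _, _, addr, mask = line.split()
            outside_net = ipaddress.ip_interface(f"{addr}/{mask}").network
            result["outside"] = str(outside_net)
        elif line.startswith("static "):
            _, mapped_if, glob = parse_static(line)
            if mapped_if != "outside":
                continue
            in_subnet = outside_net is not None and ipaddress.ip_address(glob) in outside_net
            result["proxy_arp" if in_subnet else "needs_isp_route"].append(glob)
    return result


if __name__ == "__main__":
    for key, value in check_outside_statics(SAMPLE_CONFIG).items():
        print(key, value)
```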
------------------------------
End of firewall-wizards Digest, Vol 33, Issue 4