RE: VPN and NAT
You should be OK as long as you do static NAT (1-to-1 mapping) and don't use AH (protocol 51, I think). AH takes an MD5 snapshot of the packet, so when the packet gets its IP changed (by NAT) it fails the crypto checksum test. Also you will need to pass UDP 500 and protocol 50 (ESP; not port 50) to and from both VPN peers.

-Original Message-
From: James Drake [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 08, 2002 10:03
To: [EMAIL PROTECTED]
Subject: VPN and NAT

I've been told that I cannot have NAT running on the router before the firewall if I want VPN functionality. Is there anyone who might be able to explain the reason for this?

Thanks,
James

___
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
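Why AH fails behind NAT while ESP survives, as an added toy model in Python (not code from the original post or from any IPsec implementation). AH's integrity check covers the outer IP header, with only the fields that legitimately change in transit (TTL, header checksum) counted as zero; the addresses are not mutable, so a NAT rewrite breaks the ICV. ESP's integrity check covers only the ESP header and payload. The key, packet contents and addresses below are constructed, and the HMAC-MD5-96 truncation follows RFC 2403 only as an illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-demo-integrity-key"  # assumption: the peers' shared integrity key


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # 51 = AH, 50 = ESP
    ttl: int
    payload: bytes  # AH: upper-layer data; ESP: ESP header + ciphertext


def _ah_covered_bytes(pkt: Packet) -> bytes:
    # AH covers the immutable IP header fields (addresses, protocol) and the
    # payload; mutable fields such as TTL are treated as zero (b"\x00").
    return b"|".join([pkt.src.encode(), pkt.dst.encode(),
                      bytes([pkt.proto]), b"\x00", pkt.payload])


def ah_icv(pkt: Packet) -> bytes:
    return hmac.new(KEY, _ah_covered_bytes(pkt), hashlib.md5).digest()[:12]


def esp_icv(pkt: Packet) -> bytes:
    # ESP authenticates only its own header and payload, never the outer IP header.
    return hmac.new(KEY, pkt.payload, hashlib.md5).digest()[:12]


def static_nat(pkt: Packet, public_src: str) -> Packet:
    """Static 1:1 NAT: rewrite the source address and decrement the TTL."""
    return replace(pkt, src=public_src, ttl=pkt.ttl - 1)


def receiver_accepts(pkt_on_wire: Packet, icv_from_sender: bytes, use_ah: bool) -> bool:
    expected = ah_icv(pkt_on_wire) if use_ah else esp_icv(pkt_on_wire)
    return hmac.compare_digest(expected, icv_from_sender)


def ah_survives_nat(pkt: Packet, public_src: str) -> bool:
    """Sender computes the AH ICV, NAT rewrites the packet, receiver verifies."""
    return receiver_accepts(static_nat(pkt, public_src), ah_icv(pkt), use_ah=True)


def esp_survives_nat(pkt: Packet, public_src: str) -> bool:
    return receiver_accepts(static_nat(pkt, public_src), esp_icv(pkt), use_ah=False)


def ipsec_passthrough_rules(peer_a: str, peer_b: str):
    """The holes the reply lists, as (ip-proto, port-or-None, src, dst) tuples."""
    rules = []
    for a, b in ((peer_a, peer_b), (peer_b, peer_a)):
        rules.append(("udp", 500, a, b))   # IKE
        rules.append((50, None, a, b))     # ESP is IP protocol 50, not a port
    return rules


if __name__ == "__main__":
    p = Packet("10.0.0.5", "198.51.100.9", 51, 64, b"constructed payload")
    print("AH  survives static NAT:", ah_survives_nat(p, "203.0.113.5"))
    print("ESP survives static NAT:", esp_survives_nat(p, "203.0.113.5"))
```

Rewriting only the TTL leaves the AH check intact, which is the difference between a mutable and an immutable header field; rewriting the address does not. Port translation (PAT) is a further problem for ESP, which has no ports, and is outside what this model shows.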
Re: VPN-Connection to PIX 515
Are you saying the client was able to connect but then would get disconnected after being logged on to the network? Sounds like you may be dropping packets somewhere. Have you looked for interface errors on the PIX, or maybe the uplink? BTW, using the Cisco client and making the users use a terminal server works just fine.

--- Chris Hessmann [EMAIL PROTECTED] wrote:

Hello,

I'm trying to make a VPN connection to a Cisco PIX 515. I know the PIX is configured correctly; the Cisco VPN Client is able to connect. Unfortunately, that client is not able to keep up a local connection when establishing the VPN, and as I would like to use the VPN client on a Windows Terminal Server, I need the local LAN during the VPN connection. (AFAIK it could be possible with a concentrator, but I would need a few hundred concentrators for all the PIXes I have to connect to, and that's not an option.)

I looked for other VPN clients and found SSH Sentinel (1.2 / 1.3 Beta 1/2). This seems to be a nice program, and I think it is able to keep up the local LAN, but I wasn't able to establish the VPN connection. The SSH Sentinel log says timeout (after 5 retransmissions of a phase-1 packet); the debug output of the PIX gives me (every time SSH Sentinel retransmits):

reserved not zero on payload 5!

Does anyone know this error or has any idea what this could mean?

Thanks for any help.

--
cu Chris
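The PIX debug line quoted above reads like a strict ISAKMP (IKEv1) parser rejecting a payload whose RESERVED byte is not zero. As an added example (not code from the original post, SSH Sentinel or the PIX), the Python below walks the payload chain of an ISAKMP message per RFC 2408, where every payload starts with a 4-byte generic header (Next Payload, RESERVED which must be zero, Payload Length) and payload type 5 is the Identification payload. The two messages it checks are constructed, not captured traffic, and the reading of "payload 5" as the type number is an assumption.

```python
import struct

ISAKMP_HEADER_LEN = 28  # 2 cookies (8+8), next, version, exchange, flags, msg id, length
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}


def parse_isakmp(msg: bytes):
    """Return ([(type, reserved, length), ...], [problem strings]) for one message."""
    if len(msg) < ISAKMP_HEADER_LEN:
        raise ValueError("short ISAKMP header")
    (_icookie, _rcookie, next_payload, _version, _exchange, _flags,
     _msg_id, total_len) = struct.unpack("!8s8sBBBBII", msg[:ISAKMP_HEADER_LEN])
    problems = []
    if total_len != len(msg):
        problems.append(f"header length {total_len} != {len(msg)} bytes on the wire")
    payloads = []
    off = ISAKMP_HEADER_LEN
    while next_payload != 0:
        if off + 4 > len(msg):
            problems.append(f"truncated payload header at offset {off}")
            break
        ptype = next_payload
        next_payload, reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            problems.append(f"bad length {plen} on payload {ptype}")
            break
        if reserved != 0:   # RFC 2408: RESERVED MUST be zero; a strict peer drops the message
            problems.append(f"reserved not zero on payload {ptype} "
                            f"({PAYLOAD_NAMES.get(ptype, '?')}) at offset {off}")
        payloads.append((ptype, reserved, plen))
        off += plen
    return payloads, problems


def build_message(payloads):
    """Assemble a constructed main-mode message from [(type, reserved, body_bytes)]."""
    body = b""
    for i, (ptype, reserved, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, reserved, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    # version 0x10 = 1.0, exchange type 2 = Identity Protection (main mode)
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10, 2, 0, 0,
                         ISAKMP_HEADER_LEN + len(body))
    return header + body


# Constructed messages: an SA payload followed by an ID payload (type 5).
# In BAD the ID payload's RESERVED byte is 0x01 instead of 0x00.
ID_BODY = b"\x01\x00\x00\x00\x0a\x00\x00\x01"   # ID_IPV4_ADDR 10.0.0.1, constructed
GOOD = build_message([(1, 0, b"\x00" * 8), (5, 0, ID_BODY)])
BAD = build_message([(1, 0, b"\x00" * 8), (5, 1, ID_BODY)])

if __name__ == "__main__":
    for name, msg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, parse_isakmp(msg))
```

Run against a real capture, the parser tells you which payload carries the stray bit; the fix is on the side that emits it, not on the PIX.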
Re: Proxy vs stateful... oh no, not again :) (Was: Re: MigrationfromGauntlet 5 to Firewall-1)
*plug* OpenBSD's PF can do this also (see modulate state). *plug*

--- Rafi Sadowsky wrote:

AFAIK the Cisco PIX will randomize TCP ISN numbers. What makes yours unique?

Thanks,
Rafi

--
Rafi Sadowsky [EMAIL PROTECTED]
Network Operations Center | VoiceMail: +972-3-646-0592 FAX: +972-3-646-0454
ILAN - IUCC - I2 (Israel) | FIRST-REP ILAN-CERT ([EMAIL PROTECTED])
(Israeli Academic Network) | (PGP key - ) http://telem.openu.ac.il/~rafi
RE: PIX conduit vs access lists
What IKE daemon does NetBSD use? If it's isakmpd I may be able to help you out with it.

--- [EMAIL PROTECTED] wrote:

Does anyone know how to set up a VPN between PIX and NetBSD?

Mil
- You never know how many friends you have until you rent a place at the beach

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Thoreson
Sent: Monday, April 08, 2002 6:03 PM
To: '[EMAIL PROTECTED]'
Subject: PIX conduit vs access lists

Does anyone have any opinions on the use of access lists vs conduits on the PIX? Cisco seems to be pushing access lists in their newer PIX OS releases. One thing I have noticed is that with conduits, the PIX will implicitly allow all traffic from a higher to a lower security level. For example, if I have a machine in my DMZ, security50, that wants to browse the web on the outside, security0, this is automatically allowed without the use of a conduit statement. If I use an access-list on my DMZ interface, with holes from the outside to the DMZ, or from the DMZ to the inside, I will not be able to have this DMZ machine browse the web unless I have an access-list statement on the DMZ allowing it through to the outside on port 80. There isn't the implicit allow of all traffic from higher to lower security that the conduit has. Unless I'm missing something, access lists create more work. Does anybody have any opinions on one or the other?

Thanks,
Matt
Re: PIX and OSPF updates
Just an FYI, BGP seems to be about the only protocol you can pass through a PIX without some nasty GRE tunnel.

--- Jason Ostrom [EMAIL PROTECTED] wrote:

Burke,

What have you attempted so far in order to resolve this, and on which devices, the PIX or the upstream/downstream router?

The PIX doesn't support dynamic routing protocols such as OSPF, only static/default routes. To me this would seem good, so the PIX is dedicated to security (stateful inspection/packet filtering) and the router is allowed to make the intelligent routing decisions. In order to allow the OSPF updates to pass through the PIX, you need to configure the routers to redistribute [1] the static routes received from the PIX into OSPF. Concentrate on what is being received from the PIX on the routers, and less on the PIX configuration.

Without more information on the network topology and security requirements, it's difficult to say for sure what you need to do on the other routers. You could do a configuration like this [2] for two networks to connect between the PIX, but that is for a static route on the routers. If you go with OSPF, then you definitely need to redistribute. Because it only uses static routes, the suggested configuration also begs the question of why you need the PIX placed between possibly two different OSPF areas. Shouldn't the PIX be placed closer to the network you are protecting?

[1] Redistributing Routing Protocols, http://www.cisco.com/warp/public/105/redist.html
[2] Configuring the PIX Firewall with Two Internal Networks, http://www.cisco.com/warp/public/110/19b.html

-jason

On Fri, 29 Mar 2002, Burke McCrory wrote:

I am trying to put a PIX into a network that uses OSPF between its routers. So far I haven't been able to find a way to allow the OSPF updates to pass through the PIX. Does anyone have any ideas or suggestions? Thanks.

Burke McCrory
Internet Administrator
Oklahoma Tax Commission
[EMAIL PROTECTED]
RE: PIX and OSPF updates
The only routing protocol that is :) D'oh!

--- Claussen, Ken [EMAIL PROTECTED] wrote:

According to Cisco documentation:

PIX Firewall does not pass multicast packets. Many routing protocols use multicast packets to transmit their data. If you need to send routing protocols across the PIX Firewall, configure the routers with the Cisco IOS software neighbor command. We consider it inherently dangerous to send routing protocols across the PIX Firewall. If the routes on the unprotected interface are corrupted, the routes transmitted to the protected side of the firewall will pollute routers there as well.

Table 1-2: Protocol Literal Values

Literal  Value  Description
ah        51    Authentication Header for IPv6, RFC 1826
eigrp     88    Enhanced Interior Gateway Routing Protocol
esp       50    Encapsulated Security Payload for IPv6, RFC 1827
gre       47    General Routing Encapsulation
icmp       1    Internet Control Message Protocol, RFC 792
igmp       2    Internet Group Management Protocol, RFC 1112
igrp       9    Interior Gateway Routing Protocol
ip         0    Internet Protocol
ipinip     4    IP-in-IP encapsulation
nos       94    Network Operating System (Novell's NetWare)
ospf      89    Open Shortest Path First routing protocol, RFC 1247
pcp      108    Payload Compression Protocol
snp      109    Sitara Networks Protocol
tcp        6    Transmission Control Protocol, RFC 793
udp       17    User Datagram Protocol, RFC 768

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/intro.htm

Even Cisco agrees it is inherently a dangerous proposition to pass dynamic routing protocols through a security device. However, if it is between two internal interfaces, say DMZ1 and DMZ2, then the risk can be mitigated to a degree, although there should be a very valid reason for configuring a device as such. Using the above protocol values a conduit or ACL can be created to allow OSPF to pass, in conjunction with the neighbor statement. Perform the configuration at your own risk; you have been warned.

As I said before, I would highly recommend using separate areas and distribute lists to control route advertisement between the segments.

HTH.

Ken Claussen MCSE CCNA CCA
In theory it should work as you describe, but the difference between theory and reality is the truth! For this we all strive.

-Original Message-
From: bob bobing [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 29, 2002 4:26 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX and OSPF updates

Just an FYI, BGP seems to be about the only protocol you can pass through a PIX without some nasty GRE tunnel.

--- Jason Ostrom [EMAIL PROTECTED] wrote:
[...]
Re: PIX vs BSD
Well, so far there are 3 mainstream firewall packages for BSD (that ship with the OS):

IPFW (ip firewall)
IPF (ip filter)
PF (packet filter)

IPFW comes with FreeBSD. IPF runs on any BSD (Free, Net, Open*, BSD/OS). PF comes with OpenBSD. My own taste would be ipf, but I really like some of the options in pf (modulate state will do the same thing as the PIX with seq. numbers, as an example).

* You need to install IPF yourself on OpenBSD.

Here is a small list of stuff to help you out on which to pick.

man pages for each:
man ipf (ipfilter)
man ipnat (ipfilter)
man ipfw (ip firewall)
man natd (ip firewall)
man pfctl (packet filter)

Some howtos so you can read up on each:
http://www.obfuscation.org/ipf/
http://www.deadly.org/pf-howto/
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

--- Peter Trifonov [EMAIL PROTECTED] wrote:

Hello everybody!

I am considering replacement of the Cisco PIX 515 (Restricted) firewall in a small corporate network with a *BSD software firewall. Can anybody tell me how closely one can approximate the PIX's functionality with BSD?

With best regards,
P. Trifonov
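Both this message and the earlier "modulate state" plug in the proxy-vs-stateful thread say pf's modulate state does for sequence numbers what the PIX does. As an added example (a Python model written for this page, not code from pf, OpenBSD or the PIX), the class below shows the mechanism: the firewall picks a random 32-bit offset per connection when it sees the SYN, adds it to sequence numbers leaving the protected host and subtracts it from acknowledgement numbers coming back, so a peer only ever sees strong sequence numbers even if the host behind the firewall picks predictable ones. Addresses, ports and the weak ISN are constructed.

```python
import secrets

MOD = 1 << 32   # TCP sequence space


class SeqModulator:
    """Per-connection random sequence offset, applied symmetrically in both directions."""

    def __init__(self, rng=secrets.randbits):
        self._rng = rng          # rng(32) -> a fresh 32-bit offset
        self._offsets = {}       # (src, sport, dst, dport) -> offset

    def outbound(self, src, sport, dst, dport, seq, syn=False):
        """Packet leaving the protected host: create state on SYN, rewrite SEQ."""
        key = (src, sport, dst, dport)
        if syn:
            self._offsets[key] = self._rng(32)
        if key not in self._offsets:
            raise KeyError("no state for this connection; the packet would be dropped")
        return (seq + self._offsets[key]) % MOD

    def inbound(self, src, sport, dst, dport, ack):
        """Reply from the peer: undo the rewrite on its ACK so the host sees its own numbers."""
        key = (dst, dport, src, sport)   # state is keyed on the outbound direction
        if key not in self._offsets:
            raise KeyError("no state for this connection; the packet would be dropped")
        return (ack - self._offsets[key]) % MOD


def demo(weak_isn=1000, rng=secrets.randbits):
    """One handshake through the modulator. Returns (SEQ the peer sees, ACK the host sees)."""
    fw = SeqModulator(rng)
    host, port, peer, pport = "10.0.0.5", 40000, "198.51.100.9", 80   # constructed
    seen_by_peer = fw.outbound(host, port, peer, pport, weak_isn, syn=True)
    peer_ack = (seen_by_peer + 1) % MOD            # peer acknowledges ISN+1
    ack_seen_by_host = fw.inbound(peer, pport, host, port, peer_ack)
    return seen_by_peer, ack_seen_by_host


if __name__ == "__main__":
    seq, ack = demo()
    print(f"host ISN 1000 -> peer sees {seq}; peer's ACK -> host sees {ack}")
```

The test below pins the random source so the arithmetic can be checked, including wraparound at 2^32. A real implementation also has to age out state and rewrite anything else that carries sequence numbers, which this model leaves out.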
Re: PIX vs BSD
Care to explain your statement?

You can't make it do the _same_ stateful inspection as the PIX does, and you can't make it achieve the same performance without using a more powerful machine.
Re: PIX vs BSD
Still waiting :) Just wondering where you are going with this.

--- bob bobing [EMAIL PROTECTED] wrote:

Care to explain your statement?

You can't make it do the _same_ stateful inspection as the PIX does, and you can't make it achieve the same performance without using a more powerful machine.
RE: Gauntlet NAT issues
2. OK, problem here. Gauntlet NT (and only NT) can't bind proxies to IPs. This really hoses the whole proxy formula, I think :).

--- Ben Nagy [EMAIL PROTECTED] wrote:

OK, a couple of quick points...

1. Gauntlet 5.5 on NT is unstable and weird. Try reinstalling the product from scratch - it may well start working as you expect. No, I am not joking.

2. The idea about Gauntlet is that you _don't_ use NAT. It's a proxy firewall. Have a good long think about your config and see if you can get it working without any NAT rules - you'll probably find that it works much better.

Cheers,
--
Ben Nagy
Network Security Specialist
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew Thomas
Sent: Wednesday, March 06, 2002 3:13 AM
To: [EMAIL PROTECTED]
Subject: Gauntlet NAT issues

Hi,

We are running Gauntlet 5.5 on Win NT 4.0 SP5 + hotfixes coming out of our ears. I am at present having issues setting up static NAT. Dynamic NAT runs 100%. The static rule we are using is local IP: 192.168.x.151, global IP: x.x.x.105, with the global interface set to external (untrusted). The .105 IP address is bound to the correct card. I can ping the IP from a remote (Internet side) machine, but when I try to connect to e.g. the mail service via telnet, it times out (i.e. no connection refused). If anyone can give any pointers on how to do further troubleshooting on this, please let me know.

Take care,
Andrew Thomas
RE: Gauntlet NAT issues
No, I'm talking about binding a proxy (let's take http-gw) to just the internal IP address, so that you can bind other proxies (that will act differently) on the outside interface (port 80/443 as an example again). But like you said, it's old and unsupported.

--- Ben Nagy [EMAIL PROTECTED] wrote:

Leaving aside the fact that 5.5NT is unsupported and a version old, I never had any problems getting basic proxy operation to work. Are you talking about binding to IP addresses that aren't the same as the external NIC of the box? If so, I really distantly recall that it might be a (lack of) ARP response issue which could be worked around by hardcoding the MAC address of the other IP(s) in the gateway router. Then again, it's a long time since I've worked on or with a 5.5NT box (for good reason!)...

Cheers,
--
Ben Nagy
Network Security Specialist
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of bob bobing
Sent: Wednesday, March 06, 2002 12:04 PM
To: [EMAIL PROTECTED]
Subject: RE: Gauntlet NAT issues

2. OK, problem here. Gauntlet NT (and only NT) can't bind proxies to IPs. This really hoses the whole proxy formula, I think :).
[...]
Re: Why netscreen instead of say sonicwall
Netscreen's performance should be examined in the real network, as it shows quite different performance.

What do you mean by this? Do you mean it's slower or faster (yeah, right) than what they (being Netscreen) say?

--- Pico GOH [EMAIL PROTECTED] wrote:

Netscreen is quite a simple firewall; it is more or less a network device, not an intelligent firewall... If you need it for the SOHO, the mid-range firewalls are almost the same in performance. Netscreen's performance should be examined in the real network, as it shows quite different performance. All of their products' performance is different from what they advertise. The next-generation firewall is now on the way and it is built based on the network processor. Still, SW-based firewalls work fine; ASIC firewalls are a wee bit better in performance (but with A LOT OF LIMITS); network-processor-based firewalls show true wire speed regardless of packet size. Although Firewall-1 is old, its flexibility is quite well designed (incomparable), and the recognition of Check Point is still there (still King of Firewalls)... Please don't be confused by the brand name of the firewall... wire speed is not what they say on paper and in the labs.

More questions...
RE: netscreen dip question.
The vendor that is connected to the DMZ doesn't want to add routes to my private IPs (172.25.x.x). The DMZ network has a non-private address range (yes, one that we own) on it. This way the vendor only needs to add routes to the DMZ network, and we handle the rest. 10-4?

--- [EMAIL PROTECTED] wrote:

On 26 Feb 2002, at 6:51, Dell, Jeffrey wrote:

This is a code issue. With version 3.1 you will be able to do this, but currently 3.1 is only for the Netscreen-25 and 50.

-Original Message-
From: bob bobing [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 2:04 AM
To: [EMAIL PROTECTED]
Subject: netscreen dip question.

Well, after almost a week of playing phone tag with Netscreen support I'm going to ask here, because I still don't have any answer. Using a Netscreen 10, is there any way to set up a MIP on the DMZ? To the rest of the world this means a static NAT (Netscreen must have asked the Linux folks for some names they dropped over masquerading (yes, that was a joke)). Basically I want to statically NAT 2 IPs on the DMZ segment to 2 IPs on the internal network. On 2.6.x this doesn't seem to be an option. Is this just a code issue, or is it a Netscreen-10 issue?

Bob,

I've been trying to grasp what it is that you're trying to do, and why, and failing. Apparently, I don't understand the problem that this would solve. On the off chance that I might not be the only one on this list with such a difficulty, could I ask that you briefly describe the issue, and why this would be a good way to handle it?

DG
RE: netscreen dip question.
You would think that someone in support would have known this, and could have left me a voice mail saying that. Thanks!

--- Dell, Jeffrey [EMAIL PROTECTED] wrote:

This is a code issue. With version 3.1 you will be able to do this, but currently 3.1 is only for the Netscreen-25 and 50.

-Original Message-
From: bob bobing [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 2:04 AM
To: [EMAIL PROTECTED]
Subject: netscreen dip question.

Well, after almost a week of playing phone tag with Netscreen support I'm going to ask here, because I still don't have any answer. Using a Netscreen 10, is there any way to set up a MIP on the DMZ?
[...]
netscreen dip question.
Well, after almost a week of playing phone tag with Netscreen support I'm going to ask here, because I still don't have any answer. Using a Netscreen 10, is there any way to set up a MIP on the DMZ? To the rest of the world this means a static NAT (Netscreen must have asked the Linux folks for some names they dropped over masquerading (yes, that was a joke)). Basically I want to statically NAT 2 IPs on the DMZ segment to 2 IPs on the internal network. On 2.6.x this doesn't seem to be an option. Is this just a code issue, or is it a Netscreen-10 issue?
Re: stuck with FreeBSD and Ipfilter
Please paste the output of ipfstat -i -h and ipnat -l, and the contents of your ipf rules file and ipnat rules file. Just an FYI, ipnat happens before ipf, so your rules need to be written post-NAT.

--- irado furioso com tudo [EMAIL PROTECTED] wrote:

Bruno Fernandes wrote:

note: even changing rules a lot, I am unable to do this. Then I just tried to 'block everything for that machine':

:=== begin
block in quick from any to 192.168.1.89
block out quick from any to 192.168.1.89
block in quick from 192.168.1.89 to any
:===

but nmap (from the DMZ) still shows open ports 22 and 53 on this machine. How to effectively BLOCK every packet from the DMZ to the internal LAN?? :o(

You have run nmap from the DMZ?

Yes, I did.

--
Greetings,
Irado Furioso com Tudo
Linux (SuSE) User 179402
Torture is always an instrument of the state, of parents, of teachers... someone always imagines they have power over the others. Long live anarchy!!!
Re: stuck with FreeBSD and Ipfilter
That is really odd; your ipf.rules file doesn't match your ipfstat -i -h. I don't see any 192.168.1.89 in your file, and yet it's in your ipfstat table. :/

Well, at any rate, your ipf.rules file is a mess. I would try to rewrite them; Bruno Fernandes has some great examples (seems to have left out the ftp proxy :) ). It's very important that your filter rules are easy to understand, so that you don't make a mistake and allow something you didn't want to allow.

One more thing: ipf takes the LAST hit (unless a quick statement is used), so you could say:

#Generic block everything.
block in from any to any
block out from any to any
block in proto $proto from any to any flags $badpackets
#allow this stuff.
pass out from $inside to $outside keep state
pass out from $inside to $dmz keep state

etc etc, so if a packet comes in that doesn't match a pass rule it should get blocked (block was the only match).

Also check this out: http://www.obfuscation.org/ipf/ (also look for proxy ftp on this page; it's part of ipnat). ipfstat -i -h can be very helpful also, and watch ipmon when using the log statement; it will tell you the pass/block rule number (again very helpful).

--- irado furioso com tudo [EMAIL PROTECTED] wrote:

bob bobing wrote:

Please paste the output of ipfstat -i -h and ipnat -l, and the contents of your ipf rules file and ipnat rules file. Just an FYI, ipnat happens before ipf, so your rules need to be written post-NAT.
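The two ipf behaviours bob's replies lean on, written out as an added Python model (not IP Filter's code, and not the poster's rules): on the inbound path ipnat's rdr translation runs before the filter, so a rule that names the external address never matches a redirected packet, and without "quick" the last matching rule wins. The rdr entry, rule sets and packet are constructed for the demonstration; the rule syntax is a simplified stand-in for ipf's.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "block" or "pass"
    direction: str               # "in" or "out"
    src: str                     # "any" or an address/CIDR
    dst: str
    quick: bool = False          # ipf "quick": stop at this rule if it matches
    proto: Optional[str] = None
    dport: Optional[int] = None


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Pkt, direction: str) -> bool:
    return (rule.direction == direction
            and _addr_ok(rule.src, pkt.src)
            and _addr_ok(rule.dst, pkt.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def apply_rdr(rdr_rules, pkt: Pkt) -> Pkt:
    """ipnat 'rdr' on an inbound packet: rewrite the destination before filtering."""
    for ext_addr, ext_port, internal in rdr_rules:
        if pkt.dst == ext_addr and pkt.dport == ext_port:
            return replace(pkt, dst=internal)
    return pkt


def filter_inbound(rules, rdr_rules, pkt: Pkt, default="block"):
    """Returns (decision, index of the rule that decided, packet as the filter saw it)."""
    seen = apply_rdr(rdr_rules, pkt)           # NAT first on the inbound path
    decision, hit = default, None
    for i, r in enumerate(rules):
        if rule_matches(r, seen, "in"):
            decision, hit = r.action, i        # last match wins ...
            if r.quick:
                break                          # ... unless the rule is quick
    return decision, hit, seen


# Constructed scenario: external 203.0.113.10:22 is redirected to 192.168.1.89.
RDR = [("203.0.113.10", 22, "192.168.1.89")]
PKT = Pkt("10.1.1.5", "203.0.113.10", "tcp", 22)   # from the DMZ to the external address
RULES = [
    Rule("block", "in", "any", "203.0.113.10", quick=True),        # never matches post-rdr
    Rule("pass", "in", "any", "192.168.1.0/24", proto="tcp"),
    Rule("block", "in", "any", "192.168.1.89"),                    # last match: wins
]
RULES_QUICK_PASS = [RULES[0], replace(RULES[1], quick=True), RULES[2]]

if __name__ == "__main__":
    print(filter_inbound(RULES, RDR, PKT))
    print(filter_inbound(RULES_QUICK_PASS, RDR, PKT))
```

With the rdr in place the filter sees 192.168.1.89 as the destination, so only rules written against the internal address can catch the packet; making the pass rule quick lets it win even though a block follows it, which is exactly the kind of surprise bob warns about when rules are hard to read.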
RE: PIX 501, PAT and PASV...
I seem to remember seeing that 6.x had support for port redirecting; have you looked for/at this?

--- Noonan, Wesley [EMAIL PROTECTED] wrote:

As soon as I add a static mapping (for whatever reason), the PIX stops passing all outbound traffic except the traffic from the IP address in the static mapping. I think this is because it can't do PAT and a STATIC mapping to the same IP address. I would need 1 IP address to pull it off successfully.

I will try the strict option. I had it earlier, and it didn't help the situation any, so I removed it.

I have also opened a TAC case on it, and it looks like there is going to be a problem with doing this and using PAT (if I use NAT, it works great...). I was hoping to avoid having to move to business class/static IPs (about twice as much as my existing net access...)

Thanks.

Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL PROTECTED]
http://www.bmc.com

-Original Message-
From: Glenn Shiffer [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 01, 2002 17:34
To: 'Noonan, Wesley'; [EMAIL PROTECTED]
Subject: RE: PIX 501, PAT and PASV...

As far as I recall, Cisco port aliases assign ftp = tcp 21 and ftp-data = tcp 20, ftp-data being used to enable FTP/HTTP server connections to function properly. Try adding a static mapping for port 21, i.e. ftp. You may also want to change your ftp fixup to:

fixup protocol ftp strict 21

This prevents web browsers from sending embedded commands in ftp requests.

Glenn
pix firewall management question.
Before I try to reinvent the wheel I thought I would ask around about this. Is there anything out there that will get all forms of access lists from a PIX, add them to some kind of database (daily), once received do some checks to see if anything has been added (email alert if something has), and maybe give some way to document each access list (like "added for new webserver, asked for by bob $EXT# $date")? At the moment I'm thinking expect and some shell scripts/perl.
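The daily check the post describes, as an added example in Python rather than the expect/perl the poster had in mind (this is written for this page and is not the poster's or Cisco's code). It does the part that is not device-specific: normalise captured "show access-list" text so hit counters don't register as changes, compare today's capture against a stored baseline, report what was added or removed, and flag added entries that nobody has documented. The two captures are constructed for the example; fetching the output from the PIX (expect, ssh, a TFTP copy of the config) is left to the caller.

```python
import hashlib
import re
from dataclasses import dataclass, field

HITCNT = re.compile(r"\s*\(hitcnt=\d+\)\s*$")   # trailing counter on each ACE line


def normalise(output: str) -> set:
    """Turn raw 'show access-list' text into a set of canonical ACE strings."""
    entries = set()
    for line in output.splitlines():
        line = HITCNT.sub("", line.strip())
        if not line.startswith("access-list ") or not (" permit " in line or " deny " in line):
            continue                                  # skip summary/other lines
        entries.add(" ".join(line.split()))           # collapse whitespace
    return entries


def fingerprint(entries) -> str:
    """Order-independent hash of the whole policy, handy for a one-line daily log."""
    return hashlib.sha256("\n".join(sorted(entries)).encode()).hexdigest()


@dataclass
class Baseline:
    entries: set = field(default_factory=set)
    notes: dict = field(default_factory=dict)        # ACE -> "who asked, why, when"

    def annotate(self, ace: str, note: str):
        self.notes[" ".join(ace.split())] = note

    def diff(self, current: set) -> dict:
        added = sorted(current - self.entries)
        removed = sorted(self.entries - current)
        undocumented = [a for a in added if a not in self.notes]
        return {"added": added, "removed": removed,
                "undocumented": undocumented, "changed": bool(added or removed)}

    def accept(self, current: set):
        """Call after a change has been reviewed to make it the new baseline."""
        self.entries = set(current)


# Constructed captures (not from a real device): only hit counters differ on
# the unchanged lines, and one new RDP hole appears in today's output.
YESTERDAY = """\
access-list outside_in permit tcp any host 192.0.2.10 eq www (hitcnt=1542)
access-list outside_in permit tcp any host 192.0.2.11 eq smtp (hitcnt=77)
access-list outside_in deny ip any any (hitcnt=9031)
"""
TODAY = """\
access-list outside_in permit tcp any host 192.0.2.10 eq www (hitcnt=1788)
access-list outside_in permit tcp any host 192.0.2.11 eq smtp (hitcnt=80)
access-list outside_in permit tcp any host 192.0.2.12 eq 3389 (hitcnt=0)
access-list outside_in deny ip any any (hitcnt=9100)
"""


def run_daily_check() -> dict:
    base = Baseline(normalise(YESTERDAY))
    base.annotate("access-list outside_in permit tcp any host 192.0.2.10 eq www",
                  "web server, requested by bob, ticket 123, 2002-01-10")   # constructed note
    return base.diff(normalise(TODAY))


if __name__ == "__main__":
    report = run_daily_check()
    if report["changed"]:
        print("ACL change detected:", report)    # where an email alert would go
```

Anything in "undocumented" is the list to chase: an ACE nobody can account for is either an undocumented change or someone else's change.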
RE: SOCKS Question
You could also pick any proxy-based firewall out there and just install NEC's SOCKS5 proxy (does cost money): www.socks.nec.com

--- Peter Merrick [EMAIL PROTECTED] wrote:

Hi Kenneth,

Not 100% sure about SOCKS-compliant firewall appliances, but the Permeo e-Border products (http://www.permeo.com/products/products.htm) may meet some of your needs. Alternatively (not an appliance), the IBM SecureWay Firewall product supports TCP and UDP apps through SOCKS v5 (http://www-4.ibm.com/software/security/firewall/).

Cheers,
Pete Merrick

-Original Message-
From: ZOERNER, KENNETH R, ALBAS [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 17 January 2002 06:49
To: [EMAIL PROTECTED]
Subject: SOCKS Question

Does anybody out there know of a vendor who makes a SOCKS v5 compliant firewall appliance? Short of that, which software vendors sell a SOCKS v5 server? Thanks.

Kenneth R. Zoerner
AT&T Labs Firewall Development
M, T, Th, F (847) 407-7609
W (847) 516-8630
Cell: (847) 226-7480
[EMAIL PROTECTED]
Fax: (847) 407-7941
Pager: 1-888-858-7243 Pin: 116327 or [EMAIL PROTECTED]
Re: HPUX Firewalls
Speaking of NAI, does anyone know where Gauntlet is going yet? I know it's being sold, or has been sold, but nothing more than that.

--- [EMAIL PROTECTED] wrote:

Since NAI and CHKP are no longer supporting this platform, can anyone recommend firewall software for HP-UX running 11.0?

/thx
/m
Re: forwarding in interfaces ethernet
Well, you left out some info. First off, what are the security levels for ethernet2 and ethernet3? Are you using syslog? What is the PIX logging when you try the ping that fails? Also, can you show all nat, global, and static rules for eth2 and eth3?

--- Johnny Gonzalez [EMAIL PROTECTED] wrote:

Hi.

I have a PIX 525 with 4 ethernets.

1 ethernet = inside (10.10.10.1/24)
2 ethernet = real (IP internet z.x.w.q/24)
3 ethernet = outside (IP internet a.b.c.d/24)

The default route is a.b.c.x

I have the following rules:

conduit permit icmp any any
nat (real) 0 z.x.w.r 255.255.255.255

The ethernet "real" is inside of my LAN:

Internet --- outside --- real --- inside --- LAN

The clients have IPs 10.10.10.x and z.x.w.r/24. The clients have no problem getting to the Internet. But I don't see pings from 10.10.10.x to z.x.w.r/24. I see pings from the Internet to z.x.w.r/24. What is the problem??

Thanks for helping me.

--
Johnny Gonzalez Dominguez
Ingenieria de Software
Telecable Morelos
Cuernavaca, Morelos
Tel. (52)(777)3292475
[EMAIL PROTECTED]
[EMAIL PROTECTED]
ICQ #75046976
Re: multihomed machine route problem
If you really want some help on this you are going to have to post route info and IP/network info, like what all the networks/netmasks involved are. Have you updated the firewall rules? What does your firewall log? etc etc etc. ... so sleepy, Stimpy ...

--- Michael Zhao [EMAIL PROTECTED] wrote:

Hi,

My former network structure is as follows:

outside
   |
   fw
   |
Cisco switches
   |       |
  WSs     SRVs

I want to add another net segment to my net. I inserted two NIC interfaces in my Windows NT Server 4.0 system (SP6a). One NIC connects to the switches via the normal cable, and the other one connects to a hub where some clients are connected. I am sure I did the correct multihomed configuration. I tested the routing using ping. I can ping the new clients from the old internal machines but cannot do it vice versa. But I can ping both ways between the fw and the new clients. What can I do? Could anybody give help?

Thanks
Michael
RE: Static routes with PIX
The cheap way would be to add static routes on the servers in the DMZ, and document it.

--- Scott Pendergast [EMAIL PROTECTED] wrote:

> That would certainly explain what I've seen... Thanks!
>
> Scott
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 15, 2001 10:31 AM
> To: Scott Pendergast
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: Static routes with PIX
>
> The PIX will not send traffic back out the same interface it received it on; it is considered a security issue. I ran into the same problem a year ago. A solution would be to place a router in the DMZ, and have all hosts point to that. Anything not staying in the DMZ would then be routed to the PIX, which would happily send it out to the 'net.
>
> On Thu, 15 Nov 2001, Scott Pendergast wrote:
>
>> Greetings! I have a case where I want the PIX to forward traffic destined for a particular network to a router interface on the same DMZ the PIX receives this traffic on. I.e., the DMZ interface for the PIX is the default gateway for all hosts on that DMZ. Most traffic goes on to the PIX's default route (the 'net), some goes through the PIX back to the inside hosts on which it was initiated (administrative traffic for instance), and some needs to go to a subnet that has VPN access to that DMZ.
>>
>> After defining the static route in question, I can ping the destination from the PIX, but not from a host on the DMZ subnet where I need it to work from. Since the router interface through which the target network is reachable is local to the DMZ subnet in question, as a (hopefully temporary) work around I've added static routes for the destination on each host (yuk!)
>>
>> ex:
>>
>>   dmz-xx 10.x.x.0/23 10.x.x.1 1 CONNECT static
>>   (the .1 address is the PIX interface itself)
>>   dmz-xx 10.x.y.0/23 10.x.x.z 1 OTHER static
>>   (the .z address is a router interface on the 10.x.x.0 through which 10.x.y.0 can be reached...)
>>
>> Any reason I shouldn't expect this to work?
>>
>> thanks!
>> Scott
Re: PIX 515 question
Can you give a little more info? This sounds like a DNS issue. Can you hit the real IP of the webserver (not the NAT IP)? Also, what is logged when you try? If so, what is the hostname.domain for the site from the internet, and what is it for the internal network?

> Message: 7
> From: Frédéric Médery [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: PIX 515 question
> Date: Wed, 14 Nov 2001 19:01:13 -0500
>
> The network:
>
>   DMZ-PIX-LAN
>        |
>     INTERNET
>
> We have an IIS web server inside the DMZ. I'm trying to access the web site (in the DMZ) from a station inside the LAN. We cannot access the web site. A guy told me that it was not possible (a NAT problem?) with the PIX (or other?) firewall. I know that I can open port 80 from the LAN to the DMZ instead of trying to go to the internet to get to the DMZ web server, but I'd like to understand why it's not possible. If you have some information it would be great!
>
> Frederic
Re: Tadpole Checkpoint
You're running a firewall off a SPARC laptop?? Tadpole was the name of a company that made Sun SPARC laptops. I think they were bought by a company called RDI.

--- Kim, Cameron [EMAIL PROTECTED] wrote:

> Guys,
>
> Thanks for all the great questions and answers. Just reading them has brought a whole new light on the way we work out firewalls here. Now I have a question and hopefully someone can shed some light here. We are moving ISP and we temporarily allowed the ISP to manage the firewall. They brought in this firewall running Checkpoint on a Sun OEM box called Tadpole (?). Anyone know of any good/bad info regarding this setup?
>
> Thanks!
> Cameron Kim
> Mitsubishi Digital Electronics America
pix using udp port 0 for portmap
Has anyone noticed their PIX using port 0 for UDP portmap?
Re: CISCO VPN CONCENTRATOR, USE BEHIND A FIREWALL?
Or, if you have enough NICs free, put both VPN NICs behind the firewall. Example (firewall has 4 NICs): outside, inside, dmz1 and dmz2. Hope the diagram comes out ok.

  outside
     |    / Outside vpn nic (dmz1)
  firewall
     |    \ Inside vpn nic (dmz2)
  inside

This way you can keep state of all connections: VPN connections to the outside NIC, and connections coming from the VPN to the internal network. You can also filter to your heart's delight.

NOTE: you do need to make sure you are not using auth header (proto 51 I think) because of NATing issues. Just open proto 50 and udp 500 to the VPN. If you can't set up a routable IP on the VPN's outside NIC, then set up a static NAT from the outside to the VPN's outside NIC. Also note that you will need to do NAT on the VPN to give a path for the internal network to route back through the VPN for remote users.

just a thought...

--- Brian Ford [EMAIL PROTECTED] wrote:

> Ivan,
>
> You are correct in that the VPN3015 does not currently have a stateful firewall. It does support access control lists. At this time there is no way to get through a VPN30xx concentrator other than using one of the VPN clients. To date there have been no compromises of that platform.
>
> I would suggest you look at installing the VPN3015 concentrator on a perimeter network off your existing firewall. That way the 3015 can be accessed by VPN clients on the Internet via its own public IP address. Any attempts to get through the concentrator would need to pass through the firewall, so you can enforce policy on anything that comes through the concentrator.
>
> Liberty for All,
> Brian
>
> At 10:11 AM 10/16/2001 -0700, Ivan Lopez, TRI wrote:
>
>> Message: 11
>> From: Ivan Lopez, TRI [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Subject: CISCO VPN CONCENTRATOR, USE BEHIND A FIREWALL?
>> Date: Tue, 16 Oct 2001 11:04:46 -0400
>>
>> We recently bought a Cisco VPN Concentrator 3015. We've been told that since it does not have firewall capabilities, it is not safe to have its outside interface on the Internet side. Is that true? Do we need to put a firewall in front of it? In that case, which ports need to be open?
Re: CISCO VPN CONCENTRATOR, USE BEHIND A FIREWALL?
> You could do this but if you did you would have to configure the firewall outside interface to pass VPN traffic.

Yes, and no. Yes, I am passing VPN traffic, but it's not bound for the outside IP of the firewall; it's bound for the static NAT rule, which xlates the external to the outside IP of the VPN (assuming the outside NIC doesn't have a routable IP).

> If you configure the firewall to pass VPN traffic you lose the capability of using that outside firewall interface to terminate site to site VPN connections.

Are you sure? I can't see any reason why this would be with the PIX. You could terminate one VPN to a static IP (as in using the static+conduit commands), and one to the outside NIC's IP, couldn't you? I can test this out if you like.

> I like leaving that capability available in case I have to build a site quickly.

I don't like VPNs on firewalls. For site to site it may not be that bad, but there is always the chance that the VPN can run away with your CPU, and thus DoS your firewall, affecting any traffic passing through it. If it's for general remote access then I would flat out not use it. If there is ever a problem VPN (say buffer overflow or something else nasty) who knows what could happen. Worst case you are going into the office at 3am to upgrade/reinstall the firewall (eek!) (backups?...)

> For troubleshooting sake you might find yourself allowing the firewall's outside interface to respond to pings, which is default setup on the PIX. This is in case a remote user wants to check to see if they can reach your site. Great for troubleshooting,

I hate turning on ping for the firewall's outside interface. This is why you log everything. Want to troubleshoot a connection issue? Look at the VPN logs; still nothing, go to your log server and

  tail -f | egrep '(x\.x\.x\.x|y\.y\.y\.y)'

(x being the VPN's IP, y being the remote VPN's IP). You will find out what the problem is, and if the other side wants to know what's going on, paste the logs into an email. Problem solved.

Thoughts?
RE: CISCO VPN CONCENTRATOR, USE BEHIND A FIREWALL?
Well, I like the fact that you still only have one access point, the firewall. You don't have to worry about the upstream router having a correct access-list (deny anything but IPsec traffic to and from the VPN). I can see where this goes totally against K.I.S.S. but I still really like it. Thanks for the link btw.

--- Ben Nagy [EMAIL PROTECTED] wrote:

> G'day,
>
> I don't like the solution that loops the VPN traffic through the firewall twice. I can't see any real security gain, and there is a big complexity loss. If you were to use NAT, as bob suggested, then it's even worse, because you have all the VPN / NAT issues. Yes, the Cisco concentrators can use NAT-transparent mode, but that's an extra encapsulation, and should only be used when necessary.
Re: PIX features
I missed the point of this at first, as I'm sure you can tell.

--- Tony Rall [EMAIL PROTECTED] wrote:

> On Saturday, 2001/10/13 at 14:12 MST, bob bobing [EMAIL PROTECTED] wrote:
>
>> Are you sure it can't find, deny, and log spoofed connections?
>> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/syslog/pixemapa.htm
>> search for spoof...
>
> You're right, Pix 5.2 appears to have added support for blocking source addresses that aren't routed out the same interface they arrived on. Note that no machine can know for sure that a source address has been spoofed; the most it can conclude is that some addresses are not to be expected on some interfaces.
Re: PIX features
> Are you sure it can't find, deny, and log spoofed connections?
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/syslog/pixemapa.htm
> search for spoof...

The only way I know of for a Pix, or any type of box, to identify spoofing is by filters that know which source addresses are permissible for incoming traffic on an interface.

With some Cisco IOS versions (not available on Pix) you can use "ip verify unicast reverse-path" - a very nice trick that uses the box's routing table to determine whether to allow a source address. The address, when used as a destination, must be routed out the same interface it arrived on; else it gets discarded.

Boxes without such a nice control have to have hardcoded access lists which statically permit only the source addresses that the admin thinks should be arriving on an interface. But that only works for interfaces which don't have a default route and that don't use dynamic routing (which is not, unfortunately, an issue on the Pix).

If the Pix is connected to the Internet, typically its outside interface will be configured with a default route. There is no way it can identify or block spoofed traffic arriving at such an interface (but it can, if so configured with access lists, block address ranges that it knows should never arrive on that interface, such as rfc1918 addresses and its own inside address ranges).

My answer to the original question is that Pix cannot identify spoofing (but it can statically filter by address, which may be used to block spoofing in some cases).
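The two checks Tony contrasts, reverse-path verification against a routing table and a static per-interface deny list, as an added example written for this page (not IOS or PIX code); the routing table, interface names and address ranges are constructed, and the default route on "outside" reproduces the limitation he describes:

```python
"""Reverse-path check versus static ingress filtering (added example).

A longest-prefix-match routing table decides which interface a source
address would be routed out of; strict RPF accepts a packet only when
that interface is the one it arrived on. With a default route pointing
at "outside", every unknown source passes RPF on that interface, which
is exactly why a default-routed Internet interface cannot spot spoofing.
"""
import ipaddress

# Constructed routing table: (destination prefix, egress interface).
ROUTES_WITH_DEFAULT = [
    ("10.0.0.0/8", "inside"),
    ("192.168.1.0/24", "dmz"),
    ("0.0.0.0/0", "outside"),      # the default route
]

# Same table without the default route: unknown sources have no egress.
ROUTES_NO_DEFAULT = ROUTES_WITH_DEFAULT[:2]

# Constructed static deny list for the outside interface: RFC 1918 space
# and the site's own inside range should never arrive from the Internet.
OUTSIDE_BOGONS = {
    "outside": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}


def egress_interface(routes, address):
    """Longest-prefix match: the interface `address` would be routed out
    of as a destination, or None when no route covers it."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return None if best is None else best[1]


def rpf_allows(routes, src, ingress_iface):
    """Strict unicast RPF: accept only if the source, used as a
    destination, routes back out the interface the packet came in on."""
    return egress_interface(routes, src) == ingress_iface


def static_ingress_allows(ingress_iface, src, bogons_per_iface):
    """The hardcoded alternative: drop a source that falls in a range
    the admin has declared impossible on this interface; everything
    else is allowed, so a spoofed public address still gets through."""
    addr = ipaddress.ip_address(src)
    for prefix in bogons_per_iface.get(ingress_iface, []):
        if addr in ipaddress.ip_network(prefix):
            return False
    return True


if __name__ == "__main__":
    # Inside address arriving on outside: RPF drops it (routes to "inside").
    print(rpf_allows(ROUTES_WITH_DEFAULT, "10.1.2.3", "outside"))      # False
    # Unknown Internet source on outside: the default route accepts anything.
    print(rpf_allows(ROUTES_WITH_DEFAULT, "203.0.113.9", "outside"))   # True
    # Same source with no default route: nothing claims it, so it is dropped.
    print(rpf_allows(ROUTES_NO_DEFAULT, "203.0.113.9", "outside"))     # False
    # Static filter catches the RFC 1918 source but not the public one.
    print(static_ingress_allows("outside", "10.1.2.3", OUTSIDE_BOGONS))     # False
    print(static_ingress_allows("outside", "203.0.113.9", OUTSIDE_BOGONS))  # True
```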
Re: NIMDA, Code Red, variants solution
Well, before we get too deep into this, my question would be: do you have your own connection to the internet, or is your internet connection through the parent company?

--- ragu nandan [EMAIL PROTECTED] wrote:

> Hi
>
> We have a WAN with no firewall between our company and our parent company. What is the best way to prevent infected machines from our side affecting their machines in the event of an outbreak? Short-term measures include putting access-lists in our routers and theirs. We need a pro-active proxy-kind-of-solution. Any suggestions?
>
> TIA
> Ragu
Re: Accessing a small private network from two different subnets?
Yes, both will work, but just adding a NIC would be much cheaper. If money is an issue, just buy a Pro100+ off the shelf; it should work fine. I did some testing with a 525 and 5.2, installed 2 non-Cisco Intel NICs and they worked great. But if you plan on having more vendors and money isn't an issue I would get a new PIX and use it just for vendor connections.

--- Harry Whitehouse [EMAIL PROTECTED] wrote:

> Hello All!
>
> I have a small private network (10.0.0.X) running behind a PIX 520 firewall. It's currently interfacing to a public www network (UUnet) and I'm using NAT to translate the public addresses to my private network. I only have two servers accessible from the outside via conduit statements, one at 10.0.0.160 and one at 10.0.0.170. This all works great -- thanks to a lot of help from folks on this firewall list!
>
> We have been approached by another party which wants access to a new server on our private network at 10.0.0.150. This new .150 server need NOT be accessed by the UUNet public network, but we do want it to be part of the 10.0.0.X private network. This party is also supplying a leased line to us with its own network address space (let's say it's 56.100.200.X).
>
> So basically, I want to allow two network subnets to have selected access to my private 10.0.0.X network and I'm not sure how to do it. The problem *may* be simplified by the fact that this new party needs only to talk to 10.0.0.150 and not any other servers on the private network. Further, the .160 and .170 servers do not have to be accessible by this new party.
>
> I'm thinking there might be two approaches:
>
> 1. Employ a third card in the existing PIX (e.g. a DMZ card) to interface the new 56.100.200.X network.
> 2. Install a second PIX on my private network, NAT'ing 56.100.200.150 to the 10.0.0.150 server.
>
> Will either of these approaches work?
>
> TIA
> Harry
cisco 3k vpn + certs
Can anyone point me to some reading material on managing certs with the Cisco VPN 3000? I don't know if I want to do this or not, but even if I did I don't know the pros/cons or how to handle it for a large user base (say 1000 users). Btw I would really like to go open source, but that isn't a must.
Re: FreeBSD firewall - how to redirect??
Well, you have many options with FreeBSD.

1. IPNAT using IPFILTER
2. NATD using IPFW
3. FWTK (/usr/ports/security/fwtk or /usr/ports/net/fwtk). This is basically a set of proxies.

Let's go with ipfilter. First load the ipfilter module or build a kernel with it installed.

  kldload ipl

will install the module. (Note: you will need to edit /etc/rc.conf to make ipfilter load on start up.)

  man 5 ipnat

to get info on how to set up NAT rules, and

  man 5 ipf

for the firewall rules. Also there should be some examples in /usr/src/contrib/ipfilter/rules.

Basically it sounds like you need a bi-directional NAT rule (also known as static NAT). It would look something like this:

  bimap $OUTSIDENIC 192.168.2.1 -> $INTERNETIP

I'm assuming 192.168.2.1 is the server's address. You can find many FAQs on ipfilter from a quick search on Google.

--- [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> Maybe just my pain, but I am perusing everywhere (http://groups.google.com), also FAQs, tutorials and so on, but I am not able to get a single reply (maybe I am too newbie even for the man pages - I cannot apply it to my question):
>
> I need to mount a server in a (sort of) DMZ, serving http, pop3 and smtp for both sides of a firewall (the public and the private), like this:
>
>   /internet/---/firewall/--- internal lan (192.168.1.0)
>                   |
>                   |-- /server(s)/ (192.168.2.0)
>
> Any request to the external IP for any available service must be addressed to the 192.168.2.0. Also, any request from 192.168.1.0 *must* be addressed to the 192.168.2.0.
>
> Anybody please can point me out to any document, tutorial, easy-hands-on on the subject?? Even RTFM will help, *if* mentioning the correct expression which must be searched.
>
> Regards,
> irado furioso com tudo
> linux user 179402
> God is built in the image and likeness of man. Especially in his flaws.
Re: Re[2]: Authenticated NAT
Well, it's not free, may not be very supportable, and I'm not sure if it supports NT auth, but I'll say it anyways :) Gauntlet has something called the circuit gateway (ck-gw). This will do what you want (auth to a dumb proxy).

--- Nicola Cuomo [EMAIL PROTECTED] wrote:

> Hi,
>
> Saturday, September 29, 2001, 6:38:43 PM, you wrote:
>
> DB> Proxy auth using squid?
> DB> Use the NTLM features of squid auth
>
> Thank you. It's a solution. The problem is that the users need more than the http/ftp access granted by squid (ssh, pop3, smtp, pptp, vnc, other???).
>
> Bye, bye.
> -- Nicola mailto:[EMAIL PROTECTED]
Re: Interesting pattern of port 524 probes.
Could be the Nimda virus. Have you scanned the machines in question?

--- Michael Janke [EMAIL PROTECTED] wrote:

> We've been seeing an increasing number of probes on port 524 starting about a week ago. The probes appear to be coming from ordinary PC's, both internal and external to our network. The probes follow a regular pattern of 3 probes followed by DNS and Netbios lookups. The probes appear to scan their own class 'A' and 'B' more often than other networks, but will jump randomly a percentage of the time. The time between packets and the packet lengths are very consistent across many scans. Port 524 is normally used for Netware 5.x file services, but has also been associated with an old Linux vulnerability.
>
> I've isolated a single scan using Netflow data.
>
>   Time     SrcIPaddre     SrcP DstIPaddress   DstP Pr  Pkts Octets
>   09:24:18 A1.29.208.155  1088 A1.29.237.94   524  TCP 3    144
>   09:24:28 A1.29.208.155  1089 A1.29.237.94   524  TCP 3    144
>   09:24:39 A1.29.208.155  1090 A1.29.237.94   524  TCP 3    144
>   09:24:52 A1.29.208.155  137  nameserver1    53   UDP 6    360
>   09:24:57 A1.29.208.155  137  nameserver2    53   UDP 6    360
>   09:25:01 A1.29.208.155  137  A1.29.237.94   137  UDP 3    234
>   09:25:12 A1.29.208.155  1093 A1.201.92.88   524  TCP 3    144
>   09:25:22 A1.29.208.155  1094 A1.201.92.88   524  TCP 3    144
>   09:25:33 A1.29.208.155  1095 A1.201.92.88   524  TCP 3    144
>   09:25:46 A1.29.208.155  137  nameserver1    53   UDP 6    360
>   09:25:51 A1.29.208.155  137  nameserver2    53   UDP 6    360
>   09:25:55 A1.29.208.155  137  A1.201.92.88   137  UDP 3    234
>   09:26:06 A1.29.208.155  1098 A1.29.241.245  524  TCP 3    144
>   09:26:16 A1.29.208.155  1099 A1.29.241.245  524  TCP 3    144
>   09:26:27 A1.29.208.155  1100 A1.29.241.245  524  TCP 3    144
>   09:26:40 A1.29.208.155  137  nameserver1    53   UDP 6    366
>   09:26:45 A1.29.208.155  137  nameserver2    53   UDP 6    366
>   09:26:49 A1.29.208.155  137  A1.29.241.245  137  UDP 3    234
>   09:27:00 A1.29.208.155  1103 A2.242.13.97   524  TCP 3    144
>   09:27:10 A1.29.208.155  1104 A2.242.13.97   524  TCP 3    144
>   09:27:21 A1.29.208.155  1105 A2.242.13.97   524  TCP 3    144
>
> This is a new pattern to us. Has anybody seen anything like it?
>
> --Mike
> -
> Michael Janke
> Director, Network Services
> Minnesota State Colleges and Universities
> -
Re: Interesting pattern of port 524 probes.
Well, the scanning of the local class A network, plus the fact that the src seems to be PC's (is this a fact?), and the number keeps increasing (assuming more sources), and it's close to the time Nimda started. Also I thought Nimda also did netbios scans, or does it just open shares all over the place? Can't really explain 524... just a thought.

--- Ron DuFresne [EMAIL PROTECTED] wrote:

> What makes you think nimda here? Are there any reports of nimda using other than e-mail and the web to pollinate?
>
> Thanks,
> Ron DuFresne
>
> On Mon, 1 Oct 2001, bob bobing wrote:
>
>> Could be the Nimda virus. Have you scanned the machines in question?
>>
>> --- Michael Janke [EMAIL PROTECTED] wrote:
>>
>>> We've been seeing an increasing number of probes on port 524 starting about a week ago. The probes appear to be coming from ordinary PC's, both internal and external to our network. The probes follow a regular pattern of 3 probes followed by DNS and Netbios lookups. The probes appear to scan their own class 'A' and 'B' more often than other networks, but will jump randomly a percentage of the time. The time between packets and the packet lengths are very consistent across many scans. Port 524 is normally used for Netware 5.x file services, but has also been associated with an old Linux vulnerability.
>>>
>>> I've isolated a single scan using Netflow data.
>>>
>>>   Time     SrcIPaddre     SrcP DstIPaddress   DstP Pr  Pkts Octets
>>>   09:24:18 A1.29.208.155  1088 A1.29.237.94   524  TCP 3    144
>>>   09:24:28 A1.29.208.155  1089 A1.29.237.94   524  TCP 3    144
>>>   09:24:39 A1.29.208.155  1090 A1.29.237.94   524  TCP 3    144
>>>   09:24:52 A1.29.208.155  137  nameserver1    53   UDP 6    360
>>>   09:24:57 A1.29.208.155  137  nameserver2    53   UDP 6    360
>>>   09:25:01 A1.29.208.155  137  A1.29.237.94   137  UDP 3    234
>>>   09:25:12 A1.29.208.155  1093 A1.201.92.88   524  TCP 3    144
>>>   09:25:22 A1.29.208.155  1094 A1.201.92.88   524  TCP 3    144
>>>   09:25:33 A1.29.208.155  1095 A1.201.92.88   524  TCP 3    144
>>>   09:25:46 A1.29.208.155  137  nameserver1    53   UDP 6    360
>>>   09:25:51 A1.29.208.155  137  nameserver2    53   UDP 6    360
>>>   09:25:55 A1.29.208.155  137  A1.201.92.88   137  UDP 3    234
>>>   09:26:06 A1.29.208.155  1098 A1.29.241.245  524  TCP 3    144
>>>   09:26:16 A1.29.208.155  1099 A1.29.241.245  524  TCP 3    144
>>>   09:26:27 A1.29.208.155  1100 A1.29.241.245  524  TCP 3    144
>>>   09:26:40 A1.29.208.155  137  nameserver1    53   UDP 6    366
>>>   09:26:45 A1.29.208.155  137  nameserver2    53   UDP 6    366
>>>   09:26:49 A1.29.208.155  137  A1.29.241.245  137  UDP 3    234
>>>   09:27:00 A1.29.208.155  1103 A2.242.13.97   524  TCP 3    144
>>>   09:27:10 A1.29.208.155  1104 A2.242.13.97   524  TCP 3    144
>>>   09:27:21 A1.29.208.155  1105 A2.242.13.97   524  TCP 3    144
>>>
>>> This is a new pattern to us. Has anybody seen anything like it?
>>>
>>> --Mike
>>> -
>>> Michael Janke
>>> Director, Network Services
>>> Minnesota State Colleges and Universities
>>> -
>
> ~~
> Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
> OK, so you're a Ph.D. Just don't touch anything.
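A detector for the pattern Michael describes in his post (three short TCP flows to port 524 at one host, then DNS and NetBIOS name lookups, repeated host by host), as an added example written for this page rather than anything from the thread or from a Netflow tool. The flow lines are the ones quoted in the post, with its anonymised "A1."/"A2." octets, plus two constructed benign flows that must not be flagged:

```python
"""Flag sources that show the tcp/524 probe pattern from the post (added example)."""
from collections import defaultdict

PROBE_PORT = 524          # Netware 5.x NCP, the port in the post
NETBIOS_NS_PORT = 137     # the udp/137 lookup that follows each set of probes
PROBES_PER_TARGET = 3     # "3 probes followed by DNS and Netbios lookups"

# Header and the 21 flows quoted in the post, then two constructed lines:
# a real NCP session (many packets) and an ordinary DNS query.
SAMPLE_FLOWS = """\
Time     SrcIPaddre     SrcP DstIPaddress   DstP Pr  Pkts Octets
09:24:18 A1.29.208.155  1088 A1.29.237.94   524  TCP 3    144
09:24:28 A1.29.208.155  1089 A1.29.237.94   524  TCP 3    144
09:24:39 A1.29.208.155  1090 A1.29.237.94   524  TCP 3    144
09:24:52 A1.29.208.155  137  nameserver1    53   UDP 6    360
09:24:57 A1.29.208.155  137  nameserver2    53   UDP 6    360
09:25:01 A1.29.208.155  137  A1.29.237.94   137  UDP 3    234
09:25:12 A1.29.208.155  1093 A1.201.92.88   524  TCP 3    144
09:25:22 A1.29.208.155  1094 A1.201.92.88   524  TCP 3    144
09:25:33 A1.29.208.155  1095 A1.201.92.88   524  TCP 3    144
09:25:46 A1.29.208.155  137  nameserver1    53   UDP 6    360
09:25:51 A1.29.208.155  137  nameserver2    53   UDP 6    360
09:25:55 A1.29.208.155  137  A1.201.92.88   137  UDP 3    234
09:26:06 A1.29.208.155  1098 A1.29.241.245  524  TCP 3    144
09:26:16 A1.29.208.155  1099 A1.29.241.245  524  TCP 3    144
09:26:27 A1.29.208.155  1100 A1.29.241.245  524  TCP 3    144
09:26:40 A1.29.208.155  137  nameserver1    53   UDP 6    366
09:26:45 A1.29.208.155  137  nameserver2    53   UDP 6    366
09:26:49 A1.29.208.155  137  A1.29.241.245  137  UDP 3    234
09:27:00 A1.29.208.155  1103 A2.242.13.97   524  TCP 3    144
09:27:10 A1.29.208.155  1104 A2.242.13.97   524  TCP 3    144
09:27:21 A1.29.208.155  1105 A2.242.13.97   524  TCP 3    144
09:30:00 A1.29.208.200  1500 A1.29.10.5     524  TCP 40   31200
09:30:03 A1.29.208.200  1501 nameserver1    53   UDP 2    140
"""


def parse_flows(text):
    """Parse Netflow-style summary lines into dicts; the header line and
    blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Time":
            continue
        t, src, sport, dst, dport, proto, pkts, octets = parts
        flows.append({"time": t, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto,
                      "pkts": int(pkts), "octets": int(octets)})
    return flows


def to_seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def find_probe_sources(flows, max_gap=30, max_pkts=3):
    """Return {src: [(dst, netbios_followup), ...]} for sources that sent
    PROBES_PER_TARGET short TCP flows (at most max_pkts packets each, so a
    real NCP session is not counted) to PROBE_PORT on one destination, no
    more than max_gap seconds apart. netbios_followup is True when the same
    source then sent udp/137 to that destination; a target that got the
    probes but no follow-up is still reported, so the last host of a scan
    that was cut off is not missed."""
    probes = defaultdict(list)      # (src, dst) -> [seconds since midnight]
    netbios = set()                 # (src, dst) pairs with a udp/137 lookup
    for f in flows:
        key = (f["src"], f["dst"])
        if f["proto"] == "TCP" and f["dport"] == PROBE_PORT and f["pkts"] <= max_pkts:
            probes[key].append(to_seconds(f["time"]))
        elif f["proto"] == "UDP" and f["dport"] == NETBIOS_NS_PORT:
            netbios.add(key)
    hits = defaultdict(list)
    for (src, dst), times in probes.items():
        if len(times) < PROBES_PER_TARGET:
            continue
        times.sort()
        if all(b - a <= max_gap for a, b in zip(times, times[1:])):
            hits[src].append((dst, (src, dst) in netbios))
    return dict(hits)


if __name__ == "__main__":
    for src, targets in find_probe_sources(parse_flows(SAMPLE_FLOWS)).items():
        print(src, "probed", len(targets), "hosts on tcp/524:", targets)
```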
Re: PIX and SSL need to configure?
Well, it would be helpful if you could explain your setup a little more. Where is the MS Proxy (inside the PIX?) Most default PIX setups have a permit any any for traffic coming from the inside going out. P.S. I don't know MS Proxy at all :)

--- d d [EMAIL PROTECTED] wrote:

> Hi:
>
> I have a PIX 515, and need that a user of my LAN can access a site via SSL. Do I need to configure the PIX?? What config do I need to include? I also have an MS Proxy 2.0 server.
>
> Thanks
> Desa
Re: Borderware IPSec Client
It may be because of the type of IPsec connection you are using. I'm going to assume you are using NAT with the FW at work. I think you need to see if you are using AH (I think proto 51). AH doesn't like NAT (don't quote me on this :) ), I think because it takes an MD5 checksum of the packet. So going on this, NAT would make an IPsec packet invalid because you just changed the src address. I've never used the Borderware IPsec client, so I can't tell you what to look at per se, but see if there is an option to disable AH (Auth Header).

--- Erwin Geirnaert [EMAIL PROTECTED] wrote:

> Hi guys
>
> I'm having problems with the Borderware IPSec Client. If I connect through my cable provider at home, I can connect. At work it doesn't work, although the firewall allows my PC to connect. The fw is configured to allow IP protocol 50, IP protocol 51 and IKE. The IKE handshaking works and in the connection monitor I see the increase in secured packets/kb sent. What am I missing?
>
> TIA
> Erwin
RE: pix - no inbound conns
Well, I think it has to do with your static line. Your global address is 192.168.0.253, so your connections should be hitting that address, which the PIX will xlate to 192.168.1.1. In your examples you are not sending icmp, you are sending udp, and you are pointing it to 192.168.1.1. So either change your dst addr to 192.168.0.253, or change your static line to

  static (inside,outside) 192.168.1.1 192.168.1.1 netmask 255.255.255.255

to xlate this IP to itself.

-----Original Message-----
From: Sven Jansen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 8:32 PM
To: [EMAIL PROTECTED]
Subject: pix - no inbound conns

Hello all,

sorry, I forgot to mention the subject, so I send this mail a second time.

I try to configure a PIX515, which has 2 interfaces. My problem is that I cannot start any communication from the outside through the firewall. Outbound connections are no problem. These are some of the syslog messages:

  %PIX-6-305002: Translation built for gaddr 192.168.0.253 to laddr 192.168.1.1
  %PIX-3-106010: Deny inbound udp src outside:192.168.0.3/1086 dst inside:192.168.1.1/53
  %PIX-3-106010: Deny inbound udp src outside:192.168.0.2/1024 dst inside:192.168.1.1/69

So I tried it with DNS and TFTP, but also with some TCP ports. Besides, when I check the meaning of system log messages on the internet (cisco.com), it tells me that 106010 is a 'deny inbound icmp' message.

Here is a sample of my config:

  PIX Version 6.0(1)
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  hostname pixfirewall
  fixup protocol ftp 21
  fixup protocol http 80
  fixup protocol h323 1720
  fixup protocol rsh 514
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol sip 5060
  fixup protocol skinny 2000
  names
  name 192.168.1.10 INTRANET
  name 192.168.0.10 DMZ
  access-list 110 permit icmp 192.168.1.0 255.255.255.0 any echo
  access-list 110 permit ip any any
  access-list 120 permit icmp any 192.168.0.0 255.255.255.0 echo-reply
  access-list 120 permit ip any any
  interface ethernet0 auto
  interface ethernet1 auto
  ip address outside DMZ 255.255.255.0
  ip address inside INTRANET 255.255.255.0
  global (outside) 1 192.168.0.200-192.168.0.252
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  static (inside,outside) 192.168.0.253 192.168.1.1 netmask 255.255.255.255 0 0
  access-group 120 in interface outside
  access-group 110 in interface inside
  route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

As you can see, after a while of testing, I decided to permit all ip traffic. The access-lists seem to work, because without the 'permit icmp' I cannot ping out. So there must be the connection between the interface and the acl.

Another question I have is, I want to build an explicit trust relationship between two active directory domains through the firewall. Does anybody have a hint how that works?

Thanks in advance for all help,
Sven Jansen
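A model of the inbound translation lookup behind Sven's two denied packets, as an added example written for this page (not PIX code and not from the thread). It takes the static line from the posted config and bob's proposed identity static, and shows which destination addresses an outside host can actually reach; the posted access-list 120 ends in "permit ip any any", so the access-list is left out of the model, and the syslog-style wording of the verdicts is constructed:

```python
"""Inbound static translation lookup for the posted PIX config (added example)."""
import ipaddress

# static (inside,outside) GLOBAL LOCAL netmask MASK, kept as (global, local, mask).
POSTED_STATICS = [("192.168.0.253", "192.168.1.1", "255.255.255.255")]
# bob's alternative from the reply: xlate 192.168.1.1 to itself.
IDENTITY_STATICS = [("192.168.1.1", "192.168.1.1", "255.255.255.255")]


def inbound_xlate(dst, statics):
    """Return the inside (local) address that an outside-to-inside packet
    addressed to dst is translated to, or None when no static covers dst.
    Addresses from the dynamic "global (outside) 1" pool are deliberately
    not handled: those translations only exist for connections that were
    started from the inside, so they give an outside host nothing to hit."""
    d = ipaddress.ip_address(dst)
    for global_addr, local_addr, mask in statics:
        gnet = ipaddress.ip_network(f"{global_addr}/{mask}", strict=False)
        if d in gnet:
            # A network static maps host-by-host, so keep the host offset.
            offset = int(d) - int(gnet.network_address)
            lnet = ipaddress.ip_network(f"{local_addr}/{mask}", strict=False)
            return str(lnet.network_address + offset)
    return None


def inbound_decision(src, sport, dst, dport, proto, statics):
    """Verdict for one inbound packet in the spirit of the 106010 lines in
    the post (constructed wording, not the real PIX message format)."""
    local = inbound_xlate(dst, statics)
    if local is None:
        return (f"Deny inbound {proto} src outside:{src}/{sport} "
                f"dst {dst}/{dport}: no static covers {dst}")
    return (f"Permit inbound {proto} src outside:{src}/{sport} "
            f"dst inside:{local}/{dport} via xlate {dst} -> {local}")


if __name__ == "__main__":
    # The two denied packets from the post were addressed to the local address.
    print(inbound_decision("192.168.0.3", 1086, "192.168.1.1", 53, "udp", POSTED_STATICS))
    print(inbound_decision("192.168.0.2", 1024, "192.168.1.1", 69, "udp", POSTED_STATICS))
    # Either fix from the reply: hit the global address, or use the identity static.
    print(inbound_decision("192.168.0.3", 1086, "192.168.0.253", 53, "udp", POSTED_STATICS))
    print(inbound_decision("192.168.0.3", 1086, "192.168.1.1", 53, "udp", IDENTITY_STATICS))
```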
RE: Pix Intrusion Detection
I was just about to plug snort :)

--- Johnston Mark [EMAIL PROTECTED] wrote:

But to send them it has to detect them, right. My question is how is it detecting it. I managed to get something going now using the IP audit commands and am seeing some IDS warnings in the log such as ICMP. I have snort systems running, but am just curious about the PIX abilities.

-Original Message-
From: BorisP_Maillistdude [mailto:[EMAIL PROTECTED]]
Sent: 17 September 2001 02:31
To: [EMAIL PROTECTED]
Subject: RE: Pix Intrusion Detection

PIX does only send events to IDS. Cisco has other products to take care of IDS-business. It wouldn't make much sense to run IDS on the same box as the firewall or even worse... have the firewall do IDS (formerly named NetRanger for example). Have a look at the following page: http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/ Pix sends Syslog messages ... and that's it.

-- Boris Pavalec, Managing Director, VRP Network / System Engineer MCSE MCT, HCS - Highend Computing Systems AG, Hohlstrasse 216, CH-8004 Zürich, Phone: + 41-1 240 29 50, Fax: + 41-1 240 29 59, eMail: [EMAIL PROTECTED] --

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Johnston Mark
Sent: Monday, September 17, 2001 1:22 PM
To: [EMAIL PROTECTED]
Subject: Pix Intrusion Detection

Hi all, do you know if the PIX 6.0 has built-in IDS capabilities? I'm looking at the ip audit commands and am trying to figure out what's what. If it is, can you please send me an example. In the meantime I'm going to battle on. Thanks, Mark
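Since the thread ends at "Pix sends Syslog messages ... and that's it", here is what a defender can do with those messages, as an added example (not Cisco code and not from the thread): it parses the IDS events that ip audit emits into syslog and flags any single source that sends the same ICMP signature to many distinct hosts, the kind of sweep that a per-message alert would not reveal. The sample lines are constructed in the shape of PIX IDS syslog events; the message ids, signature numbers (2004 is assumed to be ICMP echo request) and addresses are illustrative.

```python
"""Detection over PIX 'ip audit' IDS syslog lines (added example, not Cisco code)."""
import re
from collections import defaultdict

# Constructed sample in the shape of PIX IDS syslog events; message ids,
# signature numbers and addresses are illustrative, not taken from the thread.
SAMPLE_LOG = """\
Sep 17 13:22:01 pixfirewall %PIX-4-400014: IDS:2004 ICMP echo request from 10.1.1.5 to 192.168.0.10 on interface outside
Sep 17 13:22:01 pixfirewall %PIX-4-400014: IDS:2004 ICMP echo request from 10.1.1.5 to 192.168.0.11 on interface outside
Sep 17 13:22:02 pixfirewall %PIX-4-400014: IDS:2004 ICMP echo request from 10.1.1.5 to 192.168.0.12 on interface outside
Sep 17 13:22:02 pixfirewall %PIX-4-400014: IDS:2004 ICMP echo request from 10.1.1.5 to 192.168.0.13 on interface outside
Sep 17 13:22:05 pixfirewall %PIX-4-400010: IDS:2000 ICMP echo reply from 192.168.0.10 to 10.1.1.5 on interface inside
Sep 17 13:22:09 pixfirewall %PIX-4-400014: IDS:2004 ICMP echo request from 10.9.9.9 to 192.168.0.10 on interface outside
Sep 17 13:22:10 pixfirewall %PIX-3-106010: Deny inbound icmp src outside:10.9.9.9 dst inside:192.168.1.20 (type 8, code 0)
"""

IDS_RE = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): IDS:(?P<sig>\d+) (?P<name>.+?) "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)")

def parse_ids_events(log_text):
    """One dict per IDS event; every other syslog line is ignored."""
    events = []
    for line in log_text.splitlines():
        m = IDS_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["sig"] = int(ev["sig"])
            events.append(ev)
    return events

def sweep_sources(events, sig=2004, min_targets=3):
    """Sources that sent signature `sig` (assumed here to be ICMP echo request)
    to at least `min_targets` distinct hosts: one source touching many hosts
    is the pattern worth a look, unlike a single echo request."""
    targets = defaultdict(set)
    for ev in events:
        if ev["sig"] == sig:
            targets[ev["src"]].add(ev["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    evs = parse_ids_events(SAMPLE_LOG)
    for src, n in sweep_sources(evs).items():
        print(f"{src} sent echo requests to {n} distinct hosts")
```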
Re: WINS with PIX
From what I understand, lmhosts is the quick and easy way to fix the broadcast NetBIOS problem.

NETBIOS name resolution (often confused with WINS) is broadcast-based

--- Volker Tanger [EMAIL PROTECTED] wrote:

Greetings!

Johnston Mark wrote:

I have set up a PIX firewall with VPN capabilities. Everything seems to be working except for WINS. I don't want to go through the whole configuration, but I'm calling on anyone that has run into the same problem or can give me any pointers.

Which WINS? I guess setting up a WINS server and pointing the clients to it should do the work. NETBIOS name resolution (often confused with WINS) is broadcast-based, which probably does not work across networks with different IP addresses (e.g. local 10.0.0.0/8, remote 192.168.0.0/16).

Bye, Volker
-- Volker Tanger [EMAIL PROTECTED] Wrangelstr. 100, 10997 Berlin, Germany, DiSCON GmbH - Internet Solutions http://www.discon.de/
PIX nat w2k netbios
OK, in other parts of the network I don't have any problem with doing file xfers via NetBIOS (with NT 4.0) over a PIX using NAT with a global (dynamic NAT). But on this one PIX (same code rev) I can only have one file xfer per src IP. So I NAT everyone to 1 address and this is what I see:

Host A starts xfer to Server 1
Host B starts xfer to Server 1
Host A session gets reset (TCP reset) and it dies
Host C starts xfer to Server 1
Host B session gets reset
... etc etc etc etc.

Just to see if this was a PIX problem I stopped doing NAT for 3 hosts on the PIX, and started doing it on a router just before the PIX. Same thing. Also note that if I don't NAT 3 hosts so their src IP stays the same, then I don't have any problems. We also set up an NT 4.0 workstation, and put it in the same place as the W2K servers, and didn't have any problems. .. .. .. ??? So I'm thinking it's an MS issue, but I would like to see if anyone else has seen this. BTW if anyone knows, how would I debug file xfers on W2K? I don't have any info from the server.

- [To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
PIX and rst codes.
Can someone tell me what the PIX means when it says TCP RST-O or TCP RST-I. I understand what a reset is, I'm just not sure about the O or I. I didn't really see anything about this on the Cisco website (maybe I missed it) so feel free to URL me. Hope this turns out better than the PIX Load question..
RE: PIX Load
I'm running MRTG now; what MIB should I be using?

--- Byron Kennedy [EMAIL PROTECTED] wrote:

mrtg might help

-Original Message-
From: bob bobing [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 27, 2001 11:07 AM
To: [EMAIL PROTECTED]
Subject: PIX Load

Can someone please tell me how to find out what the load on a PIX is? At what point do I say, OK this PIX isn't cutting it anymore, I need a new PIX 535 (or just dump a new CPU in it :) ). BTW I am not using any form of VPN with the PIX.
ftp server behind PIX, what PIXOS is safest?
I would like to put an FTP server behind a PIX (in a DMZ) and have a few questions. What code level (PIX IOS) is safe for this? I've seen posts that say 5.2.4 (I think, please correct me if I'm wrong) had some problems with flooding PASV FTP connections, not to mention the other FTP problems had in early versions. Just want to see what everyone else is doing. Responses from Cisco will be taken with a grain of salt :)