You should be OK as long as you do static NAT (1-to-1
mapping) and don't use AH (protocol 51, I think).
AH takes an md5 snapshot of the packet, so when the
packet gets the IP changed (from NAT) it fails the
crypto checksum test. Also you will need to pass UDP
500 and protocol 50 (ESP (not port
are you saying the client was able to connect but then
would get disconnected after being logged on the
network? sounds like you may be dropping packets
somewhere. Have you looked for interface errors on the
pix, or maybe the uplink?
BTW using the cisco client and making the users use a
terminal
*plug*
OpenBSD's PF can do this also (see modulate state).
*plug*
AFAIK the Cisco PIX will randomize TCP ISN numbers
What makes yours unique ?
Thanks,
Rafi
--
Rafi Sadowsky
[EMAIL PROTECTED]
Network Operations Center | VoiceMail:
What IKE daemon does NetBSD use? If it's isakmpd I may
be able to help you out with it.
--- [EMAIL PROTECTED] wrote:
Does anyone know how to set-up a vpn between pix and
netbsd ?
Mil -
You never know how many friends you have until you
rent a place at the
beach
-Original
Just an FYI, BGP seems to be about the only protocol
you can pass through a PIX without some nasty GRE
tunnel.
--- Jason Ostrom [EMAIL PROTECTED] wrote:
Burke,
What have you attempted so far in order to resolve
and on which
devices, the PIX or upstream/downstream router?
The PIX
and distribute lists to control route
advertisement between the
segments. HTH.
Ken Claussen MCSE CCNA CCA
In Theory it should work as you describe, but the
difference between
theory and reality is the truth! For this we all
strive
-Original Message-
From: bob bobing [mailto:[EMAIL
Well, so far there are 3 mainstream firewall packages
for BSD (that ship with the OS).
IPFW (ip firewall)
IPF (ip filter)
PF (packet filter)
IPFW comes with FreeBSD.
IPF runs on any BSD (Free,Net,Open*,BSD/OS)
PF comes with OpenBSD.
My own taste would be ipf, but I really like some of
the
Care to explain your statement?
You can't make it do the _same_ stateful inspection
as the PIX does, and you
can't make it achieve the same performance without
using a more powerful machine,
still waiting :)
Just wondering where you are going with this.
--- bob bobing [EMAIL PROTECTED] wrote:
Care to explain your statement?
You can't make it do the _same_ stateful
inspection
as the PIX does, and you
can't make it achieve the same performance without
using a more powerful
2. OK, problem here. Gauntlet NT (and only NT) can't
bind proxies to IPs. This really hoses the whole proxy
formula, I think :).
--- Ben Nagy [EMAIL PROTECTED] wrote:
OK, a couple of quick points...
1. Gauntlet 5.5 on NT is unstable and weird. Try
reinstalling the
product from scratch -
PGP Key ID: 0x1A86E304
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf
Of bob bobing
Sent: Wednesday, March 06, 2002 12:04 PM
To: [EMAIL PROTECTED]
Subject: RE: Gauntlet NAT issues
2. ok problem here. Gauntlet NT (and only NT
Netscreen's performance should be examined in the
real network, as it shows quite different
performance.
What do you mean by this? Do you mean it's slower or
faster (yeah, right) than what they (being Netscreen)
say?
--- Pico GOH [EMAIL PROTECTED] wrote:
Netscreen is quite simple firewall, it
On 26 Feb 2002, at 6:51, Dell, Jeffrey wrote:
This is a code issue. With version 3.1 you will be
able to do
this, but currently 3.1 is only for the
Netscreen-25 and 50.
-Original Message-
From: bob bobing [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 2:04 AM
To: [EMAIL PROTECTED]
Subject: netscreen dip question.
Well, after almost a week of playing phone tag with
Netscreen support I'm going to ask here, because I still
don't have any answer. Using a Netscreen 10, is there
any way to set up a MIP on the DMZ? To the rest of the
world this means a static NAT (Netscreen must have
asked the Linux folks for some
Please paste the output of ipfstat -i -h, ipnat -l and
the contents of your ipfrules file and ipnatrules
file.
Just an FYI, ipnat happens before ipf, so your rules
need to be written post-NAT.
--- irado furioso com tudo [EMAIL PROTECTED] wrote:
Bruno Fernandes wrote:
note: even
[EMAIL PROTECTED] wrote:
bob bobing wrote:
Please paste the output of ipfstat -i -h, ipnat -l
and
the contents of your ipfrules file and ipnatrules
file.
Just an FYI, ipnat happens before ipf, so your
rules
need to be written post-NAT
I seem to remember seeing that 6.x had support for
port redirecting, have you looked for this/at this?
--- Noonan, Wesley [EMAIL PROTECTED] wrote:
As soon as I add a static mapping (for whatever
reason), the PIX stops
passing all outbound traffic except that traffic
from the IP address in
Before I try to reinvent the wheel I thought I would
ask around about this. Is there anything out there
that will get all forms of access lists from a PIX,
add them to some kind of database (daily), and once
received do some checks to see if anything has been
added (email alert if something has),
you could also pick any proxy based firewall out
there, and just install NEC's socks5 proxy (does cost
money)
www.socks.nec.com
--- Peter Merrick
[EMAIL PROTECTED] wrote:
Hi Kenneth
Not 100% sure about SOCKS-compliant firewall
appliances, but the Permeo
e-border products
Speaking of NAI, does anyone know where Gauntlet is
going yet? I know it's being sold, or has been sold,
but nothing more than that.
--- [EMAIL PROTECTED] wrote:
Since NAI and CHKP is no longer supporting this
platform. Can anyone
recommend firewall software for the HP UX running
11.0
Well, you left out some info. First off, what are the
security levels for ethernet2 and ethernet3? Are you
using syslog? What is the PIX logging when you try the
ping that fails?
Also, can you show all nat, global, and static rules
for eth2 and eth3.
--- Johnny Gonzalez [EMAIL PROTECTED] wrote:
If you really want some help on this you are going to
have to post route info and IP/network info,
like what all the networks/netmasks involved are. Have
you updated the firewall rules? What does your firewall
log? etc. etc. etc.
... so sleepy stimpy ...
--- Michael Zhao [EMAIL PROTECTED] wrote:
Hi
the cheap way would be to add static routes on the
servers in the dmz, and document it.
--- Scott Pendergast [EMAIL PROTECTED]
wrote:
That would certainly explain what I've seen...
Thanks!
Scott
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent:
Can you give a little more info? This sounds like a
DNS issue. Can you hit the real IP of the webserver
(not the NAT IP)? Also, what is logged when you try?
What is the hostname.domain for the site from the
internet, and what is it for the internal network?
You're running a firewall off a SPARC laptop??
Tadpole was the name of a company that made Sun SPARC
laptops. I think they were bought by a company called
RDI.
--- Kim, Cameron [EMAIL PROTECTED] wrote:
Guys,
Thanks for all the great questions and answers. Just
reading them has
brought a
Has anyone noticed their PIX using port 0 for UDP
portmap?
___
Firewalls mailing list
[EMAIL PROTECTED]
Or, if you have enough NICs free, put both VPN NICs
behind the firewall.
Example (firewall has 4 NICs): outside, inside, dmz1 and
dmz2. Hope the diagram comes out OK.
outside
|/ Outside vpn nic. (dmz1)
firewall
|\ Inside vpn nic. (dmz2)
inside
This way you can keep state of all
You could do this but if you did you would have to
configure the firewall
outside interface to pass VPN traffic.
Yes and no. Yes, I am passing VPN traffic, but it's not
bound for the outside IP of the firewall, it's bound
for the static NAT rule, which xlates the external to
the outside IP of
Well, I like the fact that you still only have one
access point, the firewall. You don't have to worry
about the upstream router having a correct
access-list (deny anything but IPsec traffic to and
from the VPN). I can see where this goes totally
against K.I.S.S., but I still really like it.
I missed the point of this at first, as I'm sure you
can tell.
--- Tony Rall [EMAIL PROTECTED] wrote:
On Saturday, 2001/10/13 at 14:12 MST, bob bobing
[EMAIL PROTECTED] wrote:
Are you sure it can't find, deny, and log spoofed
connections?
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/syslog/pixemapa.htm
search for spoof...
The only way I know of for a Pix, or any type of
box, to identify spoofing
is by filters that know which source addresses
Well, before we get too deep into this, my question
would be: do you have your own connection to the
internet, or is your internet connection through the
parent company?
--- ragu nandan [EMAIL PROTECTED] wrote:
Hi
We have a WAN with no Firewall between our
company
and our parent company. What
Yes, both will work, but just adding a NIC would be
much cheaper. If money is an issue, just buy a Pro/100+
off the shelf; it should work fine. I did some testing
with a 525 and 5.2, installed 2 non-Cisco Intel NICs,
and they worked great.
But if you plan on having more vendors and money isn't
an
Can anyone point me to some reading material on
managing certs with Cisco's VPN 3000? I don't know
if I want to do this or not, but even if I did I don't
know the pros/cons or how to handle it for a large user
base (say 1000 users). BTW, I would really like to go
open source, but that isn't a must.
Well, you have many options with FreeBSD.
1. IPNAT using IPFILTER
2. NATD using IPFW
3. FWTK (/usr/ports/security/fwtk or
/usr/ports/net/fwtk)
This is basically a set of proxies.
Let's go with ipfilter.
First load the ipfilter module or build a kernel with
it installed. kldload ipl will install
Well, it's not free, may not be very supportable, and
I'm not sure if it supports NT auth, but I'll say it
anyway :)
Gauntlet has something called the circuit gateway
(ck-gw). This will do what you want (auth to a dumb
proxy).
--- Nicola Cuomo [EMAIL PROTECTED] wrote:
Hi,
Saturday, September
Could be the Nimda virus; have you scanned the machines
in question?
--- Michael Janke [EMAIL PROTECTED] wrote:
We've been seeing and increasing number of probes on
port 524
starting about a week ago.
The probes appear to be coming from ordinary PC's,
both internal and
external to our
.
Can't really explain 524...
just a thought.
--- Ron DuFresne [EMAIL PROTECTED] wrote:
What makes you think nimda here? Are there any
reports of nimda using
other then e-mail and the web to pollinate?
Thanks,
Ron DuFresne
On Mon, 1 Oct 2001, bob bobing wrote:
could
Well, it would be helpful if you could explain your
setup a little more. Where is the MS Proxy (inside the
PIX)? Most default PIX setups have a permit any any
for traffic coming from the inside going out.
P.S. I don't know MS Proxy at all :)
--- d d [EMAIL PROTECTED] wrote:
Hi:
I have a
It may be because of the type of IPsec connection you
are using. I'm going to assume you are using NAT with
the FW at work. I think you need to see if you are
using AH (I think proto 51). AH doesn't like NAT (don't
quote me on this :) ), I think because it takes an md5
checksum of the packet. So
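The AH-versus-NAT point made in the post above, and in the earlier post about passing UDP 500 and protocol 50 through a static NAT, as an added example that is not part of either post. In RFC 4302 the "snapshot" is an HMAC (HMAC-MD5-96 here, for MD5 as the poster remembers it; HMAC-SHA1-96 is the other common choice) computed over the IP header with only the mutable fields (TOS, flags/fragment offset, TTL, header checksum) zeroed, so the source and destination addresses are covered and a router hop that decrements the TTL still verifies, while a 1-to-1 NAT rewrite of the source address does not. ESP's integrity check covers only the ESP header, payload and trailer, so the same NAT leaves it intact. The key, addresses, SPIs and payload are constructed for the example, and ESP is shown with NULL encryption so the layout is visible; nothing here is a real IKE or kernel IPsec implementation.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

# Constructed shared key for the demo, not from either post.
KEY = b"constructed-demo-ah-esp-key"


def ip_checksum(header: bytes) -> int:
    """One's-complement IPv4 header checksum; the checksum field must be zero on input."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0, ident=0x1234) -> bytes:
    """20-byte IPv4 header, no options, DF/MF clear, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 4302: TOS, flags/frag offset, TTL and header checksum are zeroed for the ICV.
    Source and destination addresses are NOT zeroed, which is what breaks under NAT."""
    return (ip_hdr[0:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00" + b"\x00"
            + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])


def ah_packet(src, dst, payload, spi=0x100, seq=1) -> bytes:
    """Transport-mode AH (protocol 51) over a UDP payload with an HMAC-MD5-96 ICV."""
    ip = ipv4_header(src, dst, 51, 20 + 24 + len(payload))
    ah_fixed = struct.pack("!BBHII", 17, 4, 0, spi, seq)  # next hdr, payload len, rsvd, SPI, seq
    covered = zero_mutable(ip) + ah_fixed + b"\x00" * 12 + payload
    icv = hmac.new(KEY, covered, hashlib.md5).digest()[:12]
    return ip + ah_fixed + icv + payload


def verify_ah(pkt: bytes) -> bool:
    ip, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    covered = zero_mutable(ip) + ah_fixed + b"\x00" * 12 + payload
    return hmac.compare_digest(hmac.new(KEY, covered, hashlib.md5).digest()[:12], icv)


def esp_packet(src, dst, payload, spi=0x200, seq=1) -> bytes:
    """Transport-mode ESP (protocol 50), NULL encryption; ICV covers ESP header+payload+trailer."""
    pad_len = (-(len(payload) + 2)) % 4
    body = struct.pack("!II", spi, seq) + payload + b"\x00" * pad_len + bytes([pad_len, 17])
    icv = hmac.new(KEY, body, hashlib.md5).digest()[:12]
    return ipv4_header(src, dst, 50, 20 + len(body) + 12) + body + icv


def verify_esp(pkt: bytes) -> bool:
    body, icv = pkt[20:-12], pkt[-12:]
    return hmac.compare_digest(hmac.new(KEY, body, hashlib.md5).digest()[:12], icv)


def router_hop(pkt: bytes) -> bytes:
    """An ordinary router: decrement TTL and refresh the header checksum, nothing else."""
    ip = pkt[:20]
    new = ip[:8] + bytes([ip[8] - 1]) + ip[9:10] + b"\x00\x00" + ip[12:]
    return new[:10] + struct.pack("!H", ip_checksum(new)) + new[12:] + pkt[20:]


def static_nat(pkt: bytes, new_src: str) -> bytes:
    """1-to-1 static NAT on the outbound path: rewrite the source address only."""
    ip = pkt[:20]
    total_len = struct.unpack("!H", ip[2:4])[0]
    ident = struct.unpack("!H", ip[4:6])[0]
    dst = str(IPv4Address(ip[16:20]))
    return ipv4_header(new_src, dst, ip[9], total_len, ttl=ip[8], tos=ip[1], ident=ident) + pkt[20:]


if __name__ == "__main__":
    inside, peer, public = "10.0.0.5", "198.51.100.7", "203.0.113.9"   # constructed addresses
    ah = ah_packet(inside, peer, b"constructed payload")
    print("AH after a plain router hop:", verify_ah(router_hop(ah)))        # True
    print("AH after static NAT        :", verify_ah(static_nat(ah, public)))  # False
    esp = esp_packet(inside, peer, b"constructed payload")
    print("ESP after static NAT       :", verify_esp(static_nat(esp, public)))  # True
```

This is why the advice in both posts is ESP only: the firewall has to pass UDP 500 (IKE) and IP protocol 50 (ESP) to the static-NAT address, and any AH SA will fail its integrity check on the far side no matter how the NAT is configured.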
Well, I think it has to do with your static line. Your
global address is 192.168.0.253, so your connections
should be hitting that address, which the PIX will
xlate to 192.168.1.1.
In your examples you are not sending ICMP, you are
sending UDP, and you are pointing it to 192.168.1.1.
So either
I was just about to plug snort :)
--- Johnston Mark [EMAIL PROTECTED] wrote:
But to send them it has to detect them right. My
question is how is it
detecting it. I managed to get something going now
using the IP audit
commands and am seeing some IDS warnings in the log
such as ICMP.
I
From what i understand lmhosts is the quick and easy
way to fix the broadcast netbios problem.
NETBIOS name resolution (often confused with WINS)
is broadcast-based
--- Volker Tanger [EMAIL PROTECTED] wrote:
Greetings!
Johnston Mark schrieb:
I have set up a PIX firewall with VPN
OK, in other parts of the network I don't have any
problem doing file xfers via NetBIOS (with NT 4.0)
over a PIX using NAT with a global (dynamic NAT). But
on this one PIX (same code rev) I can only have one
file xfer per src IP. So I NAT everyone to 1 address
and this is what I see.
Host A
Can someone tell me what the PIX means when it says
TCP RST-O or TCP RST-I? I understand what a Reset is,
I'm just not sure about the O or I. I didn't really
see anything about this on the Cisco website (maybe I
missed it), so feel free to URL me.
Hope this turns out better than the PIX Load
I'm running MRTG now; what MIB should I be using?
--- Byron Kennedy [EMAIL PROTECTED] wrote:
mrtg might help
-Original Message-
From: bob bobing [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 27, 2001 11:07 AM
To: [EMAIL PROTECTED]
Subject: PIX Load
Can someone please tell
I would like to put an FTP server behind a PIX (in a
DMZ) and have a few questions. What code level (PIX
IOS) is safe for this? I've seen posts that say 5.2.4
(I think, please correct me if I'm wrong) had some
problems with flooding PASV FTP connections, not to
mention the other FTP problems had