Hi!

        I'm currently using two Cisco PIXes (on failover) doing a very
simple job: static NAT.

        Basically they do a static NAT for a public IP address and
translate it to a private internal IP address.

        The access-list denies everything by default (because of the
security levels) and the incoming access-list only allows port 80.

        I want to enable icmp:dest-unreachable messages to be forwarded to
the private machines on one way only (ie: internet->private).

        So my question(s) are:

1) Is there any way on the PIX to specify
dest-unreach:df-set-but-frag-needed only?

2) Can anybody think of the security implications of allowing
dest-unreach:* to the web servers (apart from a weird combo that would
crash the server itself)?

3) Having an access-list that denies all outgoing (private-> internet)
traffic (the web servers should never connect on their own to the
internet, they only receive connections), do you remember any ICMP
traffic that should be allowed from the web servers to the internet?

        Thanks!

-- p.

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
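
The decision the post is asking about, written out as an added example (my own code, not from the original post and not Cisco's): an inbound (internet -> private) filter that permits TCP/80 to the web server and ICMP destination-unreachable only when it is code 4 (fragmentation needed, DF set), and that also checks the datagram quoted inside the ICMP error was really sent by the web server from port 80 before accepting the advertised path MTU. That quoted-header check is the practical answer to question 2: without it, anyone who can send one spoofed ICMP packet can feed the server a bogus MTU for any connection. Note that the PIX 6.x access-list syntax I am assuming here matches ICMP by type only (`unreachable`), so a code-level match like the one below is not something the access-list itself expresses. Addresses, the post-NAT view (the private address 10.0.0.10 is the assumed static-NAT target), and all sample packets are constructed for the example; IP and ICMP checksums are not computed or verified.

```python
"""Added example: inbound ICMP type-3/code-4 filter for a NATed web server."""
import struct
from ipaddress import IPv4Address

# Assumed private address behind the static NAT (hypothetical).
WEB_SERVER = IPv4Address("10.0.0.10")

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_DEST_UNREACH = 3      # RFC 792 Destination Unreachable
CODE_FRAG_NEEDED = 4       # fragmentation needed and DF set (RFC 1191 PMTUD)


def parse_ipv4(pkt):
    """Split a raw IPv4 packet into (proto, src, dst, payload); no checksum check."""
    if len(pkt) < 20:
        raise ValueError("short-ipv4")
    ver_ihl, proto = pkt[0], pkt[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad-ipv4")
    return proto, IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20]), pkt[ihl:]


def filter_inbound(pkt):
    """Policy for internet -> private traffic: TCP/80 plus ICMP unreachable code 4
    whose quoted datagram is a TCP segment the web server sent from port 80.
    Returns 'permit', 'permit:pmtu=<n>' or 'deny:<reason>'."""
    try:
        proto, src, dst, payload = parse_ipv4(pkt)
    except ValueError as err:
        return f"deny:{err}"
    if dst != WEB_SERVER:
        return "deny:wrong-destination"
    if proto == IPPROTO_TCP:
        if len(payload) < 4:
            return "deny:short-tcp"
        dport = struct.unpack("!H", payload[2:4])[0]
        return "permit" if dport == 80 else f"deny:tcp-port-{dport}"
    if proto != IPPROTO_ICMP:
        return f"deny:proto-{proto}"
    if len(payload) < 8:
        return "deny:short-icmp"
    icmp_type, icmp_code = payload[0], payload[1]
    if icmp_type != ICMP_DEST_UNREACH:
        return f"deny:icmp-type-{icmp_type}"
    if icmp_code != CODE_FRAG_NEEDED:
        # A type-only access-list entry would already have let this through.
        return f"deny:unreach-code-{icmp_code}"
    mtu = struct.unpack("!H", payload[6:8])[0]   # next-hop MTU, RFC 1191
    if mtu < 68:                                 # below the IPv4 minimum: bogus
        return "deny:bogus-mtu"
    # RFC 792: the error quotes the offending IP header plus 8 bytes of its payload.
    try:
        q_proto, q_src, q_dst, q_payload = parse_ipv4(payload[8:])
    except ValueError:
        return "deny:no-quoted-header"
    if q_proto != IPPROTO_TCP or q_src != WEB_SERVER or len(q_payload) < 4:
        return "deny:quoted-packet-not-ours"
    q_sport = struct.unpack("!H", q_payload[:2])[0]
    if q_sport != 80:
        return f"deny:quoted-sport-{q_sport}"
    return f"permit:pmtu={mtu}"


def build_ipv4(proto, src, dst, payload, ttl=64):
    """Minimal IPv4 header (no options, zero checksum) for constructed packets."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def build_frag_needed(router, mtu, quoted):
    """ICMP type 3 code 4 from `router`, quoting the first 28 bytes of `quoted`."""
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, mtu)
    return build_ipv4(IPPROTO_ICMP, router, WEB_SERVER, icmp + quoted[:28])


# Constructed sample traffic (not captured data); 192.0.2.1 plays a path router.
CLIENT = "198.51.100.7"
SERVER_REPLY = build_ipv4(IPPROTO_TCP, WEB_SERVER, CLIENT,
                          struct.pack("!HH", 80, 40001) + b"\x00" * 16)
CLIENT_SYN = build_ipv4(IPPROTO_TCP, CLIENT, WEB_SERVER,
                        struct.pack("!HH", 40001, 80) + b"\x00" * 16)
SSH_PROBE = build_ipv4(IPPROTO_TCP, CLIENT, WEB_SERVER,
                       struct.pack("!HH", 40002, 22) + b"\x00" * 16)
PMTU_ERROR = build_frag_needed("192.0.2.1", 1400, SERVER_REPLY)
PORT_UNREACH = build_ipv4(IPPROTO_ICMP, "192.0.2.1", WEB_SERVER,
                          struct.pack("!BBHHH", 3, 3, 0, 0, 0) + SERVER_REPLY[:28])
FORGED_PMTU = build_frag_needed("192.0.2.1", 1400, CLIENT_SYN)  # quotes a packet we never sent
PING = build_ipv4(IPPROTO_ICMP, "192.0.2.1", WEB_SERVER, struct.pack("!BBHHH", 8, 0, 0, 1, 1))

if __name__ == "__main__":
    for name in ("CLIENT_SYN", "SSH_PROBE", "PMTU_ERROR", "PORT_UNREACH", "FORGED_PMTU", "PING"):
        print(f"{name:12s} -> {filter_inbound(globals()[name])}")
```

Only `PMTU_ERROR` passes the ICMP branch; the port-unreachable (code 3), the echo request and the forged code-4 error quoting a client-to-server segment are all dropped, which is the difference between "permit unreachable" and "permit the one unreachable that path MTU discovery needs".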