Sunday, August 26, 2007

firewall-wizards Digest, Vol 16, Issue 13

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Cisco PIX 501 Help (kevin horvath)


----------------------------------------------------------------------

Message: 1
Date: Sat, 25 Aug 2007 22:26:13 -0400
From: "kevin horvath" <kevin.horvath@gmail.com>
Subject: Re: [fw-wiz] Cisco PIX 501 Help
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5c41be6e0708251926q57f2ecbdg1cc94221abf9286e@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

> Have just been given a couple of 501's to setup at work. Basic
> configuration has been performed, and that is working fine. The question
> I have is whether there is anyway to setup 100+ statics, one to one,
> port mappings using object groups ? My IP setup is as follows :-


Yes, just designate a class C (or cut up the class C to reduce the
number as you see fit) to map to another class C, so you have only
one static entry.
ex:
static (inside,outside) 10.7.152.0 10.6.0.0 netmask 255.255.255.0
also if you want to do this with

>
> outside -> inside -> host
> 10.7.152.2 -> 10.6.0.200 -> 10.6.0.202
>
> I have an application that uses 30 ports, plus X11, plus remote support
> via PCanywhere. I have created the ACLs using object groups, but I
> don't really fancy setting up individual TCP/UDP static entries.
>
> If I use something like :-
>
> static (inside,outside) interface 10.6.0.202 netmask 255.255.255.255 0 0
>
> Then the outside interface SSH server will not work as all traffic gets
> mapped through to the inside interface :( Obviously we need to support
> via the outside interface, so is there anyway around it ?

You typically would only map to the outside interface if you only had
one IP that you could use, such as in the case of a home set up, where
your ISP has given you only one public IP and you PAT all your internal
IPs to it. This doesn't seem to be your issue. With that assumption,
just allow ssh to your outside interface with the ssh command from
whatever block you want to allow
ex: ssh x.x.x.0 255.255.255.0 outside (x.x.x.0 is whatever IP range
you want to allow in)
This will allow ssh to the IP assigned on your outside interface.
Then to allow access to your server and to the 100+ IPs, do the static
command to map 128 IPs to each other
ex: static (inside,outside) 10.7.152.128 10.6.0.128 netmask 255.255.255.0

>
> Could I put the SSH on the inside interface and then do something like
> :-
>
> static (inside,outside) interface 2222 10.6.0.202 22 netmask
> 255.255.255.255 0 0
>
> so that we just have to connect to port 2222 instead and that will map
> it through so we can administer the PIX ?

Yes, but then you will have to static PAT everything, which is a pain,
and if you have the IP space on your outside then go with my
suggestion above.


>
> I see on our IOS that we can use access-list on the static mapping, is
> this a potential use ?


No, this is called policy NAT, but this would not allow a connection
initiated from a lower security interface (outside) to a higher
security interface.

>
> Hope my explanation makes sense ?

Pretty much, but please verify that you have more than one IP available
to you on your outside interface. If so, then go with my suggestions
above. If not, then you will need to go with static PAT (i.e. port
forwarding).

>
> Regards,
>
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 16, Issue 13
************************************************