Re: CISCO FW IOS with allowing SSH to it from outside

From: NoOne Important (lm_nguyen@xxxxxxxxxxx)
Date: Tue Feb 13 2001 - 16:53:29 GMT-3


You don't have to explicitly permit from the desired source network, do you?
What exactly do you mean anyway? Have to use the network and wildcard
instead of any? I've been working on CBAC for a couple of days
now...pretty cool stuff like you said.
In Sam's case he inspects traffic going out his ethernet and he has no
access-list out, which pretty much means he will inspect everything coming out
except icmp among other things...When traffic comes out, the router will
check the access-list, and since no access-list is defined everything will get
out. Dynamic access-list entries will be created and applied to the inbound
access-list to create holes for returning traffic.
The audit trail will show what's going on. show ip inspect session detail
will show how many dyn acls are created...etc. and what traffic gets inspected.
The bad thing is that CBAC only has a few entries...if you do tcp it pretty much
inspects every tcp session unless you define an access-list to block unwanted
traffic before it gets to the inspect part....I am still learning about
these so if anyone has any cool tricks...etc. please let me know.
I am also interested in learning more about other tcp options like timeout,
half-open..etc. Anyone played with these enough to know what's good?
Or just use the default parameters on the router?

Regards,

NI

>From: Ron.Fuller@3x.com
>To: "Sam Munzani" <sam@munzani.com>
>CC: ccielab@groupstudy.com, "NoOne Important" <lm_nguyen@hotmail.com>,
>nobody@groupstudy.com
>Subject: Re: CISCO FW IOS with allowing SSH to it from outside
>Date: Tue, 13 Feb 2001 14:31:04 -0500
>
>
>The IOS FW is similar in that it is a stateful firewall, but it does allow
>telnet from the outside. You need to explicitly permit telnet from the
>desired source network to the host address of the outside interface using
>the access-list you create. The IOS FW uses the access-list as a starter
>for adding the dynamic entries for return traffic it inspects as it goes
>out. Pretty cool stuff, I think. Good, cheap firewall for the masses. :)
>
>Ron Fuller, CCIE #5851, CCDP, CCNP-ATM, CCNP-Security, CCNP-Voice, MCNE
>3X Corporation
>rfuller@3x.com
>
>
>
>From: "Sam Munzani" <sam@munzani.com>
>Sent by: nobody@groupstudy.com
>To: "NoOne Important" <lm_nguyen@hotmail.com>, <ccielab@groupstudy.com>
>cc:
>Subject: Re: CISCO FW IOS with allowing SSH to it from outside
>Date: 02/13/2001 01:42 PM
>Please respond to "Sam Munzani"
>
>I am just curious if FW IOS behaves just like PIX for management. On PIX you
>can't telnet from the outside interface at all. IOS FW does stateful inspection
>the same way as PIX. This could be a security feature. Is anybody out there
>able to telnet to an IOS FW router from the internet?
>
>Sam
>
> > uhm
> > we overlooked the fact that you didn't put log or log-input after your
> > telnet and ssh and only on the deny statement.
> >
> >
> >
> > >From: "Sam Munzani" <sam@munzani.com>
> > >Reply-To: "Sam Munzani" <sam@munzani.com>
> > >To: "NoOne Important" <lm_nguyen@hotmail.com>, <ccielab@groupstudy.com>
> > >Subject: Re: CISCO FW IOS with allowing SSH to it from outside
> > >Date: Tue, 13 Feb 2001 12:28:31 -0600
> > >
> > >You are right. xxx.xxx.xxx.xxx is my ethernet ip addr. The funny thing is,
> > >nothing is captured in the log file. If I try to ping any internal host from
> > >outside, that gets logged but not my telnet or SSH attempts.
> > >
> > >Sam
> > >
> > > > xxxxxxxxxx I assume is your ethernet address? If so, I
> > > > don't really see what's wrong. Maybe check typos, check to see if there's
> > > > any access-group defined under vty...check routing...etc. see if there is
> > > > any other access-list blocking the traffic before it even gets there.
> > > > Turn on logging console and see what happens when you telnet or ssh to the
> > > > router....
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > >From: "Sam Munzani" <sam@munzani.com>
> > > > >Reply-To: "Sam Munzani" <sam@munzani.com>
> > > > >To: <ccielab@groupstudy.com>
> > > > >Subject: CISCO FW IOS with allowing SSH to it from outside
> > > > >Date: Tue, 13 Feb 2001 11:19:58 -0600
> > > > >
> > > > >Hi Group,
> > > > >
> > > > >I installed CISCO FW ios with CBAC commands standard configuration.
> > > > >Works great and for management, I can telnet and SSH to the box from
> > > > >the internal network. The following access-list is applied to the outside
> > > > >interface.
> > > > >
> > > > >access-list 100 permit tcp any host xxx.xxx.xxx.xxx eq 22
> > > > >access-list 100 permit tcp any host xxx.xxx.xxx.xxx eq 23
> > > > >access-list 100 deny ip any any log
> > > > >
> > > > >ip inspect name test_fw tcp
> > > > >ip inspect name test_fw udp
> > > > >ip inspect name test_fw cuseeme
> > > > >ip inspect name test_fw ftp
> > > > >ip inspect name test_fw h323
> > > > >ip inspect name test_fw rcmd
> > > > >ip inspect name test_fw realaudio
> > > > >ip inspect name test_fw smtp
> > > > >ip inspect name test_fw streamworks
> > > > >ip inspect name test_fw vdolive
> > > > >ip inspect name test_fw sqlnet
> > > > >ip inspect name test_fw tftp
> > > > >
> > > > >
> > > > >int e0/0
> > > > >Descr Outside interface
> > > > >ip address xxx.xxx.xxx.xxx 255.255.255.0
> > > > >ip inspect test_fw out
> > > > >ip access-group 100 in
> > > > >
> > > > >Telnet & SSH work fine from inside but not from outside. Any
> > > > >suggestions?
> > > > >
> > > > >Regards,
> > > > >
> > > > >Sam Munzani
> > > > >CCIE # 6479, CCNP, CCDP, MCSE, CNE 5, SCO Master ACE, HP Openview
> > > > >Consultant
> > > > >
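As an added example, not part of the thread, here is a small Python model of the inbound-ACL evaluation NI and Ron describe: CBAC dynamic entries are consulted ahead of the static access-list 100, so the return half of an inspected outbound session gets in, inbound telnet to the outside address matches the static permit, and anything else hits the logged deny. All addresses are constructed placeholders, and the dynamic entries are simplified to match on destination port only.

```python
import ipaddress

# Constructed sample modelled on Sam's posted config (192.0.2.1 stands in for his masked address).
ACL_100 = ["access-list 100 permit tcp any host 192.0.2.1 eq 22",
           "access-list 100 permit tcp any host 192.0.2.1 eq 23",
           "access-list 100 deny ip any any log"]
INSPECT = ["ip inspect name test_fw tcp", "ip inspect name test_fw udp"]
SESSION = {"proto": "tcp", "src": "10.0.0.5", "dst": "198.51.100.7", "sport": 40000, "dport": 80}
PKT_RETURN = {"proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.5", "dport": 40000}
PKT_TELNET = {"proto": "tcp", "src": "203.0.113.9", "dst": "192.0.2.1", "dport": 23}
PKT_PING = {"proto": "icmp", "src": "203.0.113.9", "dst": "10.0.0.5", "dport": None}

def _addr(tok, i):
    """Parse one address spec: any | host A.B.C.D | A.B.C.D WILDCARD (contiguous mask)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wild = int(ipaddress.ip_address(tok[i + 1]))
    return ipaddress.ip_network(f"{tok[i]}/{32 - wild.bit_length()}", strict=False), i + 2

def parse_ace(line):
    """Turn 'access-list N permit|deny PROTO SRC DST [eq PORT] [log]' into a dict."""
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3], "dport": None, "log": tok[-1] == "log"}
    ace["src"], i = _addr(tok, 4)
    ace["dst"], i = _addr(tok, i)
    if i < len(tok) and tok[i] == "eq":
        ace["dport"] = int(tok[i + 1])
    return ace

def dynamic_entry(s):
    """The hole CBAC opens in the inbound list for the return half of an inspected session.
    Simplified: a real entry also pins the source port; this one matches dst port only."""
    return {"action": "permit", "proto": s["proto"], "dport": s["sport"], "log": False,
            "src": ipaddress.ip_network(s["dst"] + "/32"),
            "dst": ipaddress.ip_network(s["src"] + "/32")}

def matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ace["src"]
            and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
            and (ace["dport"] is None or ace["dport"] == pkt["dport"]))

def inbound_decision(acl_lines, inspect_lines, sessions, pkt):
    """First match wins; dynamic CBAC entries are checked ahead of the static list.
    Only sessions whose protocol appears in an 'ip inspect name' line get a hole."""
    inspected = {l.split()[4] for l in inspect_lines}
    dyn = [dynamic_entry(s) for s in sessions if s["proto"] in inspected]
    for ace in dyn + [parse_ace(l) for l in acl_lines]:
        if matches(ace, pkt):
            return ace["action"], ace["log"]
    return "deny", False  # the implicit deny at the end of every IOS access-list
```

Run with `inbound_decision(ACL_100, INSPECT, [SESSION], PKT_PING)` to see the logged deny Sam observed for pings, and with `PKT_TELNET` to see that the static list alone would permit his telnet.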



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:47 GMT-3