From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Fri Mar 14 2008 - 17:37:31 ARST
Carlos, I'm afraid your findings are incorrect: one can telnet to security
level 90 or all the way up to sec-level 1 interfaces, as long as the
appropriate 'telnet <ip> <mask> <interface>' command is there.
One cannot telnet to the outside (sec-level 0) interface. A VPN connection
needs to be set up in order to make that work. SSH works, of course.
Regarding the original question, the 'nameif outside' command tells the
PIX/ASA which interface is the outside. For any nameif other than 'inside',
the OS automatically sets the security-level to 0 (this includes nameif
outside, dmz, internet, abcd etc).
"no takers on why transparent pix does PING destination to learn its mac?"
Can you please clarify your question there? Are you referring to this:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/bridgarp.html#wp1039938
"Packets for remote devices: The security appliance generates a ping to the
destination IP address so that the security appliance can learn which
interface receives the ping reply."
If yes, then CCO answers your question: "so that the security appliance can
learn which interface receives the ping reply"
Regards
Farrukh (CCIE # 20184 - Security)
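The nameif / security-level / telnet behaviour discussed in this thread, shown as an added configuration example that was not posted by any of the participants. The interface names, addresses and management subnets below are made-up values, and the syntax follows the ASA 7.x style the thread refers to.

```cisco
! Added example, not from the thread. Addresses and subnets are invented.
! Default security levels: nameif "inside" gets 100, any other name gets 0,
! so the levels on dmz and outside are set explicitly to make intent visible.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Telnet is only accepted on interfaces whose security-level is above the
! lowest one, and only from the hosts/subnets listed per interface.
telnet 10.1.1.0 255.255.255.0 inside
telnet 192.0.2.0 255.255.255.0 dmz
telnet timeout 5
!
! Management from the security-level 0 side: telnet is not usable there
! without an IPsec tunnel, so restrict it to SSH from a named admin subnet.
ssh 198.51.100.0 255.255.255.0 outside
ssh version 2
ssh timeout 10
```

The point to check on a running box is `show run telnet` and `show run ssh`: every line should name a specific source subnet and interface, and the only management method reachable from the outside interface should be SSH.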
On Fri, Mar 14, 2008 at 9:55 PM, Carlos G Mendioroz <tron@huapi.ba.ar>
wrote:
> You need, try it.
> Seeing I'm not the only one, I did lab it (7.2).
> And the answer is ... security_level <> 100.
>
> I made an interface "outside" and could login w/o trouble.
> But as soon as I changed the sec level to 90, the telnet connects
> but you get no service (i.e. no password or login prompt)
>
> So telnet only works on sec level 100 interfaces (which is an ok
> policy for me!, just wanted to know it :)
>
> -Carlos
> P.S.
> no takers on why transparent pix does PING destination to learn its mac?
>
> Hoogen @ 14/3/2008 16:30 -0600 dixit:
> > I don't think you need a static nat statement...just enabling telnet on
> > the outside interface is good enough...
> >
> > Well Carlos you are right you can name anything you like to...outside is
> > just that mostly internet links are connected to...so the outside world
> > can access it..least secure zone..usually zero...But you can even name it
> > internet give it a security level of 30 too...just have to remember that
> > your more secure zones...servers placed in dmz or your internal lan
> > inside zones need to have more security level..and not lesser than the
> > outside or internet zone...
> >
> > -Hoogen
> >
> >
> > On 3/14/08, Tony Varriale <tvarriale@flamboyaninc.com> wrote:
> >> The nameif command and the security-level.
> >>
> >>
> >> Tony
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >> Carlos G Mendioroz
> >> Sent: Friday, March 14, 2008 11:59 AM
> >> To: ccielab@groupstudy.com
> >> Subject: OT?: What makes the outside interface "outside" ?
> >>
> >> Pixen do not allow telnet to the outside interface w/o ipsec.
> >> There are a number of ways out (ipsec, static to inside, etc).
> >>
> >> But what makes an interface an "outside" interface ? The name ?
> >> The sec level ? Just curious if somebody knows (and lazy to go
> >> and lab it up!)
> >>
> >> Regards,
> >> -Carlos
> >> --
> >> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >
>
> --
> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:53 ART