From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Fri Mar 14 2008 - 19:20:53 ARST
1) Telnet *does* work for non-zero sec-level interfaces. This is a common
observation for anyone who has ever visited the PIX/ASA CLI, but normally
people don't play with the sec-levels so much :) so it could be you might
have found a bug there, which might require a reboot or clear local-host
[all]. Remember 7.x code is pretty buggy.
2) You are correct, you can change the default relationship between
nameif/interface (outside = 0) and (inside = 100). After all, they are just
names. But if you don't configure any security-level, these are the
defaults. You could even set up internet and sec-lev 0 or vice versa (as you
mentioned).
3) Perhaps it cares about the interface it receives MACs 'from', to learn
MAC identities. Remember the transparent PIX does not run any routing
protocols, so it's not network-aware. For IP addresses within its own subnet
(which is the same for both interfaces) it could always use ARP to see on which
interface it receives ARP replies (containing the appropriate MAC addr...).
I guess this has something to do with MAC learning (but I think this
requires the directly connected device to have proxy-arp enabled, or
appropriate routes should exist on the PIX/ASA). Even though these routes are
for management traffic and things like URL filtering etc., it might be that
the firewall uses them to 'reach' this destination. But I'm not the
programmer type, so I'll let it go :)
Regards
Farrukh (CCIE # 20184 - Security)
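The interface and remote-access commands the thread is arguing about, written out as an added example; this is not configuration posted by anyone in the thread. It assumes PIX/ASA 7.x syntax on the Pix 515 layout Carlos describes (eth1 as inside, 10.0.0.1/24, a telnet host at 10.0.0.10); the outside and dmz interfaces and their addresses are made up for illustration. The security-level lines are stated explicitly rather than left to the nameif defaults (100 for the name inside, 0 for any other name), so the level in force is visible in the running config no matter what the interface is called.

```cisco
! Added example, PIX/ASA 7.x syntax. Addresses on eth0/eth2 are assumed.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
! Telnet is permitted only from the inside subnet, arriving on the inside interface.
! The firewall refuses telnet on a security-level 0 interface, so no 'telnet ... outside' line.
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
!
! Management from the outside goes over SSH (or through a VPN), not telnet.
ssh 192.0.2.0 255.255.255.0 outside
ssh timeout 5
```

`show nameif` lists each interface with its name and the security level actually configured, which is the direct check on the point Carlos makes: once either is set by hand, the name and the level no longer imply each other. `show running-config telnet` shows which source networks and interfaces accept telnet, so a connection that opens but never shows a password prompt can be compared against both outputs before concluding it is a bug.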
On Fri, Mar 14, 2008 at 11:56 PM, Carlos G Mendioroz <tron@huapi.ba.ar>
wrote:
> Inline...
>
> Farrukh Haroon @ 14/03/2008 17:37 -0200 dixit:
> > Carlos I'm afraid your findings are incorrect, one can telnet to
> > security level 90 or all the way up to sec-level 1 interfaces, as long as the
> > appropriate 'telnet <ip> <mask> <interface>' command is there.
>
> Farrukh,
> may be my conclusion is wrong, but here's what I did:
>
> Pix 515 running 7.2, stock default config, eth1 as inside, 10.0.0.1/24.
> 1) Added telnet 10.0.0.0 255.0.0.0 inside and so was able to telnet from
> inside host 10.0.0.10
> 2) Changed sec level to 0, telnet connected but no prompt
> 3) Changed sec level to 100, telnet ok again
> 4) Changed to 50, telnet connected but no prompt
> 5) Changed to 90, still no go
> 6) Changed to name outside, and sec level to 100, telnet back ok.
>
> (At that time I had 2 outside interfaces, although eth0 was down.)
>
> >
> > One cannot telnet to the outside (sec-level 0) interface. A VPN connection
> > needs to be set up in order to make that work. SSH works of course.
>
> The whole point of my argument is finding out what is outside.
> (If you are a programmer type, outside seems to be way overloaded)
>
> So please don't assume name and sec level go hand in hand!
> And I have read the way it is supposed to be (done). Was trying to
> reverse engineer when it works "as advertised" so to say.
>
> > Regarding the original question, the 'nameif outside' command tells the
> > PIX/ASA which interface is the outside. For any nameif other than 'inside',
> > the OS automatically sets the security-level to 0 (this includes nameif
> > outside, dmz, internet, abcd etc).
>
> But you can change it back..., and the name will stick.
>
> >
> > "no takers on why transparent pix does PING destination to learn its mac?"
> >
> > Can you please clarify your question there? Are you referring to this:
> >
> >
> > http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/bridgarp.html#wp1039938
> >
> > "Packets for remote devices The security appliance generates a ping to the
> > destination IP address so that the security appliance can learn which
> > interface receives the ping reply."
> >
> > If Yes, then CCO answers your question: "so that the security appliance can
> > learn which interface receives the ping reply"
>
> I don't understand why it cares.
> And to send a ping, it would have to know routing, and use its
> knowledge of routes instead of the original frame's intended L2
> destination??? The original frame had an intended L2 destination,
> why subvert it? Why does it make a difference if its L3 destination is
> local or not?
>
> >
> > Regards
> >
> > Farrukh (CCIE # 20184 - Security)
>
> -Carlos (CCIE #13838 R&S, CC*P, JNCIS, CCSI, student for life :)
>
> >
> > On Fri, Mar 14, 2008 at 9:55 PM, Carlos G Mendioroz <tron@huapi.ba.ar>
> > wrote:
> >
> >> You need, try it.
> >> Seeing I'm not the only one, I did lab it (7.2).
> >> And the answer is ... security_level <> 100.
> >>
> >> I made an interface "outside" and could login w/o trouble.
> >> But as soon as I changed the sec level to 90, the telnet connects
> >> but you get no service (i.e. no password or login prompt)
> >>
> >> So telnet only works on sec level 100 interfaces (which is an ok
> >> policy for me!, just wanted to know it :)
> >>
> >> -Carlos
> >> P.S.
> >> no takers on why transparent pix does PING destination to learn its mac?
> >>
> >> Hoogen @ 14/3/2008 16:30 -0600 dixit:
> >>> I don't think you need a static NAT statement... just enabling telnet on
> >>> the outside interface is good enough...
> >>>
> >>> Well Carlos you are right you can name anything you like to... outside is
> >>> just that mostly internet links are connected to... so the outside world can
> >>> access it... least secure zone... usually zero... But you can even name it
> >>> internet give it a security level of 30 too... just have to remember that
> >>> your more secure zones... servers placed in dmz or your internal lan inside
> >>> zones need to have more security level... and not lesser than the outside or
> >>> internet zone...
> >>>
> >>> -Hoogen
> >>>
> >>>
> >>> On 3/14/08, Tony Varriale <tvarriale@flamboyaninc.com> wrote:
> >>>> The nameif command and the security-level.
> >>>>
> >>>>
> >>>> Tony
> >>>>
> >>>> -----Original Message-----
> >>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >>>> Carlos G Mendioroz
> >>>> Sent: Friday, March 14, 2008 11:59 AM
> >>>> To: ccielab@groupstudy.com
> >>>> Subject: OT?: What makes the outside interface "outside" ?
> >>>>
> >>>> Pixen do not allow telnet to the outside interface w/o ipsec.
> >>>> There are a number of ways out (ipsec, static to inside, etc).
> >>>>
> >>>> But what makes an interface an "outside" interface ? The name ?
> >>>> The sec level ? Just curious if somebody knows (and lazy to go
> >>>> and lab it up!)
> >>>>
> >>>> Regards,
> >>>> -Carlos
> >>>> --
> >>>> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
> >>>>
> >>>>
> >>>> _______________________________________________________________________
> >>>> Subscription information may be found at:
> >>>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >>>
> >> --
> >> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
> >>
> >
> >
>
> --
> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:53 ART