Re: What makes the outside interface "outside" ?

From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Sat Mar 15 2008 - 12:35:59 ARST


Just for the record, I repeated the test of taking an
inside interface to a level <> 100 and that locks telnet out.

pixfirewall(config-if)# sh run int
!
interface Ethernet0
  nameif inside
  security-level 50
  ip address 192.168.100.21 255.255.0.0
!
interface Ethernet1
  shutdown
  no nameif
  no security-level
  no ip address
pixfirewall(config-if)# sh run telnet
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
pixfirewall(config-if)# sh ver

Cisco PIX Security Appliance Software Version 7.2(2)

Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "flash:/pix722.bin"
Config file at boot was "startup-config"

pixfirewall up 15 hours 22 mins

Hardware: PIX-515, 128 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

-Carlos

Farrukh Haroon @ 14/03/2008 17:37 -0200 dixit:
> Carlos, I'm afraid your findings are incorrect, one can telnet to security
> level 90 or all the way up to sec-level 1 interfaces, as long as the
> appropriate 'telnet <ip> <mask> <interface>' command is there.
>
> One cannot telnet to the outside (sec-level 0) interface. A VPN connection
> needs to be setup in order to make that work. SSH works of course.
>
> Regarding the original question, the 'nameif outside' command tells the
> PIX/ASA which interface is the outside. For any nameif other than 'inside',
> the OS automatically sets the security-level to 0 (this includes nameif
> outside, dmz, internet, abcd etc).
>
> "no takers on why transparent pix does PING destination to learn its mac?"
>
> Can you please clarify your question there? Are you referring to this:
>
> http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/bridgarp.html#wp1039938
>
> "Packets for remote devices: The security appliance generates a ping to the
> destination IP address so that the security appliance can learn which
> interface receives the ping reply."
>
> If Yes, then CCO answers your question: "so that the security appliance can
> learn which interface receives the ping reply"
>
> Regards
>
> Farrukh (CCIE # 20184 - Security)
>
> On Fri, Mar 14, 2008 at 9:55 PM, Carlos G Mendioroz <tron@huapi.ba.ar>
> wrote:
>
>> You need, try it.
>> Seeing I'm not the only one, I did lab it (7.2).
>> And the answer is ... security_level <> 100.
>>
>> I made an interface "outside" and could login w/o trouble.
>> But as soon as I changed the sec level to 90, the telnet connects
>> but you get no service (i.e. no password or login prompt)
>>
>> So telnet only works on sec level 100 interfaces (which is an ok
>> policy for me!, just wanted to know it :)
>>
>> -Carlos
>> P.S.
>> no takers on why transparent pix does PING destination to learn its mac?
>>
>> Hoogen @ 14/3/2008 16:30 -0600 dixit:
>>> I don't think you need a static nat statement...just enabling telnet on the
>>> outside interface is good enough...
>>>
>>> Well Carlos you are right you can name anything you like to...outside is
>>> just that mostly internet links are connected to...so the outside world can
>>> access it..least secure zone..usually zero...But you can even name it
>>> internet give it a security level of 30 too...just have to remember that
>>> your more secure zones...servers placed in dmz or your internal lan inside
>>> zones need to have more security level..and not lesser than the outside or
>>> internet zone...
>>>
>>> -Hoogen
>>>
>>>
>>> On 3/14/08, Tony Varriale <tvarriale@flamboyaninc.com> wrote:
>>>> The nameif command and the security-level.
>>>>
>>>>
>>>> Tony
>>>>
>>>> -----Original Message-----
>>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>>> Carlos G Mendioroz
>>>> Sent: Friday, March 14, 2008 11:59 AM
>>>> To: ccielab@groupstudy.com
>>>> Subject: OT?: What makes the outside interface "outside" ?
>>>>
>>>> Pixen do not allow telnet to the outside interface w/o ipsec.
>>>> There are a number of ways out (ipsec, static to inside, etc).
>>>>
>>>> But what makes an interface an "outside" interface ? The name ?
>>>> The sec level ? Just curious if somebody knows (and lazy to go
>>>> and lab it up!)
>>>>
>>>> Regards,
>>>> -Carlos
>>>> --
>>>> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>> --
>> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>>

-- 
Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina
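As an added audit example (not code from the thread, from Cisco, or from any poster), the following Python check applies the rules discussed in this thread to a PIX/ASA 7.x running-config: each 'telnet <net> <mask> <nameif>' line only grants access on the named interface, the lowest-security interface refuses Telnet unless it arrives inside IPsec, and a nameif other than 'inside' defaults to security-level 0. The sample config is constructed from the one Carlos posted, with a hypothetical 'outside' interface and a wide-open telnet statement added so every branch is exercised.

```python
import re

# Constructed sample modelled on Carlos's posted config; the 'outside' interface is added.
SAMPLE_CONFIG = """\
interface Ethernet0
  nameif inside
  security-level 50
  ip address 192.168.100.21 255.255.0.0
!
interface Ethernet1
  nameif outside
  ip address 203.0.113.2 255.255.255.0
!
telnet 192.168.100.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
"""

def parse_interfaces(config):
    """Map nameif -> security-level; a nameif without an explicit
    security-level gets the PIX default (100 for 'inside', 0 otherwise)."""
    levels, name, level = {}, None, None
    for line in config.splitlines() + ["!"]:  # trailing '!' flushes the last block
        line = line.strip()
        if line == "!" or line.startswith("interface "):
            if name is not None:
                levels[name] = level if level is not None else (100 if name == "inside" else 0)
            name, level = None, None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level "):
            level = int(line.split()[1])
    return levels

def audit_telnet(config):
    """One (nameif, level, source, status) per 'telnet <net> <mask> <nameif>' line;
    'telnet timeout N' has only two arguments and is skipped by the regex."""
    levels = parse_interfaces(config)
    lowest = min(levels.values()) if levels else 0
    findings = []
    for net, mask, nameif in re.findall(r"^telnet (\S+) (\S+) (\S+)$", config, re.M):
        level = levels.get(nameif)
        status = ("unknown-interface" if level is None
                  else "blocked-without-ipsec" if level == lowest  # lowest-security interface refuses Telnet
                  else "review-non-100-level" if level < 100       # thread disputes whether Telnet answers here
                  else "permitted")
        if mask == "0.0.0.0":
            status += ",any-source"  # cleartext management reachable from any address
        findings.append((nameif, level, f"{net} {mask}", status))
    return findings
```

Run `audit_telnet(SAMPLE_CONFIG)` to get one tuple per telnet statement; a "blocked-without-ipsec" or "any-source" status is the line to review first.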


This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:53 ART