From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Sat Mar 15 2008 - 13:00:22 ARST
Ok.. I really did not want to hear the sound of my lab again (for a few
weeks)...... but you forced me :)
Switch1#telnet 10.10.10.10
Trying 10.10.10.10 ... Open
User Access Verification
Password:
Type help or '?' for a list of available commands.
Rack05ASA/c1>en
show run interface
interface Ethernet1
nameif Inside
*security-level 1*
ip address 10.10.10.10 255.255.255.0 standby 10.10.10.253
Cisco PIX Security Appliance Software Version 7.2(1)
Rack05ASA/c1(config)# show conn all
3 in use, 3 most used
*TCP out 10.10.10.222:63489 in 10.10.10.10:23 idle 0:00:03 bytes 362 flags UIOB*
Regards
Farrukh (CCIE # 20184 - Security)
On Sat, Mar 15, 2008 at 5:35 PM, Carlos G Mendioroz <tron@huapi.ba.ar>
wrote:
> Just for the record, I repeated the test of taking an
> inside interface to a level <> 100 and that locks telnet out.
>
> pixfirewall(config-if)# sh run int
> !
> interface Ethernet0
> nameif inside
> security-level 50
> ip address 192.168.100.21 255.255.0.0
> !
> interface Ethernet1
> shutdown
> no nameif
> no security-level
> no ip address
> pixfirewall(config-if)# sh run telnet
> telnet 192.168.100.0 255.255.255.0 inside
> telnet timeout 5
> pixfirewall(config-if)# sh ver
>
> Cisco PIX Security Appliance Software Version 7.2(2)
>
> Compiled on Wed 22-Nov-06 14:16 by builders
> System image file is "flash:/pix722.bin"
> Config file at boot was "startup-config"
>
> pixfirewall up 15 hours 22 mins
>
> Hardware: PIX-515, 128 MB RAM, CPU Pentium 200 MHz
> Flash i28F640J5 @ 0x300, 16MB
> BIOS Flash AT29C257 @ 0xfffd8000, 32KB
>
> -Carlos
>
> Farrukh Haroon @ 14/03/2008 17:37 -0200 dixit:
> > Carlos I'm afraid your findings are incorrect, one can telnet to security
> > level 90 or all the way up to sec-level 1 interfaces, as long as the
> > appropriate 'telnet <ip> <mask> <interface>' command is there.
> >
> > One cannot telnet to the outside (sec-level 0) interface. A VPN connection
> > needs to be set up in order to make that work. SSH works of course.
> >
> > Regarding the original question, the 'nameif outside' command tells the
> > PIX/ASA which interface is the outside. For any nameif other than 'inside',
> > the OS automatically sets the security-level to 0 (this includes nameif
> > outside, dmz, internet, abcd etc).
> >
> > "no takers on why transparent pix does PING destination to learn its mac?"
> >
> > Can you please clarify your question there? Are you referring to this:
> >
> >
> > http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/bridgarp.html#wp1039938
> >
> > "Packets for remote devices The security appliance generates a ping to the
> > destination IP address so that the security appliance can learn which
> > interface receives the ping reply."
> >
> > If Yes, then CCO answers your question: "so that the security appliance can
> > learn which interface receives the ping reply"
> >
> > Regards
> >
> > Farrukh (CCIE # 20184 - Security)
> >
> > On Fri, Mar 14, 2008 at 9:55 PM, Carlos G Mendioroz <tron@huapi.ba.ar>
> > wrote:
> >
> >> You need, try it.
> >> Seeing I'm not the only one, I did lab it (7.2).
> >> And the answer is ... security_level <> 100.
> >>
> >> I made an interface "outside" and could login w/o trouble.
> >> But as soon as I changed the sec level to 90, the telnet connects
> >> but you get no service (i.e. no password or login prompt)
> >>
> >> So telnet only works on sec level 100 interfaces (which is an ok
> >> policy for me!, just wanted to know it :)
> >>
> >> -Carlos
> >> P.S.
> >> no takers on why transparent pix does PING destination to learn its mac?
> >>
> >> Hoogen @ 14/3/2008 16:30 -0600 dixit:
> >>> I don't think you need a static nat statement...just enabling telnet on
> >>> the outside interface is good enough...
> >>>
> >>> Well Carlos you are right you can name anything you like to...outside is
> >>> just that mostly internet links are connected to...so the outside world
> >>> can access it..least secure zone..usually zero...But you can even name it
> >>> internet give it a security level of 30 too...just have to remember that
> >>> your more secure zones...servers placed in dmz or your internal lan inside
> >>> zones need to have more security level..and not lesser than the outside
> >>> or internet zone...
> >>>
> >>> -Hoogen
> >>>
> >>>
> >>> On 3/14/08, Tony Varriale <tvarriale@flamboyaninc.com> wrote:
> >>>> The nameif command and the security-level.
> >>>>
> >>>>
> >>>> Tony
> >>>>
> >>>> -----Original Message-----
> >>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >>>> Carlos G Mendioroz
> >>>> Sent: Friday, March 14, 2008 11:59 AM
> >>>> To: ccielab@groupstudy.com
> >>>> Subject: OT?: What makes the outside interface "outside" ?
> >>>>
> >>>> Pixen do not allow telnet to the outside interface w/o ipsec.
> >>>> There are a number of ways out (ipsec, static to inside, etc).
> >>>>
> >>>> But what makes an interface an "outside" interface ? The name ?
> >>>> The sec level ? Just curious if somebody knows (and lazy to go
> >>>> and lab it up!)
> >>>>
> >>>> Regards,
> >>>> -Carlos
> >>>> --
> >>>> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
> >>>>
> >>>>
> >>>> _______________________________________________________________________
> >>>> Subscription information may be found at:
> >>>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >> --
> >> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
> >>
> >
>
> --
> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
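The thread turns on which interface a `telnet <ip> <mask> <interface>` line actually exposes management access on, and what security level that interface carries (explicit `security-level`, or the default Farrukh describes: `inside` gets 100, any other `nameif` gets 0). The following is an added example, written for this archive page and not code from any of the posters: a small Python audit that parses a PIX/ASA `show run` fragment in the format quoted above and reports, per `telnet` statement, the effective security level of the named interface. It does not try to settle the 7.2(1) versus 7.2(2) disagreement; it only classifies each line so a reviewer can see telnet permitted on a level-0 (outside) interface, on an interface below 100, or on a `nameif` that does not exist. The sample config, its addresses and interface names, the function names, and the case-insensitive match on `inside` are all assumptions of this example.

```python
"""Audit PIX/ASA `telnet` management-access lines against interface
security levels. Added example for the mailing-list thread; the config
below is constructed, not any poster's real device."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str                            # physical name, e.g. Ethernet0
    nameif: Optional[str] = None         # logical name from `nameif`
    security_level: Optional[int] = None # explicit `security-level`, if any
    ip: Optional[str] = None             # primary address from `ip address`


def effective_security_level(iface: Interface) -> Optional[int]:
    """Explicit level when configured; otherwise the default described in
    the thread: 'inside' -> 100, any other nameif -> 0.  Case-insensitive
    comparison is an assumption of this example."""
    if iface.security_level is not None:
        return iface.security_level
    if iface.nameif is None:
        return None
    return 100 if iface.nameif.lower() == "inside" else 0


def parse_config(text: str) -> Tuple[Dict[str, Interface], List[Tuple[str, str, str]]]:
    """Return (interfaces by physical name, [(network, mask, nameif), ...]).
    Only the handful of commands the thread shows are understood."""
    interfaces: Dict[str, Interface] = {}
    telnet: List[Tuple[str, str, str]] = []
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None               # '!' closes an interface block
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = Interface(m.group(1))
            interfaces[current.name] = current
            continue
        m = re.match(r"telnet (\S+) (\S+) (\S+)$", line)
        if m:                            # `telnet timeout N` has only two args and is skipped
            telnet.append(m.groups())
            current = None
            continue
        if current is None:
            continue
        if line.startswith("nameif "):
            current.nameif = line.split()[1]
        elif line.startswith("no nameif"):
            current.nameif = None
        elif line.startswith("security-level "):
            current.security_level = int(line.split()[1])
        elif line.startswith("no security-level"):
            current.security_level = None
        elif line.startswith("ip address "):
            current.ip = line.split()[2]
    return interfaces, telnet


def audit_telnet(text: str) -> List[dict]:
    """Classify every `telnet` line by the security level of its interface."""
    interfaces, telnet = parse_config(text)
    by_nameif = {i.nameif: i for i in interfaces.values() if i.nameif}
    findings = []
    for net, mask, ifname in telnet:
        iface = by_nameif.get(ifname)
        level = effective_security_level(iface) if iface else None
        if iface is None:
            cls = "unknown-interface"    # telnet line names a nameif that is not configured
        elif level == 0:
            cls = "outside"              # thread agrees: no telnet here without IPsec/VPN
        elif level < 100:
            cls = "below-100"            # behaviour disputed in the thread; review
        else:
            cls = "level-100"
        findings.append({"interface": ifname, "network": net, "mask": mask,
                         "level": level, "class": cls})
    return findings


# Constructed sample modelled on the `show run` fragments quoted in the thread.
SAMPLE_CONFIG = """
!
interface Ethernet0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.100.21 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.10.10.10 255.255.255.0
!
telnet 192.168.100.0 255.255.255.0 inside
telnet 10.10.10.0 255.255.255.0 dmz
telnet 203.0.113.0 255.255.255.0 outside
telnet 10.99.0.0 255.255.0.0 mgmt
telnet timeout 5
"""

if __name__ == "__main__":
    for f in audit_telnet(SAMPLE_CONFIG):
        print(f"telnet {f['network']} {f['mask']} {f['interface']}: "
              f"level={f['level']} -> {f['class']}")
```

Run it against a pasted `show run` and read the `class` column: `outside` lines are the ones both posters agree will never yield a prompt without IPsec, `below-100` lines are the case the two labs disagreed on, and `unknown-interface` lines usually mean a `nameif` was renamed after the `telnet` statement was written.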
This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:53 ART