Re: What makes the outside interface "outside" ?

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Sat Mar 15 2008 - 13:06:28 ARST


To further clarify:

Rack05ASA/c1(config)# int eth 1
Rack05ASA/c1(config-if)# security-level 0

Switch1#telnet 10.10.10.10
Trying 10.10.10.10 ... Open

No username prompt...

ASA...actually it's a PIX :) log:

%PIX-4-402117: IPSEC: Received a non-IPSec packet (protocol= tcp) from 10.10.10.222 to 10.10.10.10.

Rack05ASA/c1(config)# int eth 1
%PIX-5-111008: User 'enable_15' executed the 'interface Ethernet 1' command.
Rack05ASA/c1(config-if)# security-level 1

Switch1#telnet 10.10.10.10
Trying 10.10.10.10 ... Open

User Access Verification

Password

%PIX-7-710002: TCP access permitted from 10.10.10.222/65025 to Inside:10.10.10.10/telnet

HTH :)

Farrukh

On Sat, Mar 15, 2008 at 6:00 PM, Farrukh Haroon <farrukhharoon@gmail.com>
wrote:

> Ok..I really did not want to hear the sound of my lab again (for a few
> weeks)......but u forced me :)
>
> Switch1#telnet 10.10.10.10
> Trying 10.10.10.10 ... Open
>
> User Access Verification
>
> Password:
> Type help or '?' for a list of available commands.
> Rack05ASA/c1>en
>
> show run interface
> interface Ethernet1
> nameif Inside
> *security-level 1*
> ip address 10.10.10.10 255.255.255.0 standby 10.10.10.253
>
> Cisco PIX Security Appliance Software Version 7.2(1)
>
> Rack05ASA/c1(config)# show conn all
> 3 in use, 3 most used
> *TCP out 10.10.10.222:63489 in 10.10.10.10:23 idle 0:00:03 bytes 362 flags
> UIOB*
>
> Regards
>
> Farrukh (CCIE # 20184 - Security)
>
> On Sat, Mar 15, 2008 at 5:35 PM, Carlos G Mendioroz <tron@huapi.ba.ar>
> wrote:
>
> > Just for the record, I repeated the test of taking an
> > inside interface to a level <> 100 and that locks telnet out.
> >
> > pixfirewall(config-if)# sh run int
> > !
> > interface Ethernet0
> > nameif inside
> > security-level 50
> > ip address 192.168.100.21 255.255.0.0
> > !
> > interface Ethernet1
> > shutdown
> > no nameif
> > no security-level
> > no ip address
> > pixfirewall(config-if)# sh run telnet
> > telnet 192.168.100.0 255.255.255.0 inside
> > telnet timeout 5
> > pixfirewall(config-if)# sh ver
> >
> > Cisco PIX Security Appliance Software Version 7.2(2)
> >
> > Compiled on Wed 22-Nov-06 14:16 by builders
> > System image file is "flash:/pix722.bin"
> > Config file at boot was "startup-config"
> >
> > pixfirewall up 15 hours 22 mins
> >
> > Hardware: PIX-515, 128 MB RAM, CPU Pentium 200 MHz
> > Flash i28F640J5 @ 0x300, 16MB
> > BIOS Flash AT29C257 @ 0xfffd8000, 32KB
> >
> > -Carlos
> >
> > Farrukh Haroon @ 14/03/2008 17:37 -0200 dixit:
> > > Carlos I'm afraid your findings are incorrect, one can telnet to
> > > security level 90 or all the way up to sec-level 1 interfaces, as long
> > > as the appropriate 'telnet <ip> <mask> <interface>' command is there.
> > >
> > > One cannot telnet to the outside (sec-level 0) interface. A VPN
> > > connection needs to be set up in order to make that work. SSH works of
> > > course.
> > >
> > > Regarding the original question, the 'nameif outside' command tells
> > > the PIX/ASA which interface is the outside. For any nameif other than
> > > 'inside', the OS automatically sets the security-level to 0 (this
> > > includes nameif outside, dmz, internet, abcd etc).
> > >
> > > "no takers on why transparent pix does PING destination to learn its
> > > mac?"
> > >
> > > Can you please clarify your question there? Are you referring to this:
> > >
> > >
> > > http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/bridgarp.html#wp1039938
> > >
> > > "Packets for remote devices The security appliance generates a ping to
> > > the destination IP address so that the security appliance can learn
> > > which interface receives the ping reply."
> > >
> > > If Yes, then CCO answers your question: "so that the security
> > > appliance can learn which interface receives the ping reply"
> > >
> > > Regards
> > >
> > > Farrukh (CCIE # 20184 - Security)
> > >
> > > On Fri, Mar 14, 2008 at 9:55 PM, Carlos G Mendioroz <tron@huapi.ba.ar>
> > > wrote:
> > >
> > >> You need, try it.
> > >> Seeing I'm not the only one, I did lab it (7.2).
> > >> And the answer is ... security_level <> 100.
> > >>
> > >> I made an interface "outside" and could login w/o trouble.
> > >> But as soon as I changed the sec level to 90, the telnet connects
> > >> but you get no service (i.e. no password or login prompt)
> > >>
> > >> So telnet only works on sec level 100 interfaces (which is an ok
> > >> policy for me!, just wanted to know it :)
> > >>
> > >> -Carlos
> > >> P.S.
> > >> no takers on why transparent pix does PING destination to learn its
> > >> mac?
> > >>
> > >> Hoogen @ 14/3/2008 16:30 -0600 dixit:
> > >>> I don't think you need a static nat statement...just enabling telnet
> > >>> on the outside interface is good enough...
> > >>>
> > >>> Well Carlos you are right you can name anything you like
> > >>> to...outside is just that mostly internet links are connected
> > >>> to...so the outside world can access it..least secure zone..usually
> > >>> zero...But you can even name it internet give it a security level of
> > >>> 30 too...just have to remember that your more secure zones...servers
> > >>> placed in dmz or your internal lan inside zones need to have more
> > >>> security level..and not lesser than the outside or internet zone...
> > >>>
> > >>> -Hoogen
> > >>>
> > >>>
> > >>> On 3/14/08, Tony Varriale <tvarriale@flamboyaninc.com> wrote:
> > >>>> The nameif command and the security-level.
> > >>>>
> > >>>>
> > >>>> Tony
> > >>>>
> > >>>> -----Original Message-----
> > >>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > Behalf Of
> > >>>> Carlos G Mendioroz
> > >>>> Sent: Friday, March 14, 2008 11:59 AM
> > >>>> To: ccielab@groupstudy.com
> > >>>> Subject: OT?: What makes the outside interface "outside" ?
> > >>>>
> > >>>> Pixen do not allow telnet to the outside interface w/o ipsec.
> > >>>> There are a number of ways out (ipsec, static to inside, etc).
> > >>>>
> > >>>> But what makes an interface an "outside" interface ? The name ?
> > >>>> The sec level ? Just curious if somebody knows (and lazy to go
> > >>>> and lab it up!)
> > >>>>
> > >>>> Regards,
> > >>>> -Carlos
> > >>>> --
> > >>>> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
> > >>>>
> > >>>>
> > >>>> _______________________________________________________________________
> > >>>> Subscription information may be found at:
> > >>>> http://www.groupstudy.com/list/CCIELab.html
> > >>>
> > >> --
> > >> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
> > >>
> > >
> > >
> >
> > --
> > Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
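
Added example for this thread (not code from the list, from Cisco, or from any of the posters): a small Python checker that parses the interface and telnet stanzas of a PIX/ASA 'show run' and applies the two rules the thread settles on, namely that a 'telnet <net> <mask> <nameif>' rule gives no login prompt on a security-level 0 interface unless the session rides inside IPsec, and that an interface whose nameif is anything other than 'inside' defaults to security-level 0 when no 'security-level' line is present. Because Farrukh got a prompt at level 1 while Carlos was locked out on a lone level-50 interface, the checker only flags levels between 1 and 99 for manual verification rather than calling them refused. The sample config, the issue codes and the function names are constructed for the example; the addresses are RFC 1918 / documentation ranges.

```python
"""Audit PIX/ASA 'telnet' management rules against interface security levels.
Hypothetical checker written for this thread, not Cisco code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the 'show run interface' / 'show run telnet'
# output quoted in the thread. Ethernet0 deliberately has no security-level
# line so the default rule (non-inside nameif -> 0) is exercised.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 192.0.2.10 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.10 255.255.255.0 standby 10.10.10.253
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
telnet 10.10.10.0 255.255.255.0 inside
telnet 172.16.1.0 255.255.255.0 dmz
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
"""

@dataclass
class Interface:
    name: str
    nameif: Optional[str] = None
    security_level: Optional[int] = None   # None = no explicit security-level line
    ip: Optional[str] = None

TelnetRule = Tuple[str, str, str]  # (source network, mask, nameif)

def default_security_level(nameif: str) -> int:
    """Default the OS applies when 'security-level' is absent (per the thread)."""
    return 100 if nameif == "inside" else 0

def parse_config(text: str) -> Tuple[Dict[str, Interface], List[TelnetRule]]:
    """Pull interface blocks and telnet rules out of show-run style text."""
    interfaces: Dict[str, Interface] = {}
    rules: List[TelnetRule] = []
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.strip()            # pasted output is often un-indented
        if not line or line == "!":   # '!' closes an interface block
            current = None
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = Interface(name=m.group(1))
            interfaces[current.name] = current
            continue
        parts = line.split()
        if parts[0] == "telnet":      # 'telnet timeout N' is not a rule
            current = None
            if parts[1] != "timeout" and len(parts) == 4:
                rules.append((parts[1], parts[2], parts[3]))
            continue
        if current is None:
            continue
        if parts[0] == "nameif" and len(parts) == 2:
            current.nameif = parts[1]
        elif parts[0] == "security-level" and len(parts) == 2:
            current.security_level = int(parts[1])
        elif parts[:2] == ["ip", "address"] and len(parts) >= 3:
            current.ip = parts[2]
    return interfaces, rules

def effective_levels(interfaces: Dict[str, Interface]) -> Dict[str, int]:
    """Map nameif -> effective security level, filling in the default."""
    levels: Dict[str, int] = {}
    for itf in interfaces.values():
        if itf.nameif is None:        # shut-down / un-named interfaces carry no level
            continue
        levels[itf.nameif] = (itf.security_level if itf.security_level is not None
                              else default_security_level(itf.nameif))
    return levels

def audit_telnet(text: str) -> List[Tuple[str, Optional[int], str]]:
    """Return (nameif, effective level, issue) findings, one per problem."""
    interfaces, rules = parse_config(text)
    levels = effective_levels(interfaces)
    findings: List[Tuple[str, Optional[int], str]] = []
    for src, mask, ifname in rules:
        level = levels.get(ifname)
        if level is None:
            findings.append((ifname, None, "NO_SUCH_NAMEIF"))
            continue
        if level == 0:                # thread: connection opens, no prompt, unless IPsec
            findings.append((ifname, level, "LEVEL0_REFUSED_WITHOUT_IPSEC"))
        elif level < 100:             # thread's two labs disagree here; check by hand
            findings.append((ifname, level, "LEVEL_BELOW_100_VERIFY"))
        if src == "0.0.0.0" and mask == "0.0.0.0":
            findings.append((ifname, level, "ANY_SOURCE"))
    return findings

if __name__ == "__main__":
    for ifname, level, issue in audit_telnet(SAMPLE_CONFIG):
        print(f"{ifname:8} level={level} {issue}")
```

Run against the sample it reports the dmz rule for verification and the outside rule twice: once because the interface sits at the default level 0, where the rule never yields a prompt without IPsec, and once because it is open to any source. Feed it the text of 'show run interface' followed by 'show run telnet' from a real box and it ignores the prompts and any other lines.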



This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:53 ART