Re: PIX PROBLEM

From: Shahid Ansari (shahid1357@gmail.com)
Date: Wed Mar 18 2009 - 10:37:07 ART


If you use the set connection decrement-ttl command to just decrement the TTL value
in a non-bug release of the IOS, can you see the firewall in the traceroute output?

Thanks
Shahid Ansari

On Wed, Mar 18, 2009 at 4:12 PM, Farrukh Haroon <farrukhharoon@gmail.com> wrote:

> Edouard, this is nothing new, this is part of the 'security through
> obscurity' model employed by security devices. Even you cannot see the
> firewall in the traceroute output, as by default the Cisco firewalls do not
> decrement the TTL value.
>
> Regards
>
> Farrukh
>
> On Wed, Mar 18, 2009 at 4:02 PM, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
>
> > I have tested and you are right, I cannot ping the outside address from an
> > inside host even with the "management-access outside" command.
> >
> > Does anyone? I cannot believe I cannot ping!!!
> >
> > Regards
> >
> > ----- Original Message ----- From: "Farrukh Haroon" <farrukhharoon@gmail.com>
> > To: "marish shah" <contactmarish@gmail.com>
> > Cc: "groupstudy" <ccielab@groupstudy.com>
> > Sent: Tuesday, March 17, 2009 9:12 AM
> > Subject: Re: PIX PROBLEM
> >
> >
> >
> >> If you are trying to ping the DMZ interface's IP while coming from any other
> >> interface (outside or inside) it won't work! This is one of the 'elite'
> >> security features of the Cisco firewalls :)
> >>
> >> You can either ping the interface to which you are connected, or ping any
> >> device connected to the PIX on the DMZ segment.
> >>
> >> Regards
> >>
> >> Farrukh
> >>
> >> On Tue, Mar 17, 2009 at 1:37 PM, marish shah <contactmarish@gmail.com> wrote:
> >>
> >>> Hi guys,
> >>> I have a PIX 515 with inside to DMZ and DMZ to outside, but it's not working
> >>> because I can't ping my DMZ. Please check whether my configuration is OK or not.
> >>>
> >>> pix515e(config)# sh run
> >>> : Saved
> >>> :
> >>> PIX Version 6.2(2)
> >>> nameif ethernet0 outside security0
> >>> nameif ethernet1 inside security100
> >>> nameif ethernet2 DMZ security10
> >>> enable password uz71UN9FHpuvfuPq encrypted
> >>> passwd uz71UN9FHpuvfuPq encrypted
> >>> hostname pix515e
> >>> domain-name ciscopix.com
> >>> fixup protocol ftp 21
> >>> fixup protocol http 80
> >>> fixup protocol h323 h225 1720
> >>> fixup protocol h323 ras 1718-1719
> >>> fixup protocol ils 389
> >>> fixup protocol rsh 514
> >>> fixup protocol rtsp 554
> >>> fixup protocol sqlnet 1521
> >>> fixup protocol sip 5060
> >>> fixup protocol skinny 2000
> >>> no fixup protocol smtp 25
> >>> names
> >>> access-list acl_inside permit ip any any
> >>> access-list acl_inside permit tcp any host 192.168.4.40 eq 34336
> >>> access-list acl_inside permit tcp any host 192.168.4.40 eq 34334
> >>> access-list acl_inside permit tcp any host 192.168.4.40 eq 7777
> >>> access-list acl_inside permit tcp any host 192.168.4.40 eq 34335
> >>> access-list acl_inside permit tcp any any
> >>> access-list acl_inside permit ip any host 192.168.129.183
> >>> access-list acl_inside permit ip any host 192.168.130.176
> >>> access-list acl_outside permit icmp any any
> >>> access-list acl_outside permit tcp any host 192.168.129.183 eq 7777
> >>> access-list acl_outside permit tcp any host 192.168.129.183 eq 34335
> >>> access-list acl_outside permit tcp any host 192.168.130.176 eq 7777
> >>> access-list acl_outside permit tcp any host 192.168.130.176 eq 34335
> >>> access-list acl_outside permit tcp any host 192.168.129.183 eq 34336
> >>> access-list acl_outside permit tcp any host 192.168.130.176 eq 34334
> >>> access-list acl_outside permit tcp any any
> >>> access-list acl_outside permit ip any any
> >>> access-list acl_outside permit ip any host 192.168.130.176
> >>> access-list acl_DMZ permit icmp any any
> >>> access-list acl_DMZ permit tcp any any
> >>> access-list acl_DMZ permit ip any any
> >>> access-list acl_DMZ permit ip 192.168.130.0 255.255.255.0 any
> >>> access-list acl_DMZ permit tcp 192.168.130.0 255.255.255.0 any
> >>> access-list acl_DMZ permit ip any 192.168.130.0 255.255.255.0
> >>> access-list acl_DMZ permit tcp any 192.168.130.0 255.255.255.0
> >>> pager lines 24
> >>> logging host inside 192.168.4.155
> >>> interface ethernet0 auto
> >>> interface ethernet1 auto
> >>> interface ethernet2 auto
> >>> mtu outside 1500
> >>> mtu inside 1500
> >>> mtu DMZ 1500
> >>> ip address outside 192.168.129.197 255.255.255.0
> >>> ip address inside 192.168.6.239 255.255.255.0
> >>> ip address DMZ 192.168.130.197 255.255.255.0
> >>> ip audit info action alarm
> >>> ip audit attack action alarm
> >>> pdm logging informational 100
> >>> pdm history enable
> >>> arp timeout 14400
> >>> global (outside) 1 interface
> >>> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> >>> nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
> >>> static (DMZ,inside) tcp 192.168.4.40 34335 192.168.130.176 34335 netmask 255.255.255.255 0 0
> >>> static (inside,DMZ) tcp 192.168.130.176 34335 192.168.4.40 34335 netmask 255.255.255.255 0 0
> >>> static (inside,DMZ) 192.168.4.0 192.168.4.0 netmask 255.255.255.0 0 0
> >>> static (DMZ,inside) 192.168.130.0 192.168.130.0 netmask 255.255.255.0 0 0
> >>> static (DMZ,outside) 192.168.130.0 192.168.130.0 netmask 255.255.255.0 0 0
> >>> static (outside,DMZ) 192.168.129.0 192.168.129.0 netmask 255.255.255.0 0 0
> >>> access-group acl_outside in interface outside
> >>> access-group acl_inside in interface inside
> >>> access-group acl_DMZ in interface DMZ
> >>> route outside 0.0.0.0 0.0.0.0 192.168.129.253 1
> >>> route inside 192.168.4.0 255.255.255.0 192.168.6.239 1
> >>> timeout xlate 3:00:00
> >>> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> >>> timeout uauth 0:05:00 absolute
> >>> aaa-server TACACS+ protocol tacacs+
> >>> aaa-server RADIUS protocol radius
> >>> aaa-server LOCAL protocol local
> >>> http server enable
> >>> http 192.168.1.0 255.255.255.0 inside
> >>> http 192.168.4.0 255.255.255.0 inside
> >>> http 192.168.6.0 255.255.255.0 inside
> >>> no snmp-server location
> >>> no snmp-server contact
> >>> snmp-server community public
> >>> no snmp-server enable traps
> >>> floodguard enable
> >>> no sysopt route dnat
> >>> telnet 192.168.4.0 255.255.255.0 inside
> >>> telnet 192.168.1.1 255.255.255.255 inside
> >>> telnet 192.168.3.0 255.255.255.0 inside
> >>> telnet 192.168.6.0 255.255.255.0 inside
> >>> telnet 192.168.1.1 255.255.255.255 DMZ
> >>> telnet timeout 5
> >>> ssh timeout 5
> >>> dhcpd lease 3600
> >>> dhcpd ping_timeout 750
> >>> dhcpd auto_config outside
> >>> terminal width 80
> >>> Cryptochecksum:b97566d452e537c6a39fea284501b373
> >>> : end
> >>> pix515e(config)#
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >>
> >>
>
>

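Added example, not code from anyone in this thread: a small Python checker that reads access-list and access-group lines in the PIX 6.x syntax shown in the posted config and reports the `permit <proto> any any` catch-all entries (including the one applied inbound on the outside interface) and the entries they shadow. The embedded sample is a constructed subset of the posted ACLs.

```python
"""Audit PIX 6.x access-lists for catch-all and shadowed entries (added example)."""
import re

# Constructed subset of the config posted in this thread (the real ACLs are longer).
SAMPLE_CONFIG = """
access-list acl_inside permit ip any any
access-list acl_inside permit tcp any host 192.168.4.40 eq 34336
access-list acl_inside permit tcp any any
access-list acl_outside permit icmp any any
access-list acl_outside permit tcp any any
access-list acl_outside permit ip any any
access-list acl_DMZ permit icmp any any
access-list acl_DMZ permit ip any any
access-list acl_DMZ permit ip 192.168.130.0 255.255.255.0 any
access-group acl_outside in interface outside
access-group acl_inside in interface inside
access-group acl_DMZ in interface DMZ
"""

ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def parse_config(text):
    """Return ({acl: [(action, proto, rest), ...]}, {acl: interface}), in config order."""
    acls, bindings = {}, {}
    for line in text.strip().splitlines():
        if m := ACE_RE.match(line.strip()):
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append((action, proto, rest))
        elif m := GROUP_RE.match(line.strip()):
            bindings[m.group(1)] = m.group(2)
    return acls, bindings

def audit(acls, bindings):
    """Flag 'permit <proto> any any' entries and the entries they shadow; PIX evaluates
    top-down and 'ip' covers every protocol, so later entries become dead code."""
    findings = []
    for name, entries in acls.items():
        iface = bindings.get(name, "unbound")
        covered = set()  # protocols already permitted for any source and destination
        for idx, (action, proto, rest) in enumerate(entries, 1):
            if action == "permit" and ("ip" in covered or proto in covered):
                findings.append((name, iface, idx, "shadowed"))
            if action == "permit" and rest.split() == ["any", "any"]:
                findings.append((name, iface, idx, f"catch-all {proto}"))
                covered.add(proto)
    return findings

if __name__ == "__main__":
    print(*audit(*parse_config(SAMPLE_CONFIG)), sep="\n")
```

Each finding is (acl, interface it is applied inbound on, entry number, what was found); the `permit ip any any` on acl_outside is the one that matters most, since it is applied inbound on the outside interface.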



This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART