From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Wed Mar 18 2009 - 10:41:35 ART
So, "management-access <zone>" only works with IPSec, my bad! I thought I
could do the same with clear traffic.
From:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1794331
"This command allows you to connect to an interface other than the one you
entered the security appliance from when using IPSec VPN. For example, if
you enter the security appliance from the outside interface, this command
lets you connect to the inside interface using Telnet; or you can ping the
inside interface when entering from the outside interface. "
So, security by obscurity should also work here. I am going down ...
Thanks for clarifying.
----- Original Message -----
From: "Farrukh Haroon" <farrukhharoon@gmail.com>
To: "Edouard Zorrilla" <ezorrilla@tsf.com.pe>
Cc: "marish shah" <contactmarish@gmail.com>; "groupstudy"
<ccielab@groupstudy.com>
Sent: Wednesday, March 18, 2009 8:12 AM
Subject: Re: PIX PROBLEM
> Edouard, this is nothing new, this is part of the 'security through
> obscurity' model employed by security devices. Even you cannot see the
> firewall in the traceroute output, as by default the Cisco firewalls do
> not decrement the TTL value.
>
> Regards
>
> Farrukh
>
> On Wed, Mar 18, 2009 at 4:02 PM, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
>
>> I have tested and you are right, I cannot ping the outside address from an
>> inside host even with the "management-access outside" command.
>>
>> Does anyone? I cannot believe I cannot ping!
>>
>> Regards
>>
>> ----- Original Message -----
>> From: "Farrukh Haroon" <farrukhharoon@gmail.com>
>> To: "marish shah" <contactmarish@gmail.com>
>> Cc: "groupstudy" <ccielab@groupstudy.com>
>> Sent: Tuesday, March 17, 2009 9:12 AM
>> Subject: Re: PIX PROBLEM
>>
>>
>>
>>> If you are trying to ping the DMZ interface's IP while coming from any
>>> other interface (outside or inside) it won't work! This is one of the
>>> 'elite' security features of the Cisco firewalls :)
>>>
>>> You can either ping the interface to which you are connected, or ping
>>> any device connected to the PIX on the DMZ segment.
>>>
>>> Regards
>>>
>>> Farrukh
>>>
>>> On Tue, Mar 17, 2009 at 1:37 PM, marish shah <contactmarish@gmail.com> wrote:
>>>
>>>> Hi guys,
>>>> I have a PIX 515 with inside to DMZ and DMZ to outside, but it's not
>>>> working because I can't ping my DMZ. Please check whether my
>>>> configuration is OK or not.
>>>>
>>>> pix515e(config)# sh run
>>>> : Saved
>>>> :
>>>> PIX Version 6.2(2)
>>>> nameif ethernet0 outside security0
>>>> nameif ethernet1 inside security100
>>>> nameif ethernet2 DMZ security10
>>>> enable password uz71UN9FHpuvfuPq encrypted
>>>> passwd uz71UN9FHpuvfuPq encrypted
>>>> hostname pix515e
>>>> domain-name ciscopix.com
>>>> fixup protocol ftp 21
>>>> fixup protocol http 80
>>>> fixup protocol h323 h225 1720
>>>> fixup protocol h323 ras 1718-1719
>>>> fixup protocol ils 389
>>>> fixup protocol rsh 514
>>>> fixup protocol rtsp 554
>>>> fixup protocol sqlnet 1521
>>>> fixup protocol sip 5060
>>>> fixup protocol skinny 2000
>>>> no fixup protocol smtp 25
>>>> names
>>>> access-list acl_inside permit ip any any
>>>> access-list acl_inside permit tcp any host 192.168.4.40 eq 34336
>>>> access-list acl_inside permit tcp any host 192.168.4.40 eq 34334
>>>> access-list acl_inside permit tcp any host 192.168.4.40 eq 7777
>>>> access-list acl_inside permit tcp any host 192.168.4.40 eq 34335
>>>> access-list acl_inside permit tcp any any
>>>> access-list acl_inside permit ip any host 192.168.129.183
>>>> access-list acl_inside permit ip any host 192.168.130.176
>>>> access-list acl_outside permit icmp any any
>>>> access-list acl_outside permit tcp any host 192.168.129.183 eq 7777
>>>> access-list acl_outside permit tcp any host 192.168.129.183 eq 34335
>>>> access-list acl_outside permit tcp any host 192.168.130.176 eq 7777
>>>> access-list acl_outside permit tcp any host 192.168.130.176 eq 34335
>>>> access-list acl_outside permit tcp any host 192.168.129.183 eq 34336
>>>> access-list acl_outside permit tcp any host 192.168.130.176 eq 34334
>>>> access-list acl_outside permit tcp any any
>>>> access-list acl_outside permit ip any any
>>>> access-list acl_outside permit ip any host 192.168.130.176
>>>> access-list acl_DMZ permit icmp any any
>>>> access-list acl_DMZ permit tcp any any
>>>> access-list acl_DMZ permit ip any any
>>>> access-list acl_DMZ permit ip 192.168.130.0 255.255.255.0 any
>>>> access-list acl_DMZ permit tcp 192.168.130.0 255.255.255.0 any
>>>> access-list acl_DMZ permit ip any 192.168.130.0 255.255.255.0
>>>> access-list acl_DMZ permit tcp any 192.168.130.0 255.255.255.0
>>>> pager lines 24
>>>> logging host inside 192.168.4.155
>>>> interface ethernet0 auto
>>>> interface ethernet1 auto
>>>> interface ethernet2 auto
>>>> mtu outside 1500
>>>> mtu inside 1500
>>>> mtu DMZ 1500
>>>> ip address outside 192.168.129.197 255.255.255.0
>>>> ip address inside 192.168.6.239 255.255.255.0
>>>> ip address DMZ 192.168.130.197 255.255.255.0
>>>> ip audit info action alarm
>>>> ip audit attack action alarm
>>>> pdm logging informational 100
>>>> pdm history enable
>>>> arp timeout 14400
>>>> global (outside) 1 interface
>>>> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>>>> nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
>>>> static (DMZ,inside) tcp 192.168.4.40 34335 192.168.130.176 34335 netmask 255.255.255.255 0 0
>>>> static (inside,DMZ) tcp 192.168.130.176 34335 192.168.4.40 34335 netmask 255.255.255.255 0 0
>>>> static (inside,DMZ) 192.168.4.0 192.168.4.0 netmask 255.255.255.0 0 0
>>>> static (DMZ,inside) 192.168.130.0 192.168.130.0 netmask 255.255.255.0 0 0
>>>> static (DMZ,outside) 192.168.130.0 192.168.130.0 netmask 255.255.255.0 0 0
>>>> static (outside,DMZ) 192.168.129.0 192.168.129.0 netmask 255.255.255.0 0 0
>>>> access-group acl_outside in interface outside
>>>> access-group acl_inside in interface inside
>>>> access-group acl_DMZ in interface DMZ
>>>> route outside 0.0.0.0 0.0.0.0 192.168.129.253 1
>>>> route inside 192.168.4.0 255.255.255.0 192.168.6.239 1
>>>> timeout xlate 3:00:00
>>>> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
>>>> timeout uauth 0:05:00 absolute
>>>> aaa-server TACACS+ protocol tacacs+
>>>> aaa-server RADIUS protocol radius
>>>> aaa-server LOCAL protocol local
>>>> http server enable
>>>> http 192.168.1.0 255.255.255.0 inside
>>>> http 192.168.4.0 255.255.255.0 inside
>>>> http 192.168.6.0 255.255.255.0 inside
>>>> no snmp-server location
>>>> no snmp-server contact
>>>> snmp-server community public
>>>> no snmp-server enable traps
>>>> floodguard enable
>>>> no sysopt route dnat
>>>> telnet 192.168.4.0 255.255.255.0 inside
>>>> telnet 192.168.1.1 255.255.255.255 inside
>>>> telnet 192.168.3.0 255.255.255.0 inside
>>>> telnet 192.168.6.0 255.255.255.0 inside
>>>> telnet 192.168.1.1 255.255.255.255 DMZ
>>>> telnet timeout 5
>>>> ssh timeout 5
>>>> dhcpd lease 3600
>>>> dhcpd ping_timeout 750
>>>> dhcpd auto_config outside
>>>> terminal width 80
>>>> Cryptochecksum:b97566d452e537c6a39fea284501b373
>>>> : end
>>>> pix515e(config)#
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART
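As an added example that is not part of this thread and not any Cisco tool: a small Python checker, written for this page, that parses the `access-list` lines of the PIX configuration quoted above and reports entries that an earlier, broader entry makes unreachable under first-match evaluation. On the quoted config the `permit ip any any` at the head of acl_inside and the third line of acl_DMZ make every later entry in those lists dead, and acl_outside ends in `permit ip any any` as well, so all three interfaces are effectively open regardless of the per-host rules. The sample below is a constructed, abridged excerpt of that configuration; the parser only models the `any`, `host`, network/mask and `eq` forms that appear there.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: an abridged excerpt of the access-list lines from the
# PIX 6.2(2) configuration quoted in this thread (quote markers stripped).
SAMPLE_CONFIG = """\
access-list acl_inside permit ip any any
access-list acl_inside permit tcp any host 192.168.4.40 eq 34336
access-list acl_inside permit tcp any host 192.168.4.40 eq 34334
access-list acl_inside permit tcp any host 192.168.4.40 eq 7777
access-list acl_inside permit tcp any host 192.168.4.40 eq 34335
access-list acl_inside permit tcp any any
access-list acl_inside permit ip any host 192.168.129.183
access-list acl_inside permit ip any host 192.168.130.176
access-list acl_outside permit icmp any any
access-list acl_outside permit tcp any host 192.168.129.183 eq 7777
access-list acl_outside permit tcp any any
access-list acl_outside permit ip any any
access-list acl_outside permit ip any host 192.168.130.176
access-list acl_DMZ permit icmp any any
access-list acl_DMZ permit tcp any any
access-list acl_DMZ permit ip any any
access-list acl_DMZ permit ip 192.168.130.0 255.255.255.0 any
access-list acl_DMZ permit tcp 192.168.130.0 255.255.255.0 any
access-list acl_DMZ permit ip any 192.168.130.0 255.255.255.0
access-list acl_DMZ permit tcp any 192.168.130.0 255.255.255.0
"""

@dataclass
class Rule:
    acl: str
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]  # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None = any destination port
    text: str

def _addr(tok, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _port(tok, i):
    """Consume an optional 'eq N' operator; other operators are not modelled here."""
    if i + 1 < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def parse_acls(config):
    """Parse 'access-list NAME ACTION PROTO SRC [eq N] DST [eq N]' lines into Rules."""
    rules = []
    for n, raw in enumerate(config.splitlines(), 1):
        tok = raw.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        rules.append(Rule(tok[1], n, tok[2], tok[3], src, sport, dst, dport, raw))
    return rules

def covers(a, b):
    """True if every packet the later rule b matches is already matched by earlier rule a."""
    return (a.acl == b.acl and a.proto in ("ip", b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.sport in (None, b.sport) and a.dport in (None, b.dport))

def find_shadowed(rules):
    """Return (later, earlier) pairs: first-match order makes `later` unreachable."""
    hits = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                hits.append((later, earlier))
                break
    return hits

def summarize(config):
    """Per ACL: rule count, shadowed count, and whether it contains 'permit ip any any'."""
    rules = parse_acls(config)
    dead = {later.line for later, _ in find_shadowed(rules)}
    out = {}
    for r in rules:
        s = out.setdefault(r.acl, {"rules": 0, "shadowed": 0, "permit_ip_any_any": False})
        s["rules"] += 1
        s["shadowed"] += int(r.line in dead)
        if (r.action, r.proto, r.src.prefixlen, r.dst.prefixlen, r.sport, r.dport) == \
                ("permit", "ip", 0, 0, None, None):
            s["permit_ip_any_any"] = True
    return out
```

Running `summarize(SAMPLE_CONFIG)` reports 7 of 8 acl_inside entries and 4 of 7 acl_DMZ entries as shadowed, and a `permit ip any any` in all three lists. The ping behaviour discussed in the thread is a property of the firewall itself and is unrelated to this policy; the point of the check is that a list which is open anyway gives the per-host entries no effect, so tightening it means placing the specific permits first and removing the catch-all.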