From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Thu Mar 19 2009 - 06:10:28 ART
I tested it with some 7.2.x release (don't remember which) a year ago; it did not
work for me. But it should, as per CCO.
As you hinted, there was a serious bug with this feature announced by Cisco.
Regards
Farrukh
On Wed, Mar 18, 2009 at 4:37 PM, Shahid Ansari <shahid1357@gmail.com> wrote:
>
>
> If you use the set connection decrement-ttl command to just decrement the TTL
> value (in a non-bug IOS release), can you see the firewall in the traceroute
> output?
>
>
> Thanks
> Shahid Ansari
>
>
>
>
> On Wed, Mar 18, 2009 at 4:12 PM, Farrukh Haroon <farrukhharoon@gmail.com> wrote:
>
>> Edouard, this is nothing new; this is part of the 'security through
>> obscurity' model employed by security devices. You cannot even see the
>> firewall in the traceroute output, as by default the Cisco firewalls do not
>> decrement the TTL value.
>>
>> Regards
>>
>> Farrukh
>>
>> On Wed, Mar 18, 2009 at 4:02 PM, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
>>
>> > I have tested and you are right, I cannot ping the outside address from an
>> > inside host even with the "management-access outside" command.
>> >
>> > Can anyone? I cannot believe I cannot ping!!!
>> >
>> > Regards
>> >
>> > ----- Original Message ----- From: "Farrukh Haroon" <
>> > farrukhharoon@gmail.com>
>> > To: "marish shah" <contactmarish@gmail.com>
>> > Cc: "groupstudy" <ccielab@groupstudy.com>
>> > Sent: Tuesday, March 17, 2009 9:12 AM
>> > Subject: Re: PIX PROBLEM
>> >
>> >
>> >
>> >> If you are trying to ping the DMZ interface's IP while coming from any
>> >> other interface (outside or inside), it won't work! This is one of the
>> >> 'elite' security features of the Cisco firewalls :)
>> >>
>> >> You can either ping the interface to which you are connected, or ping any
>> >> device connected to the PIX on the DMZ segment.
>> >>
>> >> Regards
>> >>
>> >> Farrukh
>> >>
>> >> On Tue, Mar 17, 2009 at 1:37 PM, marish shah <contactmarish@gmail.com> wrote:
>> >>
>> >> Hi guys ,
>> >>> I have a PIX 515, inside to DMZ and DMZ to outside, but it's not working
>> >>> because I can't ping my DMZ. Please check whether my configuration is OK or not.
>> >>>
>> >>> pix515e(config)# sh run
>> >>> : Saved
>> >>> :
>> >>> PIX Version 6.2(2)
>> >>> nameif ethernet0 outside security0
>> >>> nameif ethernet1 inside security100
>> >>> nameif ethernet2 DMZ security10
>> >>> enable password uz71UN9FHpuvfuPq encrypted
>> >>> passwd uz71UN9FHpuvfuPq encrypted
>> >>> hostname pix515e
>> >>> domain-name ciscopix.com
>> >>> fixup protocol ftp 21
>> >>> fixup protocol http 80
>> >>> fixup protocol h323 h225 1720
>> >>> fixup protocol h323 ras 1718-1719
>> >>> fixup protocol ils 389
>> >>> fixup protocol rsh 514
>> >>> fixup protocol rtsp 554
>> >>> fixup protocol sqlnet 1521
>> >>> fixup protocol sip 5060
>> >>> fixup protocol skinny 2000
>> >>> no fixup protocol smtp 25
>> >>> names
>> >>> access-list acl_inside permit ip any any
>> >>> access-list acl_inside permit tcp any host 192.168.4.40 eq 34336
>> >>> access-list acl_inside permit tcp any host 192.168.4.40 eq 34334
>> >>> access-list acl_inside permit tcp any host 192.168.4.40 eq 7777
>> >>> access-list acl_inside permit tcp any host 192.168.4.40 eq 34335
>> >>> access-list acl_inside permit tcp any any
>> >>> access-list acl_inside permit ip any host 192.168.129.183
>> >>> access-list acl_inside permit ip any host 192.168.130.176
>> >>> access-list acl_outside permit icmp any any
>> >>> access-list acl_outside permit tcp any host 192.168.129.183 eq 7777
>> >>> access-list acl_outside permit tcp any host 192.168.129.183 eq 34335
>> >>> access-list acl_outside permit tcp any host 192.168.130.176 eq 7777
>> >>> access-list acl_outside permit tcp any host 192.168.130.176 eq 34335
>> >>> access-list acl_outside permit tcp any host 192.168.129.183 eq 34336
>> >>> access-list acl_outside permit tcp any host 192.168.130.176 eq 34334
>> >>> access-list acl_outside permit tcp any any
>> >>> access-list acl_outside permit ip any any
>> >>> access-list acl_outside permit ip any host 192.168.130.176
>> >>> access-list acl_DMZ permit icmp any any
>> >>> access-list acl_DMZ permit tcp any any
>> >>> access-list acl_DMZ permit ip any any
>> >>> access-list acl_DMZ permit ip 192.168.130.0 255.255.255.0 any
>> >>> access-list acl_DMZ permit tcp 192.168.130.0 255.255.255.0 any
>> >>> access-list acl_DMZ permit ip any 192.168.130.0 255.255.255.0
>> >>> access-list acl_DMZ permit tcp any 192.168.130.0 255.255.255.0
>> >>> pager lines 24
>> >>> logging host inside 192.168.4.155
>> >>> interface ethernet0 auto
>> >>> interface ethernet1 auto
>> >>> interface ethernet2 auto
>> >>> mtu outside 1500
>> >>> mtu inside 1500
>> >>> mtu DMZ 1500
>> >>> ip address outside 192.168.129.197 255.255.255.0
>> >>> ip address inside 192.168.6.239 255.255.255.0
>> >>> ip address DMZ 192.168.130.197 255.255.255.0
>> >>> ip audit info action alarm
>> >>> ip audit attack action alarm
>> >>> pdm logging informational 100
>> >>> pdm history enable
>> >>> arp timeout 14400
>> >>> global (outside) 1 interface
>> >>> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>> >>> nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
>> >>> static (DMZ,inside) tcp 192.168.4.40 34335 192.168.130.176 34335 netmask 255.255.255.255 0 0
>> >>> static (inside,DMZ) tcp 192.168.130.176 34335 192.168.4.40 34335 netmask 255.255.255.255 0 0
>> >>> static (inside,DMZ) 192.168.4.0 192.168.4.0 netmask 255.255.255.0 0 0
>> >>> static (DMZ,inside) 192.168.130.0 192.168.130.0 netmask 255.255.255.0 0 0
>> >>> static (DMZ,outside) 192.168.130.0 192.168.130.0 netmask 255.255.255.0 0 0
>> >>> static (outside,DMZ) 192.168.129.0 192.168.129.0 netmask 255.255.255.0 0 0
>> >>> access-group acl_outside in interface outside
>> >>> access-group acl_inside in interface inside
>> >>> access-group acl_DMZ in interface DMZ
>> >>> route outside 0.0.0.0 0.0.0.0 192.168.129.253 1
>> >>> route inside 192.168.4.0 255.255.255.0 192.168.6.239 1
>> >>> timeout xlate 3:00:00
>> >>> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
>> >>> timeout uauth 0:05:00 absolute
>> >>> aaa-server TACACS+ protocol tacacs+
>> >>> aaa-server RADIUS protocol radius
>> >>> aaa-server LOCAL protocol local
>> >>> http server enable
>> >>> http 192.168.1.0 255.255.255.0 inside
>> >>> http 192.168.4.0 255.255.255.0 inside
>> >>> http 192.168.6.0 255.255.255.0 inside
>> >>> no snmp-server location
>> >>> no snmp-server contact
>> >>> snmp-server community public
>> >>> no snmp-server enable traps
>> >>> floodguard enable
>> >>> no sysopt route dnat
>> >>> telnet 192.168.4.0 255.255.255.0 inside
>> >>> telnet 192.168.1.1 255.255.255.255 inside
>> >>> telnet 192.168.3.0 255.255.255.0 inside
>> >>> telnet 192.168.6.0 255.255.255.0 inside
>> >>> telnet 192.168.1.1 255.255.255.255 DMZ
>> >>> telnet timeout 5
>> >>> ssh timeout 5
>> >>> dhcpd lease 3600
>> >>> dhcpd ping_timeout 750
>> >>> dhcpd auto_config outside
>> >>> terminal width 80
>> >>> Cryptochecksum:b97566d452e537c6a39fea284501b373
>> >>> : end
>> >>> pix515e(config)#
>> >>>
>> >>>
>> >>> Blogs and organic groups at http://www.ccie.net
>> >>>
>> >>>
>> _______________________________________________________________________
>> >>> Subscription information may be found at:
>> >>> http://www.groupstudy.com/list/CCIELab.html
>> >>>
>> >>
>> >>
>>
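Added example for readers of this archive (editor's code, not from any message in the thread): a small Python audit of the kind of PIX 6.x `sh run` posted above. It flags only what is visible in that config. Every interface ACL (acl_inside, acl_outside, acl_DMZ) contains `permit ip any any`, which removes the lower-to-higher-security deny on that interface for any destination that has a static or xlate, so the inside 100 / DMZ 10 / outside 0 ordering restricts nothing the ACLs do not also allow; because PIX ACLs are first-match, every entry after the any/any line is dead (acl_inside's port-specific entries, for instance, can never be hit). It also flags `snmp-server community public` and the plaintext telnet management entries. The sample config is a trimmed excerpt of the posted one (constructed test input), and the regexes assume PIX 6.x syntax.

```python
"""Static audit of a Cisco PIX 6.x style running-config.

Editor's example for this thread, not any poster's code. Checks:
  * interface ACLs permitting ip any any, plus entries shadowed behind them
    (PIX ACLs are first-match, so anything after that line never matches)
  * well-known SNMP community strings
  * plaintext telnet management access
Regexes assume PIX 6.x syntax and are deliberately narrow.
"""
import re
from collections import defaultdict, namedtuple

# Constructed input: trimmed excerpt of the `sh run` posted in the thread.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
access-list acl_inside permit ip any any
access-list acl_inside permit tcp any host 192.168.4.40 eq 34336
access-list acl_outside permit icmp any any
access-list acl_outside permit tcp any host 192.168.129.183 eq 7777
access-list acl_outside permit tcp any any
access-list acl_outside permit ip any any
access-list acl_outside permit ip any host 192.168.130.176
access-list acl_DMZ permit icmp any any
access-list acl_DMZ permit ip any any
access-group acl_outside in interface outside
access-group acl_inside in interface inside
access-group acl_DMZ in interface DMZ
snmp-server community public
telnet 192.168.4.0 255.255.255.0 inside
telnet 192.168.1.1 255.255.255.255 DMZ
"""

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
NAMEIF_RE = re.compile(r"^nameif \S+ (\S+) security(\d+)$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)$")
TELNET_RE = re.compile(r"^telnet (\S+) (\S+) (\S+)$")

# Default / wordlist community strings; "public" is the one in the posted config.
WEAK_COMMUNITIES = {"public", "private", "cisco"}

Finding = namedtuple("Finding", "severity kind subject detail")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse(config):
    """Pull the objects the audit needs out of flat config text."""
    model = {"acls": defaultdict(list), "bound": {}, "levels": {},
             "snmp": [], "telnet": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            # (action, protocol, rest of rule), kept in configured order
            model["acls"][m.group(1)].append((m.group(2), m.group(3), m.group(4)))
        elif m := GROUP_RE.match(line):
            model["bound"][m.group(2)] = m.group(1)        # interface -> ACL name
        elif m := NAMEIF_RE.match(line):
            model["levels"][m.group(1)] = int(m.group(2))  # interface -> security level
        elif m := SNMP_RE.match(line):
            model["snmp"].append(m.group(1))
        elif m := TELNET_RE.match(line):
            model["telnet"].append(m.groups())             # (network, mask, interface)
    return model


def audit(config):
    """Return Finding tuples, most severe first (stable within a severity)."""
    model = parse(config)
    findings = []
    for iface, acl in model["bound"].items():
        rules = model["acls"].get(acl, [])
        for idx, rule in enumerate(rules):
            if rule == ("permit", "ip", "any any"):
                findings.append(Finding("high", "any-any", iface, {
                    "acl": acl, "level": model["levels"].get(iface),
                    "entry": idx + 1, "shadowed": len(rules) - idx - 1}))
                break  # first match decides; later entries are dead
    for community in model["snmp"]:
        if community.lower() in WEAK_COMMUNITIES:
            findings.append(Finding("high", "weak-community", community, {}))
    for network, mask, iface in model["telnet"]:
        findings.append(Finding("medium", "telnet", iface,
                                {"network": network, "mask": mask}))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def report(config):
    """One human-readable line per finding."""
    lines = []
    for f in audit(config):
        d = f.detail
        if f.kind == "any-any":
            lines.append(f"[{f.severity}] {d['acl']} on {f.subject} (security{d['level']}) "
                         f"permits ip any any at entry {d['entry']}; "
                         f"{d['shadowed']} later entries never match")
        elif f.kind == "weak-community":
            lines.append(f"[{f.severity}] snmp-server community '{f.subject}' is a well-known default")
        else:
            lines.append(f"[{f.severity}] plaintext telnet management from "
                         f"{d['network']} {d['mask']} on {f.subject}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run it against a saved `sh run` by replacing SAMPLE_CONFIG with the file contents. It is a text check, not a reachability model: what is actually exposed through an any/any ACL depends on the nat/static entries, so a fuller audit would also parse those and pair each permitted destination with its translation.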
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART