If I were to reassign the IP address, I could take your site down.  For some
this could cost $$$.  Anyway, the more you allow anything (including people)
to interact with the outside world (outside of itself) the more vulnerable
it becomes to subversion.  A philosophy, not a hard fact.  A paranoid point
of view says I can count on no one, but myself.  I trust no one, but myself.
So, in that way, is DHCP a security risk?

Cisco Secure VPN Client is the software.  ip local pool isn't involved in
assigning the remote computer an ip address, but rather the ip stays local
and a dynamic NAT translation is built in the PIX for the remote computer.
Basically, an IP from the pool becomes the tunnel end point.  There are
many reasons you want to do this, but the biggest is port conflicts.  If 10
remotes all have shared hard drives and appear as the inside IP address of
the PIX, then how would you attach and mount one of them?  All 10 machines
would be using the same port number.  Or, what if there were some protocols
which travel down the tunnel and some that didn't, how would it be decided
which traffic took which path?  What if you had an HR policy that
prohibited the viewing of pornography, the VPN client would force everything
through the tunnel, where your Internet usage could be logged, monitored, or
proxied.  Responses from the porno sites would have to travel back to the
PIX end and then through the tunnel and couldn't come straight to you.

etc. etc. etc.

Rodgers Moore
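A small Python model of the pool-plus-translation behaviour Rodgers describes above, written as an added illustration for this thread (it is not Cisco PIX code and not from any of the posts): each VPN client is handed its own address from a hypothetical local pool and gets its own translation slot, whereas clients that all appear as one shared inside address collide on the same service port. The class names LocalAddressPool and NatTable, the 10.1.1.x / 192.168.1.1 addresses and the ten "remoteN" clients are constructed assumptions.

```python
import ipaddress


class LocalAddressPool:
    """Hypothetical model of the 'ip local pool' idea: each VPN client is handed
    one address from the pool, which becomes its own tunnel endpoint."""

    def __init__(self, name, first, last, configured=()):
        self.name = name
        # Addresses already used by other configuration statements; the pool
        # must not overlap them (the constraint quoted from the PIX docs).
        configured = {ipaddress.IPv4Address(a) for a in configured}
        start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        self.free = []
        cur = start
        while cur <= end:
            if cur in configured:
                raise ValueError(f"pool {name} overlaps configured address {cur}")
            self.free.append(cur)
            cur += 1
        self.leases = {}  # client id -> pool address

    def assign(self, client_id):
        """Give a client its pool address, reusing an existing lease if any."""
        if client_id in self.leases:
            return self.leases[client_id]
        if not self.free:
            raise RuntimeError(f"pool {self.name} exhausted")
        addr = self.free.pop(0)
        self.leases[client_id] = addr
        return addr

    def release(self, client_id):
        """Return a client's address to the pool when its tunnel goes away."""
        self.free.append(self.leases.pop(client_id))


class NatTable:
    """Dynamic translation table keyed by (translated address, port)."""

    def __init__(self):
        self.entries = {}

    def add(self, xlate_addr, port, client_id):
        key = (str(xlate_addr), port)
        if key in self.entries:
            raise ValueError(f"{key} already translates to {self.entries[key]}")
        self.entries[key] = client_id


def share_one_address(clients, shared_ip, port=445):
    """All remotes appear as one address: only the first client owns the port.
    Returns (number of usable translations, clients that collided)."""
    table, collided = NatTable(), []
    for client in clients:
        try:
            table.add(shared_ip, port, client)
        except ValueError:
            collided.append(client)
    return len(table.entries), collided


def per_client_pool(clients, pool, port=445):
    """Each remote gets its own pool address, so the same service port on
    every client stays reachable. Returns (client -> address, translation count)."""
    table = NatTable()
    for client in clients:
        table.add(pool.assign(client), port, client)
    return {c: str(pool.leases[c]) for c in clients}, len(table.entries)


if __name__ == "__main__":
    remotes = [f"remote{i}" for i in range(1, 11)]  # ten constructed clients
    print(share_one_address(remotes, "192.168.1.1"))
    pool = LocalAddressPool("vpnpool", "10.1.1.1", "10.1.1.20",
                            configured=("10.1.1.254",))
    print(per_client_pool(remotes, pool))
```

With a single shared address only one of the ten file-sharing clients can be reached on port 445; with a per-client pool address all ten translations coexist, and the constructor refuses a pool that overlaps an address already configured elsewhere.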

"Cthulu, CCIE Candidate" <[EMAIL PROTECTED]> wrote in message
news:8qdk8l$ssv$[EMAIL PROTECTED]...
> Hey, Rodgers,
>
> Thanks!  Hope you don't mind, you are the only one to respond directly, can
> you answer these?
>
> Why would getting an IP address dynamically assigned to the PIX's outside
> interface be a security risk?
>
>
> Also, if the PIX can't act as a DHCP server, what the heck is this command
> for:
>
> ip local pool
>
> "The ip local pool command lets you create a pool of local addresses to be
> used for assigning dynamic ip addresses to remote VPN clients. The address
> range of this pool of local addresses must not overlap with any command
> statement that lets you specify an IP address. To delete an address pool,
> use the no ip local pool command. Use the show ip local pool command to
> view usage information about the pool of local addresses."
>
> If I read that correctly, I can run some VPN software on my "remote"
> computer and have it get an IP address from the PIX? (inside interface?)
>
> TIA,
>
> Charles
>
>
>
> "Rodgers Moore" <[EMAIL PROTECTED]> wrote in message
> news:8qdh7m$94h$[EMAIL PROTECTED]...
> > Nope.  Besides that would be contrary to good security policy.
> >
> > Rodgers Moore
> >
> > "Cthulu, CCIE Candidate" <[EMAIL PROTECTED]> wrote in message
> > news:8qb0n2$cip$[EMAIL PROTECTED]...
> > > Hi, all,
> > >
> > > Sorry for the cutesy subject header.  I just got ahold of a Pix firewall;
> > > it was lying in the office and I stumbled over it on my way to the vending
> > > machine to pick up some Oreos.  After I ate my Oreos (a little stale,
> > > thanks for asking), I realized that this was a Pix firewall!  I am 100% new
> > > to the PIX, but that's irrelevant...
> > >
> > > I immediately put it on our network like this:
> > >
> > > My laptop  <-----> Ethernet 1  PIX Firewall  Ethernet 0 <-------> Catalyst
> > > 2900XL
> > >
> > > Anyways, I am going to learn it, and learn it good.  My question is: can
> > > I set up any of the interfaces to dynamically acquire an IP address via
> > > DHCP?  I want ethernet 0 to acquire an IP address from our DHCP server.
> > >
> > > If the PIX supports it, I will put a DHCP server on it to service my
> > > laptop on ethernet 1.  If it doesn't I am going to statically assign an IP
> > > address to the laptop and to ethernet 1, and run NAT to translate between
> > > inside/outside addresses.
> > >
> > > What am I trying to accomplish?  Nothing, just a learning experience for
> > > me.
> > > Time to upgrade the image!
> > >
> > >
> > > TIA,
> > >
> > > Charles
> > >
> > >
> > >
> > >
> > > **NOTE: New CCNA/CCDA List has been formed. For more information go to
> > > http://www.groupstudy.com/list/Associates.html
> > > _________________________________
> > > UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> > > FAQ, list archives, and subscription info: http://www.groupstudy.com
> > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> > >
> >
> >
> >
>
>
>

